2676
3, MAY 2020
CASeS: Concurrent Contingency Analysis-Based
Security Metric Deployment for the Smart Grid
Parisa Akaber, Bassam Moussa , Mohsen Ghafouri , Ribal Atallah, Basile L. Agba,
Chadi Assi , and Mourad Debbabi
Abstract—Security metric deployment is of immense impor-
tance for power utilities especially in future smart grids, which
are being actively pursued in smart cities initiatives around the
world. Through these metrics, utilities attain real-time aware-
ness of the grid’s security posture. In this paper, we propose
a contingency analysis based security evaluation framework for
smart grid systems - CASeS. Based on the power flow equations
of the grid, communication network characteristics, and concur-
rent power contingencies, CASeS leverages Markovian Decison
Processes (MDP) to quantify the smart grid security. The secu-
rity index delivered through CASeS emerges as a novel solution
for concurrent power contingency consideration, and allows for
the preparation of corrective actions to address the quantified
grid criticality level. We evaluate CASeS on the standard IEEE
14-Bus and 39-Bus systems. The collected results demonstrate
the usefulness of CASeS in quantifying the security of those
systems.
Index Terms—Smart grids, security, cyber-physical systems,
power system simulation, power system measurements, observ-
ability, power system protection.
I. I NTRODUCTION
ODAY, our power grid is witnessing a major evolution
T to a smarter and more capable grid. The idea of Smart
Grid has been introduced with a goal of enhancing the current
state of the electric grid by providing more reliable, available,
and efficient power generation, transmission, and distribution
networks [1]. The smart grid could be defined as a Cyber-
Physical network with tight coupling between the cyber and
physical components. Power network components (generation
units, protection relays, circuit breakers, transformers, etc)
are highly dependent on the availability of a communication
network infrastructure and vice versa [2], [3].
The cyber side of the grid works closely with the power
network to provide real time monitoring, and respond to the
Manuscript received March 12, 2019; revised July 15, 2019 and
November 7, 2019; accepted December 11, 2019. Date of publication
December 16, 2019; date of current version April 21, 2020. This work was
supported in part by Concordia University and in part by the NSERC/Hydro-
Québec Thales Senior Industrial Research Chair in Smart Grid Security.
The work of Bassam Moussa was supported by FRQNT Postdoctoral
Research Scholarship. Paper no. TSG-00371-2019. (Corresponding author:
Bassam Moussa.)
P. Akaber, B. Moussa, M. Ghafouri, C. Assi, and M. Debbabi are with
the Concordia Security Research Centre, Concordia University, Montreal,
QC H3G 1M8, Canada (e-mail: [email protected]).
R. Atallah and B. L. Agba are with Hydro-Québec Research Institute,
Varennes, QC J3X 1S1, Canada.
Color versions of one or more of the figures in this article are available
online at http://ieeexplore.ieee.org.
Digital Object Identifier 10.1109/TSG.2019.2959937
1949-3053 c 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
Authorized licensed use limited to: Institute of Aeronautical Engineering. Downloaded on October 16,2024 at 11:21:00 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON SMART GRID, VOL. 11, NO.
dynamic changes in the electricity demand. Moreover, the
grid’s cyber component is responsible for communicating cor-
rective actions in case of any emergency to relevant devices
of the physical component. However, along with the advan-
tages induced from cyber-physical coupling, the integration of
the cyber infrastructure in the power grid augments the threats
facing the system [4]. Indeed, the impact of compromises in
either component is a candidate to expand and initiate the
well-known phenomenon of cascading failures [5], [6].
On the other hand, the availability of the cyber components
augments the operational technology (OT) data generated by
the physical processes with essential information technol-
ogy (IT) data that reports on the system health. This enables
the collection of reports and alerts from various cyber com-
ponents dispersed across the grid, along with the sampled
measurements and received control commands. However, the
need to gain intelligence and insights on the system secu-
rity status from the collected data persists. Indeed, the smart
grid lacks the definition of metrics that reflect the cyber-
physical system security, and provide operators with full
system awareness on the cyber and physical levels.
While the security evaluation techniques have been exten-
sively deployed in IT domains over the past decade, those
solutions fall short in interpreting the system dynamics and
addressing the smart grid security and functional real-time
requirements. Security metrics tailored for the smart grid are
expected to infer knowledge from the system operations, along
with on-the-fly alerts from deployed security monitoring solu-
tions to expose threats targeting the grid, and quantify the
overall system security. The significance of such metrics has
motivated researchers to develop and deploy security evalua-
tion techniques for the smart grid [7]–[10]. However, none of
those techniques considered the impact of Concurrent Power
Contingencies while evaluating the grid’s security.
In this paper, we define a security metric (CASeS) based
on concurrent contingency analysis for the smart grid. Our
metric combines cyber security analysis with Hardware-in-
the-Loop (HIL) simulation of the smart grid, and leverages
concurrent contingencies, to evaluate the system criticality
level, based on power system dynamics and alerts generated by
intrusion detection systems deployed at different grid levels.
The presented framework associates cyber alerts received by
utility operators with potential physical impact on the system
operations. CASeS captures direct physical impact of cyber-
based attacks in the form of load and/or generation loss, along
with the implicit impact by bringing the system closer to its
AKABER et al.: CASeS: CONCURRENT CONTINGENCY ANALYSIS-BASED SECURITY METRIC DEPLOYMENT FOR SMART GRID
Fig. 1. Multiple link contingency analysis example.
stability operating margins. CASeS empowers utilities with
real-time insights inferred from measurements and reports,
and allows the prediction of the consequences of concurrent
contingencies at the system level. This allows the anticipation
of probable power outages and serves as an asset in utilities
corrective actions and decision making in case of emergency.
The novelties of CASeS can be summarized as follows:
• The combination of cyber security analysis with HIL sim-
ulation for the identification and formulation of power
system cyber-physical concurrent contingencies.
• Proposal of a cyber-physical security metric and its calcu-
lation for smart grid using Markovian Decision Models
combined with a power grid co-simulation approach to
reflect in real-time the security posture of the smart grid.
• Quantification of the grid security posture, illustration of
the criticality level of the different grid states, and smart
grid security intelligence inference based on collected
security alerts and reports.
The remainder of this manuscript is structured as fol-
lows. Section II presents concurrent contingency. Section III
describes CASeS architecture. Numerical results are dis-
cussed in Section IV. Related work is covered in Section V.
Section VI highlights the concluding remarks and future work.
II. C ONCURRENT C ONTINGENCY: A M OTIVATION
Contingency analysis, in general, is one of the fundamental
tools for power grid monitoring and control. Contingency anal-
ysis can be defined as a set of if/else scenarios used to quantify
the impact of component failures on the overall system func-
tionality. The ideal smart gird operates according to the (N−1)
security measure which ensures secure power supply even in
case of a failure of any of the grid components. However, in
the presence of multiple and concurrent contingencies, (N −1)
restriction is no longer sufficient to assure the grid’s avail-
ability. To emphasize the impact of concurrent contingency
consideration on the system functionality and its usefulness in
assessing the criticality level of the system, we consider the
following example (Fig. 1).
The system presented in Fig. 1, shows a transmission
network used to deliver power to three residential areas, as
managed by a power utility. This network is composed of three
substations, transmission lines (labeled as L1-L6), and relays
Authorized licensed use limited to: Institute of Aeronautical Engineering. Downloaded on October 16,2024 at 11:21:00 UTC from IEEE Xplore. Restrictions apply.
2677
(R1-R6) controlling circuit breakers on those lines. Assume
that those relays receive commands from remotely located
operators through the communication network to control the
associated circuit breakers. The power transferred over lines
L1-L6 to the residential areas can be interrupted through relays
R1-R6. Based on single contingency analysis, a compromise
of R1 by attacking its cyber component and gaining control
over the circuit breaker to eventually interrupt power flow over
L1, can be countered by supplying the needed power of load 3
through other transmission lines mainly L6 (assuming that L6
has the needed capacity). In a similar fashion, such an analysis
can be performed for a compromise of other relays transmis-
sion line 8. Now, consider a situation in which multiple relays
are compromised. Such a scenario cannot be captured through
single contingency analysis. It puts the system under the risk
of load loss or even blackout. In Fig. 1, through a concurrent
compromise of R1 and R6, an attacker can prevent the util-
ity from delivering power over L1 and L6 and thus causing
a blackout at Load 3. Therefore, to better protect the system
against similar situations, we should identify similar contin-
gencies and prevent the system from entering such states where
multiple relays are concurrently compromised. Similar states
in Fig. 1 include {R2, R3} and {R4, R5} as concurrent con-
tingencies. Thus, in a large system, concurrent contingency
identification is not a straight forward task due to the multitude
of combinations and the presence of cascading effects [11].
Nevertheless, in a system with high availability demands, such
as the smart grid, concurrent contingency analysis is a must
to foresee hidden system states and prepare corrective actions.
III. CAS E S F RAMEWORK
The definition of a security metric through the CASeS
framework is made possible through the collaboration of sev-
eral modules. Those modules use data related to the grid
topology, communication network topology, and access con-
trol policies to identify concurrent contingencies. The resulting
CASeS framework, as used by utilities, quantifies the secu-
rity threats associated with the different system states, and
is presented in Section III-I. Next, we present each of those
components followed by the overall framework architecture.
A. Cyber-Physical Model
At the core of our framework, we represent the smart grid as
an interconnected network composed of two systems, of cyber
and physical natures, tangled together in an interdependent
manner. To define this interdependency, we follow the mod-
els presented in [12] and [13]. In this model, the smart grid
components are internally connected to each other through
direct and indirect interdependencies. This interdependency
results in a deviation from the normal performance of power
networks due to abnormal operation of the cyber network [12].
This abnormal behavior is mainly characterized by failures and
inappropriate behavior in the power system as an outcome of
failures in the cyber network.
In an interdependent smart grid, the operation of one ele-
ment depends on the existence and proper functionality of
other elements. For example, the failure of a controller or
2678
access point in the communication network may lead to the
failure of the physically connected circuit breaker or substa-
tion in the power network [12]. The cyber component failure
can be a direct result of cyber attacks as witnessed in the 2015
Ukranian blackout [14].
In brief, our cyber-physical model of the smart grid encom-
passes power components which are controlled and monitored
through cyber components. Through a compromise of the
cyber network, an attacker can:
• Initiate or block open/close command to breakers or tie-
switches.
• Drop measurement values (e.g., voltage, current, power,
etc.) sent by compromised components.
• Report false status data (e.g., breaker status, capacitor
bank status, etc.) to the control center.
• Override commands sent by the control center to com-
promised components.
B. Threat Model
We consider an attacker who is knowledgeable about the
cyber-physical nature of the smart grid, and is interested in
exploiting the cyber-physical inter-dependency to induce phys-
ical damage through compromising cyber components. The
attacker has the expertise to perform reconnaissance and intel-
ligence gathering operations to locate vulnerabilities in the
cyber components deployed in the smart grid, and leverage
their link with the physical components. Our attacker quan-
tifies his success in the form of physical disturbances in the
power grid, and he will execute his attacks to fulfill this goal.
To successfully compromise a component, the attacker can
leverage several possible attack vectors including but not lim-
ited to: distributed denial of service (DDoS), alter and hide
(AaH), and data integrity. The attacker can make use of known
vulnerabilities in systems, which are identified through ICS-
CERT [15], or exploit zero-day vulnerabilities in the available
system components. On the other hand, the attacker can gain
control over the cyber components of the grid through infil-
trating into the control center LAN, or the substation LAN as
detailed in [16]. Thus, the attacker view of the system topol-
ogy is that of services running on the available devices and
vulnerabilities associated with those services. For example, a
relay as shown in Fig. 2 resembles a service present in the
system, or a privilege gained by the attacker allowing him
to eventually control the physical circuit breakers. Here, it
is important to mention that generation stations are assumed
to be well-protected or disconnected from the cyber-network,
and attackers can not gain control over components of such
stations [12]. Thus, the attacker will direct his interest to
coordinated attacks on IP-based substation components only.
C. Connectivity Matrix Builder
The connectivity matrix builder takes as input the com-
munication network topology including the network elements
associated with the power grid, firewall rules and access con-
trol policies. Then, the connectivity matrix builder formulates
this input as services associated with the network components,
and connectivity among those services. For each component c,
Authorized licensed use limited to: Institute of Aeronautical Engineering. Downloaded on October 16,2024 at 11:21:00 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON SMART GRID, VOL. 11, NO. 3, MAY 2020
Fig. 2. Network topology as seen by the connectivity matrix builder.
we define two primitives <c, h, h >, <c, h > is the exis-
tence of a service h on c, and <h, h > is the connectivity
allowing the access to service h from a component running
the service h. This procedure results in the identification and
formulation of accessibility between network components in
the form of a matrix. The resulting matrix is presented as
C[D×D], where D is the total number of network components.
An entry Cij ∈ C is 1 if the network component j has a ser-
vice h that is accessible through service h running on network
component i, and 0 otherwise. The ability of an attacker to
compromise a component c running a service h is later cap-
tured by linking a privilege ph to the service h appearing in the
c primitives (<c,h,h >). This privilege is awarded the attacker
upon successful compromise of the service h. Moreover, the
compromise of service h will result in a new privilege ph
attained by the attacker and thus granting him with the ability
to gain further accessibility to the network.
Considering the system model presented in Fig. 2, and the
potential attack points, the connectivity matrix builder estab-
lishes logical links that associate possible compromises of the
attack points with the power components that an attacker can
control. For example, through an initial compromise of in the
wide area network, the attacker can gain a privilege that grants
him access to a service in the network gateway. Eventually, the
attacker gains access to the LAN in the substation, and later
through another compromise, manages to control the protec-
tion relays present in the substation. The connectivity matrix
builder prepares such associations for later use in the security
metric evaluation.
D. MDP State Tree Generator
Given the connectivity matrix C generated in the previous
block, an MDP Tree Generator enumerates all the possible
system states and transitions among them. An MDP provides
a mathematical framework for modeling decision-making sit-
uations where outcomes are partly random and partly under
the control of the decision maker. To deploy any MDP, the
below elements should be defined.
AKABER et al.: CASeS: CONCURRENT CONTINGENCY ANALYSIS-BASED SECURITY METRIC DEPLOYMENT FOR SMART GRID
• S a finite set of states
• A a finite set of actions
• Pa (s, s ) transition probability
• Ra (s, s ) reward function
• γ ∈ [0, 1] discount factor.
From which S, A, and Pa (s, s ) are mandatory components to
build the MDP tree. In its basic setting, the attacker takes an
action, and gets a reward from the system, and the system
changes its state. Then the attacker senses the state of the
system, takes an action, gets a reward, and so on, so forth.
The state transitions are probabilistic and depend solely on the
actual state and the action taken by the attacker. The reward
obtained by the attacker depends on the action taken, and on
both the original and the new state of the system. All those
characteristics of the MDP make it most suitable to model
the system behavior, and the interaction with the attacker. We
present these components next, while Ra (s, s ) and γ will be
presented in Section III-H:
• S is a finite set of system states. Any attack scenario could
be divided into a finite number of actions followed by an
attacker or a group of attackers with pre-defined objec-
tives. In this research, we define a “security state” for the
system as a set of compromised power-communication
network components. A security state reflects the attack
propagation in the system, and the privileges the attacker
has attained through those compromises. The system
starts from an initial security state where no components
are compromised. Upon receiving intrusion detection
alerts about ongoing attacks, the system moves to a new
state which highlights the attack progress and identifies
the potentially compromised components. The critical-
ity of a security state increases as the attack advances
and the attacker is closer to imposing physical impact on
the system operations. It is worth mentioning that high-
tech power components used in smart grid such as circuit
breakers and switches have a cyber part (e.g., application
running on them) which could be compromised through
a cyber attack.
• A is a finite set of actions: For each state s, we asso-
ciate a set of actions As an attacker might initiate. Each
action in As represents exploiting a known or zero-day
vulnerability in a system component (i.e., SQL injec-
tion, ssh vulnerability, etc). By taking action Ai from As ,
the attacker leverages the system inter-dependency and
connectivity, and gains access to an additional compo-
nent that augments his reward and brings him closer to
his target. In our implementation of actions associated
with a state, we assigned random known software vul-
nerabilities to the communication network components.
Moreover, to improve the system realism, we randomly
assigned actions that represent zero-day attacks exploit-
ing unknown vulnerabilities to various Information and
Communication Technology (ICT) components available
in our system model.
• Pa (s, s ) represents the probability to successfully transit
from state s to a reachable state s by taking action a.
In our case, this probability is defined as the attacker’s
success rate for a specific attack scenario. To assign
Authorized licensed use limited to: Institute of Aeronautical Engineering. Downloaded on October 16,2024 at 11:21:00 UTC from IEEE Xplore. Restrictions apply.
2679
probabilities to the transitions between states, we use the
Common Vulnerability Scoring System [17], [18]. Using
CVSS, we input parameters (base, temporal, environmen-
tal, etc) for a specific condition to receive a 0-10 score
of the risk posed by a particular vulnerability. We divide
the score provided by CVSS by 10 to transform it into
a probability following a similar approach to that in [9],
[19]–[21]. For example, a score of 10 results in a proba-
bility equals to 1. We use different examples of possible
vulnerabilities from CVSS to assign transition probabil-
ities, and reflect the possibility of compromises in the
system under study. For the initial transit of the system
from state s0 , we consider known and unknown software
vulnerabilities that can be exploited from distance. We
assume that the attacker is capable of remotely exploit-
ing these vulnerabilities to execute his attack, and thus we
randomly add those vulnerabilities along with the conse-
quent transition probabilities to the system components.
Those exploits constitute the set of actions A0 associated
with the initial system state. On the other hand, to account
for zero-day attacks exploiting unknown vulnerabilities,
we have assigned a small probability of 0.01 to the system
security states that enables transitions representing zero
day exploits. This allows the attacker to exploit such vul-
nerabilities and advance in his attack. On the other hand,
it allows for a better quantification of the system security
in the presence of zero-day vulnerabilities.
Furthermore, it is worth noting that the presented tran-
sition model does not address availability/confidentiality
attacks, nor does it address attacks that exploit shared cre-
dentials/trusts or an insider. The modeling of those attacks
pertains as a need for more accurate cyber threat models
for the smart grid.
To generate the MDP tree, we start from an initial
state ∅ where no components are compromised. Next, using
Algorithm 1 and the connectivity matrix as input, the MDP
state tree generator creates the MDP states and transitions.
Starting from the initial state, Algorithm 1 creates entry
points corresponding to states accessible from the initial state
(lines 6-9), along with an associated transition. The reach-
able states represent components that are connected to the
Internet. Then, based on those new states, and starting with
an entry point i, we add a new reachable state sij whenever
component j is connected to component i. This connectiv-
ity is implied through the use of the connectivity matrix
builder. It is worth noting that, createReachableStates(s)
function is a recursive function which returns all the pos-
sible states reachable from state s considering all the
components in this state and their connectivity to other
components.
Applying Algorithm 1 on the network topology in 2 while
considering attack points at the control center (CC), WAN
SCADA Network (W), gateway (G), and relays (R) results in
the MDP shown in Fig. 3. This MDP is obtained through the
following steps:
• Create the initial state ∅. Lines (3,4)
• Create new states as states reachable from the initial state.
Lines (6-8)
2680 IEEE TRANSACTIONS ON SMART GRID, VOL. 11, NO. 3, MAY 2020

Algorithm 1 MDPGenerator(int[][] ComponentsConnectivity) concurrent contingency identifier reconfigures the grid topol-
1: Output: Array<State> states; ogy into a set of k clusters (k ∈ {2, 3, 4, . . .}). Each cluster
2: Array<Transition> transitions;
3: State emptyState = new State() contains a set of transmission lines whose concurrent failure
4: states.add(emptyState); results in a higher reward function compared to individual
5: for (i:componentsConnectivity) do failures. For the case of a cluster formed of two transmission
6: if (i is an attacker’s entrypoint) then
7: State initial =new State(i); lines, we can mathematically represent this relation in Eq. (1):
8:      
9:
states.add(initial);
transitions.add(emptyState, initial);
RF uns ({ti }, P) + RF uns tj , P < RF uns ti , tj , P (1)
10: end if where RF uns (T,P) denotes the value of attacker reward func-
11: for (j:componentsConnectivity[i]) do
12: if (i is not connected to j) then tion due to the failure of the set T of transmission lines given
13: continue; the power network topology P. This function is part of our
14: end if smart grid testbed presented in Section III-G. Considering the
15: if (i and j mutually connected) then
16: if (sij does not exist) then example in Fig. 1, the individual failure of R6 or R8 does not
17: State sij = new State(i, j); impact the system. However, an attack that brings down both
18: states.add(sij ) relays would cause a blackout in the residential area. Hence,
19: transitions.add(initial, sij );
20: createReachableStates(sij ); the concurrent contingency identifier would place R6 and R8
21: else in a cluster.
22: transitions.add(initial,getState(i,j)); On the other hand, our concurrent contingency extensively
23: end if
24: else looks for contingencies that divide the grid into clusters of
25: State sij = new State(i, j); size k ∈ {2,3,4}. This can be changed to consider clusters of
26: states.add(sij ) larger sizes. However, based on the outcome of the analysis
27: transitions.add(initial, sij );
28: createReachableStates(sij ); presented in [12], we can see that it is enough to target a
29: end if relatively small number of the links available in a large power
30: end for system to induce a significant loss in the load served by this
31: end for
system. Hence, for each subset of relays of size k, if Eq. 1
is satisfied, we create a cluster representing this subset. Thus,
the concurrent contingency identifier outputs a set of clusters
representing the concurrent contingencies in the system.

F. Complementary State Generator

Fig. 3. MDP state transition diagram generated based on network topology
in Fig. 2.
• For each state s, we add new reachable states based on
components connected to those of s. For instance, G1 is
connected to W so a combinatorial state WG1 would be
added to the state W. Lines (17-20).
We would like to point out that we are considering single
contingency analysis in two substations only as the MDP state
space is simple to enumerate in this case, and we aim at testing
the efficiency of using our security metric approach. However,
this study can be extended and applied to n substations as we
shall see in the numerical results section.
E. Concurrent Contingency Identifier
To perform a complete contingency analysis, it is essential
to consider concurrent contingencies. This is mainly driven
by the fact that the analysis of historical blackouts revealed
the presence of multiple failures in the grid [22]. To identify
such contingencies, our concurrent contingency identifier uses
the power grid topology to identify sets of components whose
concurrent failure deeply impacts the grid’s availability. The
An analysis of the outcome of the MDP state tree gen-
erator indicates that the concurrent contingencies identified
through the clustering of the power grid are not present as
reachable states in the generated MDP. To address this issue,
we introduce the Complementary State Generator. The com-
plementary state generator uses the clusters output by the
concurrent contingency identifier, and the previously gener-
ated MDP, to introduce additional states resembling concurrent
contingencies into the MDP tree. This process results in a
complete MDP tree, and is presented in Algorithm 2:
1) For each cluster, we consider all the possible state com-
binations called subSt; including the state representing
all the cluster elements. Line (5)
2) For each subset of states subSt, we find the root node
using the function getRoot. Line (7)
3) For each state s ∈ subSt, we find the path from the
root to s. Line (9)
4) We combine all the paths for subSt states in order
to build one combinatorial path combPath, which
includes new states and transitions from the root to
the complementary state covering all the elements in a
cluster. Line (11)
5) The compromise of different components is considered
as independent actions, we assign a transition probability
for added transitions, calculated as: Pr(A∩B) = Pr(A)×
Pr(B)
6) We add the new states and transitions to produce the
complete MDP tree. Lines (12, 13)

Authorized licensed use limited to: Institute of Aeronautical Engineering. Downloaded on October 16,2024 at 11:21:00 UTC from IEEE Xplore. Restrictions apply.
AKABER et al.: CASeS: CONCURRENT CONTINGENCY ANALYSIS-BASED SECURITY METRIC DEPLOYMENT FOR SMART GRID
Algorithm 2 MDPComplete(MDPtree)
1: Given : Array <Cluster> clusters;
2: Output: Array <State> completedSt;
3: Array <Transition> completedTr;
4: for (cluster:clusters) do
5: for (subSt:MDPtree.states.getSubSt(cluster)) do
6: Array <Path> paths;
7: State root = subSt.getRoot();
8: for (clusterState:subSt) do
9: paths.add(getPath(root, clusterState));
10: end for
11: Path combPath = paths.combine();
12: completedSt.addAllSt(combPath.states);
13: completedTr.addAllTr(combPath.transitions);
14: end for
15: end for
Fig. 4. Complete MDP state transition diagram produced by Algorithm 2.
Using the complementary state generator on the example in
Fig. 2, we get the complete MDP tree shown in Fig. 4.
G. Smart Grid Testbed
The impact of exploiting concurrent contingencies in the
power system may result in loss of a generation unit, drop
in the served load, and/or bringing the system close to its
instability limit. The quantification of the attack impact on
the power system is made possible through the use of our
smart grid testbed presented in [23]. We are able to check the
system behavior when concurrent contingencies are exploited,
and eventually compute the loss in load, generation, and vari-
ations in the system. The outcome of this evaluation is used
for the computation of the MDP reward function.
H. Security Metric Calculator
In this section, we define the reward function and the dis-
count factor for the MDP, and calculate the security metric I(s)
for each system state s. The reward function Ra (s, s ) is the
received reward (from the attacker’s point of view) after transi-
tioning from state s to s due to action a. The reward function is
often assumed to be the unserved active power of the load [12]
or the ratio that represents overloading of the transmission
lines [9]. However, the use of these reward functions has some
disadvantages which are discussed as follows.
• The security metrics are often calculated using the power
flow solution and the static features of the power system
such as overloading level or unserved load. However, the
power system dynamics, capacity limits and the impact of
dependencies between the operation of different compo-
nents are neglected in the calculation of these existing
metrics. As an example, the attack may result in the
overloading condition in several transmission lines of the
system as shown in [9]. The power system can sustain
Authorized licensed use limited to: Institute of Aeronautical Engineering. Downloaded on October 16,2024 at 11:21:00 UTC from IEEE Xplore. Restrictions apply.
2681
small overloading conditions in the transmission lines,
whereas excessive loading levels will result in the trig-
gering of the protection system as the system interprets
that as an electrical fault. Thus, to calculate the reward
function based on the dynamic behavior of the power
system, the output collected from the testbed is used to
verify whether any operational limit is violated or not.
Following any violation or operation of the protection
system, the AC power flow equations should be resolved
based on the system’s new topology and parameters. This
iterative approach continues until the solution is obtained
within the operating limits.
• The operation of the power system is dependent on the
sufficient generation and consumption of active as well
as reactive power. The reactive power flow may not
be used directly as consumed energy, however, its flow
is crucial for power system stability and proper opera-
tion. As an example, electrical motors consume a huge
amount of reactive power and insufficient generation of
reactive power will result in a huge voltage drop and
consequently, system instability. Thus, the magnitude of
apparent unserved power (|Suns | = |Puns + jQuns |)
should be used instead of active power in the calculation
of reward function.
• Generally speaking, the main aim of an adversary is
to cause damage and/or make the system vulnerable to
future incidents. In some cases, the adversary may not
cause immediate damage rather only directs the system
toward instability so that any failure, load increase, or
attack, results in complete system load outage or blackout.
Such scenarios are to be considered in the calculation of
reward function. Therefore, a term is added to the reward
function in order to quantify how far is the system from
its safe operational limits.
• The loss of load is not the only risk that an adversary
can impose on the power system. Despite the fact that
losing a generator may be compensated by other gen-
eration units, the disconnection of a generation unit will
result in huge economic damage to the system. Moreover,
such an outage increases the pressure on the other gen-
erators of the system, and may even result in a blackout
if the production of remaining generators is not sufficient
to supply the load, and balance the frequency. Therefore,
the impact of losing a generation unit is also included in
the proposed metrics.
Considering all the mentioned points, we define the reward
function as:
 
Ra (s, s ) = RF PowComp(s ), P − RF(PowComp(s), P) (2)
where
 
RF PowComp(s ), P = α1 ηL + α2 ηG + α3 ηsm
N
Loads
ηL = SLunsi
i=1

NGenerators
ηG = SGunsi
i=1
2682
Fig. 5. 9-bus WSCC transmission system [24].
N i
Loads 
ηsm =
i=1 k=1
   i
l=1,l=k fl
× max 0, 1− ×Sloadi .
Sloadi
In these equations, ηL , ηG , and ηsm represent the unserved
apparent power, unused apparent generation, and system oper-
ation margin, respectively. The coefficients α1 , α2 , and α3 are
their respective weights. NLoads , NGenerators and i represent
the number of loads, number of generators, and the set of trans-
mission lines connected to load i, respectively. The parameters
SLunsi , SGunsi , Sloadi and fl indicate the apparent unserved load,
unused generator, the power consumption of ith load, and avail-
able capacity of lth transmission line, respectively. Assuming
α2 = α3 = 0 will result in a reward function considering the
unserved power only while the assumption of α1 = α2 = 0
results in a function similar to that defined in [9].
We demonstrate the calculation of the reward function on
the Western System Coordinating Council (WSCC) 9-bus
transmission system, along with the associated load values and
transmission line capacities, as shown in Fig. 5. B1-B18 are
system circuit breakers that receive control commands from
their corresponding overcurrent (OC) relays. An outage of a
single transmission line caused by an attack on relays does not
have an impact on the unserved load is expected as expected
due to the (N-1) criteria. If two circuit breakers B16 and B17
are attacked, load 3 will be disconnected from the system and
ηL increases. If the circuit breakers B18 and B7 are attacked,
the system still supplies the loads, whereas it loses one gen-
erator (G2) and the term ηG increases accordingly. In this
scenario, load 1 is supplied only through the transmission line
between buses 4 and 5. Thus, any fault or new attack on com-
ponents of this line will result in outage of this load, i.e., the
system is pushed toward its operation limits (ηsm increases).
Moreover, as evaluated through our testbed, in this scenario
transmission lines 8-9 and 4-6 have 10% and 7% overload,
respectively. The operation code of the transmission lines will
not be violated in limited time spans due to such overloading,
while any increase in the load will result in loss of transmis-
sion lines. Using the testbed, attacks on B2 and B15 resulted
in 146% overload on transmission line 4-5. As a result, Load1
becomes disconnected in addition to the Load3 due to the
operation of the protection system at B7 or B8.
Authorized licensed use limited to: Institute of Aeronautical Engineering. Downloaded on October 16,2024 at 11:21:00 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON SMART GRID, VOL. 11, NO. 3, MAY 2020
On the other hand, the discount factor γ represents the dif-
ference in importance between future and present rewards. In
other words, the discount factor values the immediate reward
above future delayed reward, and presents the uncertainty
about the future. From the mathematical perspective, it makes
an infinite sum finite. If we set γ = 1, the summation in Eq. 3
would not converge.
Assuming that we could estimate the current security state
by analyzing the alerts received from intrusion detection
systems, the Bellman Equation (Optimal Value Function) [25]
could be followed to quantify the criticality level of the current
state from the security perspective.
We leverage the Bellman equation which is a formulation
to connect a state (value/reward) to its predecessor as follows:
    
It+1 (s) = max Pa s, s Ra s, s + γ It (s ) . (3)
a∈A(s)
s ∈S
The main objective behind this representation is to find the
system state with the maximum impact (reward), reachable
from the current state, in the most efficient manner (maxi-
mum success probability), as seen by the attacker. In CASeS,
the value iteration technique is implemented to compute the
It+1 (s) from the Bellman Equation. The importance of the
Bellman equations is that they let us express values of current
states as values of other states. This means that if we know
the value of future state s , we can very easily calculate the
value of current state s. This opens a lot of doors for iterative
approaches for calculating the value for each state, since if we
know the value of the next state, we can know the value of
the current state. The most important thing about the Bellman
equation is that it allows us to calculate optimal policies, and
solve the MDP from the attacker point of view. Moreover, dur-
ing intermediate states that correspond to cyber compromises,
the attacker receives a zero one-step reward, which is a very
common practice in reinforcement learning. As the attacker
starts to explore the system by choosing actions correspond-
ing to exploits, the MDP starts to update the value of each state
it ends up in. Once the attacker reaches a terminal state (a state
that affects the unserved apparent power, unused apparent gen-
eration, or system operation margin), the reward propagates in
a backward fashion and eventually the estimated value of all
states along the way will be updated based on the recursive
Bellman equation (3). Even though a one-step reward from
state S to state S is zero, as the MDP completes the learning of
the value of each state (i.e., the Bellman equation converges),
it exploits the realized optimal policy to choose the action that
puts the system in the next state S that has the highest value.
This way, the attacker receives a zero step reward, but the
MDP made sure that the state it reached has the highest value
and by following the optimal policy, it will eventually reach
the terminal state with the highest reward.
The calculated value It+1 (s), as presented in Eq. (3),
represents the security metric associated to the state s.
I. Framework Realization
We combine all the above mentioned components to enable
the system security evaluation through CASeS as shown in
Fig. 6. Based on the power and communication network
AKABER et al.: CASeS: CONCURRENT CONTINGENCY ANALYSIS-BASED SECURITY METRIC DEPLOYMENT FOR SMART GRID
Fig. 6. CASeS architecture.
topologies, CASeS extensively scans the combined cyber-
physical components, and identifies concurrent contingencies.
Using a Stochastic Markovian Decision Process [26], CASeS
enumerates the system security states, identifies states with
multiple compromised components using the complementary
state generator, and assigns relevant indices to those states
reflecting their criticality level. The resulting MDP is updated
only when there is a change in the system topology, or a
new vulnerability is identified on one of the system compo-
nents. This allows CASeS to work offline, and prepare the
MDP regardless of the system size. Based on the resulting
model and the assigned indices, CASeS identifies the security
state of the system and allows the preparation of corrective
actions corresponding to this state. To perform the online
security assessment, operators in security centers of utilities
can combine CASeS framework with streams of alerts gen-
erated by intrusion detection systems, advanced sensors, and
system management solutions to quantify the system secu-
rity state. Using those alerts, CASeS can identify the possible
attacker actions and consequent rewards, and eventually out-
put the security metric. Hence, based on CASeS functionality,
operators have a quantification of the system security posture,
and are capable of initiating protection and recovery schemes
in response to the identified threats. It is worth noting that
CASeS is intended to complement the knowledge the operator
already has about the system topology and operations includ-
ing but not limited to control commands to open/close circuit
breakers, increase/decrease power generation, etc. Thus, legit-
imate system operations initiated by the operators will not
initially raise alerts by the deployed firewalls and intrusion
detection systems, nor conflict with the framework insights
and generated outcome.
J. Mitigation Schemes
Based on the outcome of CASeS, the system operator can
initiate several strategies to limit the identified physical impact
resulting from the attack. Those strategies provide a level of
robustness to the system, and may incur some technical or
economic costs as well. A primary defense strategy is the
rescheduling of the system generators and equipping those
generators with Automatic Generation Control (AGC). This
strategy improves the reliability of the system by letting the
separate isolated islands in the system (created by attacks)
Authorized licensed use limited to: Institute of Aeronautical Engineering. Downloaded on October 16,2024 at 11:21:00 UTC from IEEE Xplore. Restrictions apply.
2683
to operate normally based on the stable frequency and volt-
age provided by the generators. However, due to technical
limitations in capacity and type of generators such strategy
may not be always applicable. Another strategy can be the
development of microgrids in lower voltage levels. This strat-
egy not only increases the robustness of the system, but also
reduces its operation cost following the attacks or outages.
Deployment of such energy infrastructures ensures that fol-
lowing an anomaly in the behavior of the transmission system
the system loads remain connected to the system. Moreover,
for long term defense strategies, the power system utilities can
increase the number of redundant transmission lines between
different areas of the system to transfer power through several
paths, and improve the reliability of the system. Such an action
significantly improves the stability margin of the system and
its robustness, and ensures that even in case of multiple attacks
or faults, the system operation is not interrupted. Despite the
huge advantages of such remedy actions, it incurs a huge cost
for the utilities.
IV. N UMERICAL E VALUATION
In this section, we present the evaluation of the proposed
approach on the standard IEEE 14-Bus and 39-Bus NEW
England systems. To complement the power component, we
build an associated substation communication network as man-
dated by the IEC 61850-90-4 standard [27], connect this
network for monitoring and control purposes to the control
center based on Fig. 2, and evaluate the security posture for the
resulting system. We present the combined power and commu-
nication systems for the 14-Bus in Fig. 7, along with a detailed
presentation of the substation S12 network. Similar networks
are considered for other substations, but are not included in
the figure for simplicity of presentation. In our setup, a sub-
station network consists of a substation bus connecting the
main gateway, a HMI component, time sources and the relays
available in that substation. Furthermore, the network includes
a process bus connecting the protection and control relays to
merging units positioned in the different bays. Each transmis-
sion line is controlled by two relays located at substations
connected by this line; yet presented as a single relay accessi-
ble from both substations, considering that those relays have
similar functionality and an attacker need to compromise only
one of those relays to interrupt power flow over a transmis-
sion line. Moreover, we randomly assigned vulnerabilities to
the network’s cyber components based on CVSS scores. To
assign those vulnerabilities, we created a pool of randomly
generated vulnerabilities and assigned each cyber component
one vulnerability from this pool. In those experiments, we did
not consider any zero day vulnerabilities. However, this setup
can be easily adjusted to consider zero day vulnerabilities.
We conducted experiments for different values of αi used in
Eq. (2) while varying the discount factor γ used in Eq. (3).
The αi variation aims at favoring one term of the reward func-
tion over other terms, while the variation of γ presents the
attacker’s interest in future rewards (γ = 0.9) as opposed to
immediate rewards (γ = 0.1). For the 14-Bus system, we
considered attacker’s interest in substations S2 and S4, since
2684
Fig. 7. IEEE 14-Bus power-communication network.
TABLE I
CAS E S S ECURITY I NDEX BASED ON S INGLE -C ONTINGENCY
FOR IEEE 14-B US S YSTEM
this illustrates the different factors of the reward function. The
areas affected by this interest are highlighted in Fig. 7. All sim-
ulations in this section were executed on a windows machine
with Intel Core i7 CPU running at 2.67 GHz and equipped
with 12 GB of RAM.
In the first set of results, we consider the IEEE 14-Bus
system, and present the outcome of CASeS framework to com-
ment on its impact on the evaluation of the system security
in the presence of single contingencies, and the added value
concurrent contingencies bring to this study. In the presence of
single contingencies, using the MDP generated in the absence
of the complementary state generator, we evaluated the secu-
rity index for single contingencies. The resulting values are
presented in Table I. As expected, those results abide by the
(N-1) design criteria and do not result in any load or generation
loss. However, our security metric captures variations in the
system operating margins as indicated in the last two rows of
Table I. CASeS quantifies this change as a security threat and
consequently calculates an index resembling the compromise
of a single relay belonging to S2 or S4.
Next, we evaluated the 14-Bus system security index in the
presence of two concurrent contingencies. This can be easily
extended for a larger number of contingencies, however we
Authorized licensed use limited to: Institute of Aeronautical Engineering. Downloaded on October 16,2024 at 11:21:00 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON SMART GRID, VOL. 11, NO. 3, MAY 2020
TABLE II
CAS E S S ECURITY I NDEX BASED ON M ULTIPLE C ONTINGENCIES
FOR IEEE 14-B US S YSTEM
Fig. 8. Resulting MDP state transition diagram for S2.
Fig. 9. Resulting MDP state transition diagram for S4.
present only the results when two relays belonging to S2 and
S4 are compromised. To enable the calculation of the secu-
rity index, CASeS computes a complete MDP state transition
diagram, and creates new states to represent concurrent contin-
gencies. The resulting security index is presented in Table II.
As can be seen from the calculated security index, concur-
rent contingencies puts the system at risk from several aspects.
Moreover, based on the collected results, the attack will impact
the system more if the attacker’s choice favors future rewards.
This is a result of more rewarding actions associated with
future states as identified by the MDP.
To output the security index results, CASeS leveraged
the MDP state transition diagram complemented with states
representing concurrent contingencies. CASeS built a com-
plete MDP representing the entire 14-Bus system presented in
Fig. 7, while considering two contingencies at a time. This
results in an increase in the MDP size from 48 states to
117 states. We represent the state transition diagrams for sub-
station S2 and S4 in Figs. 8 and 9 respectively, while the
state transition diagram for the whole system is presented
in Fig. 10. In Figs. 8 and 9, the states shown in red are the ones
corresponding to the additional states introduced by the com-
plementary state generator presented in Section III-F. Those
states result from the concurrent contingency of several relays
through the compromise of different cyber components iden-
tified as W for wide area network, G for substation gateway,
and R for relay.
AKABER et al.: CASeS: CONCURRENT CONTINGENCY ANALYSIS-BASED SECURITY METRIC DEPLOYMENT FOR SMART GRID
Fig. 10. MDP state transition diagram for 14-Bus system.
TABLE III
CAS E S S ECURITY I NDEX BASED ON S INGLE -C ONTINGENCY
FOR IEEE 39-B US S YSTEM
TABLE IV
CAS E S S ECURITY I NDEX BASED ON M ULTIPLE C ONTINGENCIES
FOR IEEE 39-B US S YSTEM
We performed a similar exercise for the 39-Bus NEW
England system, and we present the collect results for single
and multiple contingencies in Tables III and IV respectively.
We consider the attacker interest in targeting substations S11
and S12. Due to properties of the 39-Bus NEW England
system, in the presence of single contingencies, the system
suffers the loss of loads when S12 is targeted as captured
through the first row of Table III. Moreover, this loss affects
the system stability margins, and CASeS successfully captures
Authorized licensed use limited to: Institute of Aeronautical Engineering. Downloaded on October 16,2024 at 11:21:00 UTC from IEEE Xplore. Restrictions apply.
2685
that impact as presented in the resulting security index in the
last two rows of Table III. In the presence of multiple con-
tingencies, CASeS captures a larger impact and presents a
better evaluation of the system security posture as reflected in
Table IV. We can see that through the complete MDP gener-
ated by CASeS to reflect on the different security states of the
system, we have a better quantification of the system secu-
rity, especially for the cases when the impact is implicit, and
takes the form of bringing the system close to its stability
margins. As for the MDP, the initial MDP generated for the
39-Bus system consisted of 982 states. This number increased
to 1051 states upon the application of the complementary state
generator component.
Finally, we comment on the runtime of the approach. We
have collected results on the MDP generation, MDP comple-
tion, and index calculation runtime. For each of the different
values of γ , and different combinations of the weight factors
(α1 , α2 , α3 ), we performed a hundred runs of the approach,
and we report on the average runtime of those runs. The aver-
age runtimes of the collected results are presented in Table V.
As can be seen from the table, the runtime increases with
the increase in system size. This is expected as the increase
in system size results in more transition states in the gener-
ated MDPs, and consequently affects the index calculation.
However, keeping in mind that the preparation of the MDPs
can be done offline, the MDP generation and completion
runtimes become of less importance to the system operators.
On the other hand, the index calculation requires an average of
1.93 seconds for the IEEE 14-Bus system and 2.34 seconds for
2686
TABLE V
A PPROACH RUNTIME R ESULTS (S ECONDS )
the IEEE 39-Bus system. This indicates that CASeS quantifies
in a timely manner the system security posture.
Based on the collected and presented results, CASeS is
capable of identifying the system security posture according
to threats received or identified during the system operations.
Moreover, through CASeS security metric, operators can rank
different system components based on their criticality level
and allocate protection resources accordingly.
V. R ELATED W ORK
There have been several research efforts for propos-
ing security evaluation techniques to quantify the criticality
level of systems from a security point of view in the IT
domain [28]–[30]. However, those solutions can not be easily
adapted to cyber-physical systems such as smart grid, since
those techniques are not tailored to meet the characteristics
and dynamics of cyber-physical systems.
Recently, the security assessment of the smart grid gained
much interest from the research community [4], [7]–[10], [13],
[16], [31]. Indeed, Zonouz et al. [9] introduced SOCCA as
a cyber-physical contingency analysis framework to quantify
the physical impact of cyber-attacks. Through SOCCA, the
authors use cyber and physical network typologies to define a
security metric representing overloaded transmission lines in
the presence of cyber attacks. Nevertheless, this metric does
not consider concurrent contingencies, and fails to capture
other physical impact at the power system level. Another work
from the literature that is close to ours is presented in [13]
where the authors devise a combinatorial impact evaluation
in the power grid based on cyber-physical relations between
the grid components. This evaluation establishes a metric to
quantify cyber-attacks impact on IP-based substations, and
identifies critical substations which may present a significant
risk on the system when compromised. However, the authors
consider a single substation outage as the worst case scenario
and do not use any real power system testbed for the evalua-
tion of the impact. Our work can be mainly distinguished from
the literature by the consideration of concurrent power con-
tingencies (multiple coordinated cyber-physical compromises)
stemming from a cyber origin, and evaluating the physical
impact of those compromises using a realistic HIL smart grid
testbed. Through CASeS, we leverage cyber-physical depen-
dencies, the communication network architecture, intrusion
detection system reports, firewall rules and access control poli-
cies, and power system dynamics to provide a quantification
of the system security based on explicit and implicit physical
impact of cyber attacks. This quantification allows the antici-
pation of the impact of cyber compromises, and the preparation
of real-time corrective actions.
VI. C ONCLUSION
In this paper, we presented a contingency analysis-based
security evaluation framework with a special emphasis on
Authorized licensed use limited to: Institute of Aeronautical Engineering. Downloaded on October 16,2024 at 11:21:00 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON SMART GRID, VOL. 11, NO. 3, MAY 2020
concurrent power contingencies. The presented framework,
CASeS, quantifies the system security level, and assigns a
security index to system states based on the dynamic changes
in the system served load and the success chances of cyber-
attacks. CASeS security index quantifies the grid criticality
level, and reflects the system security posture. Results col-
lected through CASeS can be utilized to define corrective
actions for system protection in the presence of cyber-attacks.
We have demonstrated CASeS capabilities on different IEEE
test systems. The collected results through experimentation
reveal CASeS capabilities, and manifest the need of such a
framework for power system protection and control.
As a future work, we aim at extending the defined metric
to cover other components of the smart grid. We are mainly
interested in the security quantification of wide area monitor-
ing systems (WAMS), and we believe that we can build on
top of CASeS to design a security metric tailored for WAMS.
R EFERENCES
[1] H. Farhangi, “The path of the smart grid,” IEEE Power Energy Mag.,
vol. 8, no. 1, pp. 18–28, Jan./Feb. 2010.
[2] R. Baheti and H. Gill, “Cyber-physical systems,” Impact Control
Technol., vol. 12, no. 1, pp. 161–166, 2011.
[3] H. Georg, S. C. Müller, C. Rehtanz, and C. Wietfeld, “Analyzing cyber-
physical energy systems: The INSPIRE cosimulation of power and
ICT systems using HLA,” IEEE Trans. Ind. Informat., vol. 10, no. 4,
pp. 2364–2373, Nov. 2014.
[4] B. Moussa, M. Debbabi, and C. Assi, “Security assessment of time
synchronization mechanisms for the smart grid,” IEEE Commun. Surveys
Tuts., vol. 18, no. 3, pp. 1952–1973, 3rd Quart., 2016.
[5] Y. Mo et al., “Cyber–physical security of a smart grid infrastructure,”
Proc. IEEE, vol. 100, no. 1, pp. 195–209, Jan. 2012.
[6] S. Sridhar, A. Hahn, and M. Govindarasu, “Cyber–physical system
security for the electric power grid,” Proc. IEEE, vol. 100, no. 1,
pp. 210–224, Jan. 2012.
[7] Z. Lu, X. Lu,W. Wang, and C. Wang, “Review and evaluation of secu-
rity threats on the communication networks in the smart grid,” in Proc.
Military Commun. Conf. (MILCOM), 2010, pp. 1830–1835.
[8] A. Hahn and M. Govindarasu, “Cyber attack exposure evaluation frame-
work for the smart grid,” IEEE Trans. Smart Grid, vol. 2, no. 4,
pp. 835–843, Dec. 2011.
[9] S. Zonouz, C. M. Davis, K. R. Davis, R. Berthier, R. B. Bobba, and
W. H. Sanders, “SOCCA: A security-oriented cyber-physical contin-
gency analysis in power infrastructures,” IEEE Trans. Smart Grid, vol. 5,
no. 1, pp. 3–13, Jan. 2014.
[10] S. Zonouz, C. M. Davis, K. R. Davis, R. Berthier, R. B. Bobba, and
W. H. Sanders, “SCPSE: Security-oriented cyber-physical state estima-
tion for power grid critical infrastructures,” IEEE Trans. Smart Grid,
vol. 3, no. 4, pp. 1790–1799, Dec. 2012.
[11] R. Kinney, P. Crucitti, R. Albert, and V. Latora, “Modeling cascading
failures in the North American power grid,” Eur. Phys. J. B, Condens.
Matter Complex Syst., vol. 46, no. 1, pp. 101–107, 2005.
[12] B. Moussa, P. Akaber, M. Debbabi, and C. Assi, “Critical links identi-
fication for selective outages in interdependent power-communication
networks,” IEEE Trans. Ind. Informat., vol. 14, no. 2, pp. 472–483,
Feb. 2018.
[13] C.-W. Ten, A. Ginter, and R. Bulbul, “Cyber-based contingency
analysis,” IEEE Trans. Power Syst., vol. 31, no. 4, pp. 3040–3050,
Jul. 2016.
[14] R. M. Lee, M. J. Assante, and T. Conway, Analysis of the Cyber Attack
on the Ukrainian Power Grid SANS Ind. Control Syst., Bethesda, MD,
USA, 2016.
[15] Industrial Control Systems Cyber Emergency Response Team. Accessed
Sep. 10, 2018. [Online]. Available: https://ics-cert.us-cert.gov/
[16] Y. Zhang, L. Wang, Y. Xiang, and C.-W. Ten “Inclusion of SCADA
cyber vulnerability in power system reliability assessment considering
optimal resources allocation,” IEEE Trans. Power Syst., vol. 31, no. 6,
pp. 4379–4394, Nov. 2016.
[17] P. Mell, K. Scarfone, and S. Romanosky, “Common vulnerability scoring
system,” IEEE Security Privacy, vol. 4, no. 6, pp. 85–89, Nov. 2006.
AKABER et al.: CASeS: CONCURRENT CONTINGENCY ANALYSIS-BASED SECURITY METRIC DEPLOYMENT FOR SMART GRID
[18] P. Mell, K. Scarfone, and S. Romanosky, A Complete Guide to the
Common Vulnerability Scoring System Version 2.0, vol. 1. Cary, NC,
USA: FIRST, 2007, p. 23.
[19] P. Cheng, L. Wang, S. Jajodia, and A. Singhal, “Aggregating CVSS base
scores for semantics-rich network security metrics,” in Proc. IEEE 31st
Symp. Reliable Distrib. Syst., 2012, pp. 31–40.
[20] M. Zhang, L. Wang, S. Jajodia, and A. Singhal, “Network attack surface:
Lifting the concept of attack surface to the network level for evaluating
networks’ resilience against zero-day attacks,” IEEE Trans. Dependable
Secure Comput., to be published.
[21] L. Wang, T. Islam, T. Long, A. Singhal, and S. Jajodia, “An attack
graph-based probabilistic security metric,” in Proc. IFIP Annu. Conf.
Data Appl. Security Privacy, 2008, pp. 283–296.
[22] Defense Use Case, Analysis of the Cyber Attack on the Ukrainian Power
Grid. Elect. Inf. Sharing Anal. Center, Mar. 2016.
[23] A. Albarakati, B. Moussa, M. Debbabi, A. Youssef, B. L. Agba, and
M. Kassouf, “Openstack-based evaluation framework for smart grid
cyber security,” in Proc. IEEE Int. Conf. Commun. Control Comput.
Technol. Smart Grids (SmartGridComm), 2018, pp. 1–6.
[24] B. Russell, Power System Control and Protection. Amsterdam,
Netherlands: Elsevier Sci., 2012. [Online]. Available:
https://books.google.ca/books?id=zMqybMj5LjMC
[25] F.-Y. Wang, H. Zhang, and D. Liu, “Adaptive dynamic programming:
An introduction,” IEEE Comput. Intell. Mag., vol. 4, no. 2, pp. 39–47,
May 2009.
[26] J. Filar and K. Vrieze, Competitive Markov Decision Processes.
Heidelberg, Germany: Springer, 2012.
[27] “Network engineering guideline for communication networks and
systems in substations,” IEC-TW57, Geneva, Switzerland, Rep. IEC
61850–90-4, 2013.
[28] J. Pamula, S. Jajodia, P. Ammann, and V. Swarup, “A weakest-adversary
security metric for network configuration security analysis,” in Proc. 2nd
ACM Workshop Quality Prot., 2006, pp. 31–38.
[29] M. Frigault, L. Wang, A. Singhal, and S. Jajodia, “Measuring network
security using dynamic Bayesian network,” in Proc. 4th ACM Workshop
Quality Prot., 2008, pp. 23–30.
[30] I. Kotenko and M. Stepashkin, “Attack graph based evaluation of
network security,” in Proc. IFIP Int. Conf. Commun. Multimedia
Security, 2006, pp. 216–227.
[31] C.-W. Ten, K. Yamashita, Z. Yang, A. V. Vasilakos, and A. Ginter,
“Impact assessment of hypothesized cyberattacks on interconnected bulk
power systems,” IEEE Trans. Smart Grid, vol. 9, no. 5, pp. 4405–4425,
Sep. 2018.
Parisa Akaber, photograph and biography not available at the time of
publication.
Bassam Moussa received the B.S. degree in com-
puter science from the Lebanese University, Beirut,
Lebanon, in 2004, the M.Sc. degree in com-
puter science from the American University of
Beirut, Beirut, Lebanon, in 2009, and the Ph.D.
degree in information and systems engineering from
Concordia University, Montreal, in 2018. He is cur-
rently a Postdoctoral Fellow with Thales Research
and Technology in Artificial Intelligence eXpertise
(cortAIx). His research interests include cybersecu-
rity for the smart grid, security of cyber-physical
systems, IoT security, security metrics, time synchronization systems, commu-
nication protocols, and cascading failures. He holds the FRQNT Postdoctoral
Award with cortAIx.
Mohsen Ghafouri received the B.Sc. and master’s
degrees in electrical engineering from the Sharif
University of Technology, Tehran, Iran, in 2009 and
2011, respectively, and the Ph.D. degree in electrical
engineering from Polytechnique Montreal, Montreal,
QC, Canada, in 2018. He was a Researcher with
Iranian Power System Research Institute, Sharif
University from 2011 to 2014. In 2018, he was a
Researcher with CYME International, Eaton Power
System Solutions, Montreal, QC, Canada. In August
2018, he joined as the Horizon Postdoctoral Fellow
with Security Research Group, Concordia University, where he is currently
an Assistant Professor. His research interests include cyber security of
smart grids, power system modeling, microgrid, wind energy, and control
of industrial processes.
Authorized licensed use limited to: Institute of Aeronautical Engineering. Downloaded on October 16,2024 at 11:21:00 UTC from IEEE Xplore. Restrictions apply.
2687
Ribal Atallah received the B.E. degree in com-
puter engineering from the Notre Dame University
of Louaize, Lebanon, in 2009, the M.Sc.E.
degree in computer engineering from Lebanese
American University in 2012, and the Ph.D.
degree in information and systems engineering from
Concordia University, Montreal, Canada, in 2017.
He is currently a Cybersecurity Research Scientist
with Hydro-Québec working on various machine
learning algorithms to protect the smart grid against
cyber attacks. His research interests include deep
learning, deep reinforcement learning, cyber security of the smart grid, and
intelligent transportation systems and queuing theory.
Basile L. Agba received the M.Sc. and Ph.D. degrees in electronics and
optoelectronics from the University of Limoges, France. He is the Vision
and Partnerships Manager and the Senior Scientist with the Hydro-Quebec
Research Institute. Since 2009, he has been an Adjunct Professor with the
École de technologie supérieure, Montreal. He has coauthored many scien-
tific publications and the Springer book Wireless Communications for Power
Substations: RF Characterization and Modeling.
Chadi Assi (Fellow, IEEE) received the B.Eng. degree from the Lebanese
University, Beirut, in 1997, and the Ph.D. degree from the Graduate Center,
City University of New York, NY, USA, in April 2003. He was a Visiting
Scientist with Nokia Research Center, Boston, from 2002 to 2003 for one year,
working on quality-of-service in optical access networks. He is currently a
Professor with Concordia University, where he holds the Tier I University
Research Chair. He is currently supervising a group of 14 Ph.D. students
and 4 M.A.Sc. students and has successfully supervised 18 Ph.D. students
and 25 M.A.Sc. students. His students received very prestigious awards from
NSERC and FQRNT. His current research interests are in the general areas of
networks, network design and modeling, network optimization, resource vir-
tualization and network, and cyber security. He received the Prestigious Mina
Rees Dissertation Award from the City University of New York in August
2002 for his research on wavelength-division-multiplexing optical networks
and lightpath provisioning. He held a Tier II University Chair with Concordia
from 2012 to 2017 in the area of wireless networks. He is on the Editorial
Board of the IEEE C OMMUNICATIONS S URVEYS AND T UTORIALS, and
serves as an Associate Editor for the IEEE T RANSACTIONS ON V EHICULAR
T ECHNOLOGY, the IEEE T RANSACTION ON COMMUNICATIONS, the IEEE
T RANSACTIONS ON M OBILE C OMPUTING, and the IEEE T RANSACTIONS
ON N ETWORK AND S ERVICE M ANAGEMENT .
Mourad Debbabi received the Ph.D. and M.Sc.
degrees in computer science from the University
of Paris-Sud, Orsay, France. He is a Full Professor
with the Concordia Institute for Information Systems
Engineering, where he is an Associate Dean
Research and Graduate Studies with the Gina
Cody School of Engineering and Computer Science.
He holds the NSERC/Hydro-Quebec Thales Senior
Industrial Research Chair in Smart Grid Security and
the Concordia Research Chair Tier I in Information
Systems Security. He is also the President of the
National Cyber Forensics and Training Alliance Canada. He is a member
of CATAAlliance’s Cybercrime Advisory Council. He serves/served on the
boards of Canadian Police College, PROMPT Québec and Calcul Qué́bec.
He is the Founder and one of the Leaders with the Security Research Centre,
Concordia University. He served as a Senior Scientist with the Panasonic
Information and Network Technologies Laboratory, Princeton, NJ, USA; an
Associate Professor with the Computer Science Department, Laval University,
Canada; the Senior Scientist with General Electric Research Center, New
York, USA; the Research Associate with the Computer Science Department,
Stanford University, California, USA; and the Permanent Researcher with
the Bull Corporate Research Center, Paris, France. He supervised to success-
ful completion 30 Ph.D. students, 76 Master students, and 14 Postdoctoral
Fellows. He published 5 books and more than 300 peer-reviewed research
articles in international journals and conferences on cyber security, cyber
forensics, smart grid, privacy, cryptographic protocols, threat intelligence gen-
eration, malware analysis, reverse engineering, specification and verification
of safety-critical systems, and programming languages and type theory.