
Version of Record: https://www.sciencedirect.com/science/article/pii/S1874548222000348

Machine Learning for Cybersecurity in Smart Grids: A Comprehensive Review-based Study on Methods, Solutions, and Prospects
Tarek Berghout1, Mohamed Benbouzid2,3,*, and S. M. Muyeen4
1University of Batna 2, Laboratory of Automation and Manufacturing Engineering, 05000 Batna, Algeria (email: [email protected])
2University of Brest, UMR CNRS 6027 IRDL, 29238 Brest, France (email: [email protected])
3Shanghai Maritime University, Logistics Engineering College, 201306 Shanghai, China
4Qatar University, Department of Electrical Engineering, 2713 Doha, Qatar (email: [email protected])
*Corresponding author: Mohamed Benbouzid.

Abstract: In modern Smart Grids (SGs) ruled by advanced computing and networking technologies, condition monitoring relies on secure cyberphysical connectivity. Due to this connection, a portion of transported data, containing confidential information, must be protected as it is vulnerable and subject to several cyber threats. SG cyberspace adversaries attempt to gain access through networking platforms to commit several criminal activities such as disrupting or maliciously manipulating the whole electricity delivery process including generation, distribution, and even customer services such as billing, leading to serious damage, including financial losses and loss of reputation. Therefore, human awareness training and software technologies are necessary precautions to ensure the reliability of data traffic and power transmission. By exploring the available literature, it is undeniable that Machine Learning (ML) has become the latest in the timeline and one of the leading artificial intelligence technologies capable of detecting, identifying, and responding by mitigating adversary attacks in SGs. In this context, the main objective of this paper is to review different ML tools used in recent years for cyberattack analysis in SGs. It also provides important guidelines on ML model selection as a global solution when building an attack predictive model. A detailed classification is therefore developed with respect to the data security triad, i.e., Confidentiality, Integrity, and Availability (CIA), within different types of cyber threats, systems, and datasets. Furthermore, this review highlights the various encountered challenges, drawbacks, and possible solutions as future prospects for ML cybersecurity applications in SGs.

Keywords: Cybersecurity, cyberattacks, machine learning, model selection, smart grids.

1. Introduction

Condition Monitoring (CM) of electrical power grids is an essential anomaly prevention process enabling higher quality continuous delivery of electrical energy with hopefully zero downtimes [1], [2]. Today's advanced computing and networking technologies make power grid CM a more ergonomic and accessible centralized process led by the so-called Internet of Things (IoT) technologies [3]–[5]. SGs are a combination of two interconnected layers, in particular, a cyber layer and a physical one [6]. The cyber layer is a blend of computer networking technologies and necessary monitoring applications and software. The physical layer comprises physical elements and field devices (e.g., smart sensors, actuators, generators, programmable logic controllers (PLCs), networking cables, and computers) [7]. More precisely, the cyber layer software is used to control different industrial processes in the physical layer through specific industrial networking protocols of Industrial IoT (IIoT). Plugging the two layers into the Internet makes the entire SG network processes more vulnerable to cyberthreats. Cyberattacks are the attempts of sufficiently qualified individuals known as cybercriminals to destroy or maliciously use the cyberphysical system by targeting one of the CIA security pillars via unauthorized access to cybersecurity systems [8], [9]. Confidentiality attacks require unauthorized access via someone’s credentials to private information with the purpose of malicious activity. Integrity attacks refer to intentional attacks that tend to modify data content, leading to damage to the system [9], [10]. Availability attacks are time-delayed attacks that are usually Denial of Service (DoS) attacks, which try to slow down data traffic and alter the whole process [11], [12]. Additionally, DoS attacks may also gain time to further proceed with confidentiality or integrity attacks [13].

© 2022 published by Elsevier. This manuscript is made available under the Elsevier user license https://www.elsevier.com/open-access/userlicense/1.0/

Generally speaking, due to many vulnerabilities such as lack of authentication, data encryption, and continuous data integrity checking, SGs are vulnerable to one of the aforementioned threats under the CIA umbrella. Therefore, necessary security, prevention, and process backup plans are top priorities for the cyberphysical system's immunity against any possible adversary. In this context, cyberthreat detection and mitigation can be found under two categories: Human-Centric (HC) and Non-Human Centric (NHC) approaches [10]. HC approaches (i.e., authentication, training, passwords, awareness, and updates) refer to continuous training and the expansion of human awareness about necessary new security precautions. NHC approaches (i.e., blockchain, cloud computing, game theory [14], ML, etc.) signify different modeling procedures and automatic detection via specifically designed hardware and software. Ongoing human awareness training and updates on safety precautions play an important role in preventing data theft. In fact, a simple daily mistake could be an easy cause of a data breach. Clicking wrong spam links, giving confidential information to inappropriate persons, or more generally, hesitantly ignoring security policies, are some common human errors, to mention a few [15].

On the other hand, NHC approaches are very important in diagnosing (i.e., detecting and identifying) data traffic and making use of any suspicious false data symptoms when HC approaches are unable to cope with such digital threats. Blockchain digital ledgers are able to mitigate data changes, theft, or cheating by following certain specific rules for recording information. However, their installation and duplication across all SG nodes make them highly expensive, especially in terms of energy consumption. Besides, private blockchains have witnessed low security efficiency [16]–[18]. Cloud computing-based security has the advantage of allowing higher security features under low latency and computational costs. However, it needs higher bandwidth and depends completely on the web service provider [19]. Classical residue-based modeling and simulation techniques separate the two layers (i.e., cyber and physical layers) and are no longer effective in establishing the behavior of both simultaneously. Contrariwise, ML modeling procedures of attack behaviors based on historical data show promising performance and have become leading alternatives in the cybersecurity field. ML has the advantages of higher accuracy, the ability to adapt to dynamic data, lower deployment costs, and plenty of available black-box models that are easy to use directly [20], [21]. In this context, many ML models, which use different learning paradigms including both conventional and advanced deep learning, have been developed. In terms of SGs, data-driven model reconstruction is based on data analysis from both inbound and outbound traffic of both cyber and physical layers. Capturing anomaly patterns on both sides is therefore the mission of the designed ML prediction model.

1.1. Related comprehensive studies

As part of using ML techniques to model data behavior in terms of holding attack and normal data patterns, many recent comprehensive ML studies giving insightful information about the use of attack modeling in the context of SGs have been published. For instance, Yohanandhan et al. [22] studied different modeling techniques used for cyberphysical power systems in addition to simulation methods for a wide range of cyberthreats and cybersecurity measures. ML for cybercrime investigations is discussed as a perspective but not thoroughly detailed. The SG cybersecurity review introduced by Nejabatkhah et al. [23] is more generally dedicated to SG description, integrity attacks (specifically false data injection (FDI)), security protocols in a general way, and the economic impacts of cyberattacks on both cyber and physical layers. In their review, ML is almost completely absent, with no specific pointing to it. Ye et al. [24] discussed cybersecurity challenges and future prospects in power grids, specifically photovoltaic systems. In terms of modeling security systems, both model-based and data-driven approaches have been discussed. Besides, blockchain approaches are also elaborated. ML and artificial intelligence are briefly discussed as future perspectives (see [24], § V.B). Hossain et al. [25] made an excellent contribution in this context, where ML security is analyzed under the application of both big data and ML. Accordingly, ML has been discussed as a single technique without a detailed classification of approaches (e.g., conventional and advanced deep learning). In fact, the ML part concentrates more on learning paradigms (i.e., supervised and unsupervised learning) and types of threats. Besides, its applications in the cybersecurity of renewable energy systems (i.e., solar and wind) are discussed. Alimi et al. [26] studied machine learning techniques for both cybersecurity and stability of power systems. ML is discussed according to cyberattack detection, power quality disruption, and dynamic security assessment. ML tools are therefore listed, where reinforcement learning and deep learning are given special attention. Musleh et al. [27] elaborated a comprehensive study on FDI detection algorithms in SG networks. ML is briefly discussed as an FDI attack detection technique that allows detection in three main ways: supervised learning, unsupervised learning, and reinforcement learning. In the review paper introduced by Kotsiopoulos et al. [28], ML is introduced as two subcategories including conventional ML and advanced deep learning methods. These categories were studied according to their application in Industry 4.0 (e.g., embedded artificial intelligence devices, resilience factory, smart human and health performances, predictive energy systems, worry-free transportation, and industrial-based artificial intelligence educational systems), where SGs are more detailed. In their review, the ML topic was seen as a challenge for these applications. Accordingly, time, an interesting key feature that is related to federated learning, is brought to attention and further discussed. In the work of Cui et al. [29], FDI-based ML in SGs is the main studied topic. Investigation criteria of ML modeling are undertaken under three main topics, namely fraud detection, state estimation, and load forecasting. ML is thereafter broken down into three broad categories including supervised, unsupervised, and reinforcement learning. Jow et al. [30] introduced a survey of intrusion detection systems in SGs, where ML is mentioned as following learning paradigms including supervised and unsupervised learning. Radoglou-Grammatikis et al. [31] also introduced a comprehensive study of intrusion detection and prevention systems. Among three categories of intrusion detection techniques, namely signature-based, anomaly-based, and specification-based, ML is generally discussed as an anomaly-based approach.

To better understand the contribution of the aforementioned reviews, Table 1 shows how ML has been approached in a cybersecurity context.

Table 1. Discussed reviews about ML for cybersecurity in SGs.

Reference | Description of ML discussion methodology in the context of cybersecurity in SGs
Yohanandhan et al. [22] | ML is discussed as perspective only
Nejabatkhah et al. [23] | ML topic is almost not discussed
Ye et al. [24] | ML has been discussed as perspective only
Hossain et al. [25] | ML is discussed only as a technique for big data analysis
Alimi et al. [26] | ML is classified according to many applications besides cyberthreats types
Musleh et al. [27] | ML is classified into supervised, unsupervised, and reinforcement learning methods
Kotsiopoulos et al. [28] | Cybersecurity is discussed as a challenge to ML applications in SGs
Cui et al. [29] | ML is classified into supervised, unsupervised, and reinforcement learning methods
Jow et al. [30] | ML is classified into supervised and unsupervised learning methods
Radoglou-Grammatikis et al. [31] | ML is generally discussed as anomaly-based approach

According to the above-selected literature reviews, specifically the results in Table 1, many conclusions about ML applications in cybersecurity of SGs are drawn. These conclusions can be listed as follows:

1. Most ML reviews such as [22]–[24], [26], [28] are dedicated to studying different applications, of which cybersecurity is one. In this context, ML is treated as a single technique, which normally leads to a brief description rather than an in-depth classification.

2. In further studies that delve deeper into ML applications for SGs, ML is categorized according to the types of learning paradigm and some types of cyberthreats, such as in [25], [27], [29], [30].

3. Most ML tools are classified according to well-known learning paradigms (i.e., supervised, unsupervised, and reinforcement learning), and the reviews proceed by listing the used tools and deriving conclusions.

1.2. Contributions

Generally speaking, these comprehensive studies, including surveys and reviews, classify the used ML methods according to either different applications in SGs (i.e., not necessarily cybersecurity) or the learning philosophy (i.e., supervised, unsupervised, and reinforcement learning). After that, several features like limitations, clarifications, pros, and cons are listed in detail. Future prospects can also be found, but not specifically pointing to the current topic. In this context, we believe that besides these relevant items, instruction to readers on “how it’s done?” is very important. In other words, no guidelines were proposed for either model selection or reconstruction. Besides, most of these reviews also did not take into account the model selection criteria, i.e., “on what criteria to choose a specific ML model?”.

Accordingly, and in an attempt to provide an even clearer analysis of ML applications in the cybersecurity of SGs as well as a more detailed classification, our main contributions in this comprehensive review-based study are listed as follows:

1. Introducing a general solution on “how it’s done?” (i.e., how to solve any attack detection problem) using ML tools to remedy model selection issues;

2. Providing a useful flowchart on “what criteria to choose a specific ML model?”, which helps in easily selecting the appropriate learning model type for each specific data with different characteristics;

3. Providing a better classification of ML models, which delves into the context of cybersecurity more than previously mentioned classifications. This classification ranks ML tools according to CIA security attributes to provide a better and more accurate projection of ML models in the area of SG cybersecurity;

4. Introducing the best-known classification of ML tools according to two model complexity criteria (i.e., conventional learning and deep learning) to help distinguish modeling complexity in processed data;

5. Addressing all types of learning paradigms, including supervised, unsupervised, and reinforcement learning, in addition to modeling architectures such as ordinary, hybrid, and ensemble;

6. Listing used datasets, systems, and treated types of attacks to help readers easily access applications and gain information such as the most confronted attacks;

7. Summarizing advantages, disadvantages, challenges, and drawbacks, if available, of ML-based cybersecurity in power grids of selected references;

8. Illustrating important future prospects.

This review-based study is carried out following a well-structured bibliographical search via well-known search engines on recent works carried out during the last five years, while more attention was paid to papers published in the past three years in well-known databases. In this context, keywords belonging to the lexical set of cybersecurity in smart grids and machine learning have been judiciously selected. As a result, it may be seen later that most of the collected papers focus on detecting attacks while only a few might embrace the concept of mitigation and remediation. It should be mentioned that these results are not intentionally pushed towards attack detection rather than mitigation and correction. In fact, the analysis of the papers is responsible for these findings.

This paper is organized as follows: Section 2 provides a general methodology for ML threat detection, including guidelines for the model selection process. Section 3 is devoted to describing the aforementioned classification of ML tools in SG security according to the CIA triad. Section 4 elucidates the challenges and drawbacks of ML applications. Section 5 is dedicated to providing future research directions. Finally, Section 6 concludes the review-based study and provides important prospects.

2. Standard ML-based cybersecurity scheme

Typically, cybercriminals target the transmission lines connecting the two layers of the cyberphysical system. The attack may be carried out to access these layers. It should be noted that data transmission lines can be wired or wireless depending on the preferred sensing technologies. Wireless sensors are more susceptible to security threats since it is easy to install signal-capturing nodes in this case. Threatening the physical layer is conceivably realized by several data injection attacks, which can damage the control process and cause physical and economic losses and loss of reputation, and could even extend to catastrophic loss of lives [32], [33]. In addition, attackers could manipulate the cyber layer and steal top-notch confidential information, which can also lead to malicious control before that of legitimate people. In the SG context, as shown in the diagram of Figure 1, ML aims to detect attacks in three particular steps, namely data preprocessing, training process, and detection process.

[Figure 1: two-panel diagram. (a) Physical layer (generation, transport, distribution of electrical energy, etc.) and cyber layer (control, surveillance, security, resources planning, billing applications, etc.), linked by networking and control protocols (TCP/IP, S7comm, Modbus, MQTT, etc.); hackers threaten transmission lines through specific nodes. (b) Data traffic capturing; data preprocessing (features selection, extraction, mapping, cleaning, dimensionality reduction, encoding, etc.); training data feeding model training (model selection, online/offline training, and validation), which yields the trained model; testing data feeding detection (online/offline detection).]

Figure 1. ML modeling of cyberattack detection process in SGs: (a) SGs main layers and threats illustration; (b) Necessary steps of building a ML model for attack detection.

2.1. Data preprocessing

ML modeling generally depends on data quality, where distribution similarity between training and testing (unseen) samples plays an important role. Also, in terms of attack detection modeling (i.e., classification or clustering), data is often subject to an imbalanced class proportion. These constraints usually make data preprocessing a very difficult task. In fact, there are two main methods to process traveling data in SGs: signal processing (SP) or ML processing techniques. SP techniques are recommended when captured data is recorded as voltage, current, and frequency characteristics, which typically have higher sampling rates and a higher level of nonstationarity and nonlinearity. In this context, significant pattern extraction, signal filtering, and dimensionality reduction are essential to provide proper training samples. ML processing techniques are recommended when data is captured from network nodes (e.g., switches, firewalls, programmable logic controllers, etc.) as control protocol and address configuration features such as IP address and MAC address. This section describes well-known SP and ML preprocessing techniques used to create attack prediction models.

2.1.1. SP preprocessing techniques

SP techniques are very effective feature extraction and dimensionality reduction tools. In fact, SP techniques are highly recommended when extracting useful information from highly nonlinear and nonstationary processes. Besides, these techniques are very useful when detecting whether previous filtration of data has been either innocuous or encrypted. In the field of cybersecurity, many SP tools have been used for feature extraction and data preprocessing along with ML classifiers/clusters. For example, the Hilbert Huang Transform (HHT) [34], [35] is used along with deep learning networks [36] and Support Vector Machine (SVM) [37]. The Fast Fourier Transform (FFT) is used with deep learning [38] to detect attacks like false alarm rate (FAR), precision, and detection rate (DR) in a smart island. Power Spectral Density (PSD), Byte Probability Distribution (BPD), and Sliding-Window Entropy (SWE) are used with deep learning [39]. Variational Mode Decomposition (VMD) is used with SVM and Online Sequential Extreme Learning Machine (OS-ELM) [40]. The Savitzky-Golay (SaG) filter and Fast S transform (FST) are used with Convolutional Neural Networks (CNN) [41].
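
To illustrate two of the features named above, Byte Probability Distribution (BPD) and Sliding-Window Entropy (SWE), the following added example (not code from the paper or from [39]) extracts both from a captured payload. It assumes SWE means Shannon entropy over a fixed-size byte window; the payload, window size, step, and threshold are constructed for illustration.

```python
import math
from collections import Counter


def modbus_read_request(transaction_id, unit=1, start=0, quantity=10):
    """Build a Modbus/TCP 'read holding registers' (function 0x03) request."""
    # MBAP header: transaction id, protocol id 0, length 6, unit id.
    mbap = transaction_id.to_bytes(2, "big") + b"\x00\x00" + b"\x00\x06" + bytes([unit])
    pdu = b"\x03" + start.to_bytes(2, "big") + quantity.to_bytes(2, "big")
    return mbap + pdu


def build_sample_payload():
    """Constructed capture: 8 polling requests, then 64 bytes with no repeated
    value, standing in for encrypted or compressed content."""
    polling = b"".join(modbus_read_request(t) for t in range(1, 9))
    opaque = bytes((i * 167 + 13) % 256 for i in range(64))
    return polling + opaque


def byte_probability_distribution(payload):
    """256-bin relative frequency of byte values (the BPD feature vector)."""
    counts = Counter(payload)
    return [counts.get(b, 0) / len(payload) for b in range(256)]


def shannon_entropy(window):
    """Entropy in bits per byte; bounded above by log2(len(window))."""
    n = len(window)
    return -sum((c / n) * math.log2(c / n) for c in Counter(window).values())


def sliding_window_entropy(payload, window=32, step=16):
    """(offset, entropy) for every window that fits entirely in the payload."""
    return [(off, shannon_entropy(payload[off:off + window]))
            for off in range(0, len(payload) - window + 1, step)]


def high_entropy_offsets(payload, threshold=4.5, window=32, step=16):
    """Offsets whose window entropy reaches the (assumed) threshold."""
    return [off for off, h in sliding_window_entropy(payload, window, step)
            if h >= threshold]


def feature_vector(payload):
    """Fixed-length sample for a downstream classifier: BPD plus SWE summary."""
    entropies = [h for _, h in sliding_window_entropy(payload)]
    return byte_probability_distribution(payload) + [
        min(entropies), max(entropies), sum(entropies) / len(entropies)]


if __name__ == "__main__":
    sample = build_sample_payload()
    for offset, h in sliding_window_entropy(sample):
        print(f"offset {offset:3d}: {h:.3f} bits/byte")
    print("high-entropy windows start at", high_entropy_offsets(sample))
```

The structured polling frames stay near 2 bits per byte, while the opaque region reaches the 5-bit ceiling of a 32-byte window, so the SWE feature localizes where the traffic stops looking like the control protocol.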

2.1.2. ML preprocessing techniques

Unlike SP techniques, ML preprocessors of different types are faster, easier, and simpler to manipulate and to implement in controlling devices since they are not expensive in terms of information size (i.e., bytes) and need fewer computing resources. However, ML tools need a specific set of conditions to be followed to gain a meaningful feature space, for example regarding data distribution mismatch. ML preprocessors can be used either for feature extraction or for compression. Examples include AutoEncoders (AEs), which are widely used in different types such as multilevel AEs [42], stacked AEs [43], deep denoising AEs [44], and multi-sourced deep AEs [45]. Singular Value Decomposition (SVD) and Principal Component Analysis (PCA) have also been investigated for sparse coding-based compression or representation [46], [47]. Compressed Sensing (CS) can be used for data-driven prediction, aggregation, and reconstruction [48], [49].

In order to provide more information on the application of the SP and ML preprocessing techniques, Table 2 is provided for a clearer description. One may observe that the most treated types of attacks when using both SP and ML techniques are FDI attacks. However, other important attacks need to be discussed, such as reconnaissance and replay attacks, which are very important in real-world applications. Also, SP-extracted features are generally linked to deep learning models due to the complexity and nonlinearity of the treated signals. Contrariwise, ML preprocessing techniques may or may not be deep unsupervised networks, but are generally linked to a conventional ML classifier. So at this stage, we can conclude that ML preprocessing techniques help in improving feature representations better than SP techniques. This is due to the necessity of only small-scale conventional ML classifiers/clusters to accomplish the detection task, unlike SP techniques, which require deep algorithms even before very complex processing.

Table 2. ML and SP preprocessing techniques used for cybersecurity in SGs.

Reference | Preprocessing tools | ML model | Attack type | System/Dataset

SP preprocessing techniques
Dehghani et al. [35] | HHT | Deep learning | FDI | Smart Island model with several distributed generations is developed in MATLAB
Cui et al. [36] | HHT | SVM | FDI | DC microgrid considering electric vehicles
Chang et al. [38] | FFT | Deep learning | FAR and DR | DC smart microgrid model
Dou et al. [40] | VMD | OS-ELM | FDI | IEEE-14 bus system [50]
Qiu et al. [41] | SaG and FST | CNN | Spoofing | FNET/GridEye [51]

ML preprocessing techniques
Ali et al. [42] | Multilevel AEs | Multiple kernel learning | DoS | UNB ISCX [52] and UNSW-NB 15 [53]
Chen et al. [43] | Stacked AEs | SoftMax layer | FDI | IEEE 39-bus [54]
Ahmed et al. [44] | Deep denoising AEs | Deep denoising AEs | Covert cyber-deception attack | IEEE 14-bus [50], 39-bus [54], 57-bus [55], and 118-bus [56]
Hu et al. [45] | Multi-sourced AEs | Random forest | Intrusion attacks | Hardware in the loop testbed
Anwar et al. [46] | PCA | Weighted least squares | FDI | IEEE 14-bus [50], 30-bus [57], and 57-bus systems [55]
Gilbert et al. [48] | CS | Toeplitz matrix and auto regressive models | Sybil attack, bad mouthing, and forgery attacks | Intel Berkeley research lab testbed

2.2. Training and validation

The training type of an ML threat/attack detection model in a cyberphysical system depends on many data characteristics such as the existence of labels (i.e., whether samples are labeled or not), the availability of data (i.e., complete or incomplete), and data drift (i.e., sequential or non-sequential). It also has common features with user-desired training behavior such as offline and online learning. These metrics allow judging whether the learning paradigms are appropriate for this mission. According to the authors' expertise in ML modeling, Figure 2 illustrates a proposed flowchart that discusses all these cases.

[Figure 2: flowchart. Start; load data; launch initial experiments to determine some data characteristics. Decision nodes: "Data are labeled?" (no: unsupervised learning; yes: supervised learning); "Data are complex?" (no: conventional ML; yes: deep ML); "Data are complete?" (if not: domain adaptation via transfer learning and/or data augmentation via generative models); "Data are online?" (no: offline learning; yes: online/reinforcement learning). Branch labels: data complexity, data availability, data drift. End.]

Figure 2. Selection of security learning type based on data characteristics.

Firstly, the existence of labels in candidate training data is essential to tell whether we need to use supervised or unsupervised learning. For instance, Ahmed et al. [58] used a completely unsupervised learning scheme for integrity attacks in SGs by exploiting isolated forest features. Anwar et al. [59] followed a clustering scheme to detect FDI attacks in SGs. Secondly, data volume and class balancing are used to further judge the next step of learning type. The data is considered complete when training samples containing all the necessary patterns are available. In this case, testing the completeness of data requires running initial experiments by training and validating both small-scale and deep learning models and estimating generalization performance. Accordingly, if data are complete and necessary patterns are quite balanced with no missing attributes, then conventional ML or advanced deep learning is used (this classification will be discussed in the next sections). Selection between deep learning and conventional ML can be done according to the complexity of the encountered data, as detailed in Geetha et al. [60]. If data is not complete, which suggests missing patterns, then data augmentation and/or domain adaptation are recommended to provide either further meaningful samples or more generalization through transfer learning [61]. Data complexity is generally related to three main criteria, which are volume, velocity, and variety, known as 3V. The more 3V we have, the more complex the data is. A main test on specific computer hardware with a set of ML models from conventional and deep learning is also important to judge the complexity of the data [61]. Finally, the nature of driven training samples, which could be generated in real-time (both samples and labels) or already available as a dataset, will tell whether it is necessary to use reinforcement/online learning or offline learning [61]. The works of Liu et al. [62] and Kurt et al. [63] are good examples to address this situation, where both conventional and deep learning have been discussed. In this context, online adaptive learning or reinforcement learning is necessary when dealing with dynamic sequence-to-sequence driven data. Nevertheless, offline models will be enough for static offline data analysis.

2.3. Detection

At this stage, the learning model is already built and evaluated on a set of training and testing samples. The next step consists of the detection of anomalies in data. In this particular case, two different ways can be used depending on the exploited results, namely, offline and real-time detection. The detection process itself, as it seems, depends on where the model is supposed to be used. Offline detection is strictly designed for data analysts whose primary goal is to draw important conclusions based on data mining of samples that have never been seen before by the pre-trained model. The study objectives, in this case, will be limited to specific types of findings needed for specific investigations of real cases.

Meanwhile, real-time detection is the most important results exploitation methodology, especially when it leads to real interaction between the physical layers of SGs. In other words, real-time detection is a common way to deploy ML models to help make the right threat mitigation decisions in an event-driven architecture. In this case, data flow is introduced into the model. The processing pipeline handles all the dynamism of data and makes it ready to be entered into the model. Simultaneously, the data pipeline updates the model adaptively to accommodate new changes in data behavior based on current conditions.

Accordingly, in live security monitoring, the sequence-to-sequence prediction process has to be taken into account, and sample normalization has a strong effect in this case. More precisely, data dynamism changes the structure of the data, and the normalization process has to be managed so that it generalizes and accounts for those new changes. For instance, min-max normalization will no longer be helpful as it pushes new samples to be similar to old ones even if they are not the same. Otherwise, if the model is considered for offline evaluation on a specific block of data, then testing samples should follow the same normalization and preprocessing measures as the data previously used for training [64], [65].
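The normalization point above can be made concrete with a short added example (not code from the paper or from the works it reviews). It contrasts min-max scaling re-fitted on each new block with scaling frozen on training data, and adds a running standardizer for a live stream. The frequency samples, the 0.5 Hz bias, the forgetting factor and the threshold are constructed assumptions.

```python
import math
import random


def minmax_fit(xs):
    """Return the (min, max) bounds that define a min-max scaler."""
    return min(xs), max(xs)


def minmax_apply(xs, lo, hi):
    """Scale with fixed bounds; values outside [lo, hi] land outside [0, 1]."""
    span = (hi - lo) or 1.0
    return [(x - lo) / span for x in xs]


class RunningStandardizer:
    """Mean/variance tracked sample by sample with exponential forgetting."""

    def __init__(self, alpha=0.01, warmup=50):
        self.alpha = alpha      # forgetting factor (assumed value)
        self.warmup = warmup    # samples absorbed before scoring starts
        self.n = 0
        self.mean = 0.0
        self.var = 0.0

    def score(self, x):
        """z-score of x against the current baseline (0.0 during warm-up)."""
        if self.n < self.warmup:
            return 0.0
        return (x - self.mean) / math.sqrt(self.var + 1e-12)

    def update(self, x):
        """Fold x into the baseline: plain average early, forgetting later."""
        self.n += 1
        if self.n == 1:
            self.mean = x
            return
        a = max(self.alpha, 1.0 / self.n)
        d = x - self.mean
        self.mean += a * d
        self.var = (1.0 - a) * (self.var + a * d * d)


def stream_detect(samples, threshold=4.0, alpha=0.01, warmup=50):
    """Flag samples whose z-score exceeds the threshold (assumed value).

    Flagged samples are not folded into the baseline, so a manipulated
    segment cannot pull the statistics towards itself. The trade-off is
    that a legitimate lasting level change needs an operator reset.
    """
    baseline = RunningStandardizer(alpha, warmup)
    flags = []
    for x in samples:
        flagged = abs(baseline.score(x)) > threshold
        flags.append(flagged)
        if not flagged:
            baseline.update(x)
    return flags


def make_data(seed=7):
    """Constructed grid-frequency samples in Hz (not real measurements)."""
    rng = random.Random(seed)
    train = [60.0 + rng.uniform(-0.02, 0.02) for _ in range(200)]
    # Live data drifts slowly, as operating conditions do.
    live = [60.0 + 0.00005 * i + rng.uniform(-0.02, 0.02) for i in range(300)]
    # Manipulated block: same noise, constant 0.5 Hz bias.
    tampered = [60.5 + rng.uniform(-0.02, 0.02) for _ in range(50)]
    return train, live, tampered


def compare_normalizations(train, tampered):
    """Scale the tampered block with re-fitted and with frozen bounds."""
    refit = minmax_apply(tampered, *minmax_fit(tampered))
    frozen = minmax_apply(tampered, *minmax_fit(train))
    return refit, frozen


if __name__ == "__main__":
    train, live, tampered = make_data()
    refit, frozen = compare_normalizations(train, tampered)
    print("re-fitted min-max range:", min(refit), max(refit))
    print("frozen min-max range:   ", round(min(frozen), 1), round(max(frozen), 1))
    flags = stream_detect(live + tampered)
    print("false alarms on drifting data:", sum(flags[:300]))
    print("tampered samples flagged:     ", sum(flags[300:]), "of 50")
```

Re-fitting the bounds on the tampered block maps it back into [0, 1], so a model trained on normalized data sees nothing unusual, while the frozen bounds and the running z-score both keep the shift visible.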

3. ML-based cybersecurity applications

In this section, recent ML approaches under the CIA security attributes shown in the diagram of Figure 3 are discussed. It is therefore divided into three subsections, each of which discusses both conventional ML and deep learning. Conventional ML refers to traditional tools that do not require multiple complex nonlinear layers of feature mappings. In fact, they simply depend on basic strong mathematics in an attempt to achieve the required approximation, such as SVM, K-Nearest Neighbor (KNN), multilayer ANN, etc. Unlike conventional ML, deep learning tools require a deep multilayered web of nonlinear abstractions to achieve a good feature mapping where meaningful representations appear before fine-tuning (supervised learning).

[Figure 3: diagram of the data security triad. Confidentiality: protection against unauthorized access, use or disclosure. Integrity: ensuring accuracy and consistency of data over its life cycle. Availability: ensuring availability of data and application to users when they need them.]

Figure 3. CIA data security triad.

3.1. Confidentiality attacks

The privacy attack is usually performed by injecting some type of data in transmission lines where the attacker can capture confidential information. Once this information is captured, the attacker can gain access to very sensitive data like passwords and account names, if the network traffic is not encrypted. Access to information in SGs will lead to malicious control of the power generation process as well as distribution. This subsection is dedicated to describing the most important problems handled by ML models in both detection and mitigation.

3.1.1. Conventional machine learning

Spoofing attacks and stealthy FDIs are common confidentiality attacks, which have also been subject to conventional ML modeling. For instance, Ashrafuzzaman et al. [66] developed a complex ensemble learning architecture. Their model was based on a set of supervised approximators and unsupervised learning models used for data mapping as a sort of preprocessing. Supervised learners include Logistic Regression (LR), Support Vector Machines (SVM), Naive Bayes (NB), Decision Tree (DT), and Artificial Neural Networks (ANN). The unsupervised learning algorithms are One-class SVM (OCSVM), Isolation Forest (ISOF), Elliptic Envelope (EE), and Local Outlier Factor (LOF). The designed scheme was evaluated on a simulation model, i.e., the IEEE 14-bus system. The IEEE 14-bus test case is a simulation model designed to simulate a real US electrical power system from February 1962. It has 14 buses, 5 generators and 11 loads [50]. In this case, one of the main reasons for ensemble learning schemes is to combine the advantages of several learners to obtain an efficient final fused prediction. It is also helpful to avoid retraining algorithms to search for optimal parameters. However, these architectures are very expensive in terms of computing time and hardware, especially when the data is massive. Furthermore, in terms of limitations, there is a lack of specific reference to the current IIoT and the currently used industrial control protocols. In this case, they mainly focus on building the ML model rather than addressing realistic scenarios.

Cui et al. [67] proposed a spatio-temporal analysis model of a frequency monitoring network (FNET/GridEye) for the detection of spoofing attacks in SGs. FNET/GridEye is a phasor measurement system that uses frequency disturbance recorders to collect necessary power grid monitoring data such as frequency, voltage magnitude, and voltage phase angle. The ML model architecture is basically built upon sparse feature mappings (i.e., data preprocessing) and approximation (i.e., training) via Multi-Grained Cascade Forest (MGCF). Their model architecture was designed to help improve data representations and provide insight into the study of attack patterns in synchrophasors. However, as with the overall architectures of the used MGCF, some disadvantages related to computation time will potentially be encountered. Besides, the concept of adaptive learning is not addressed by MGCF, which makes the current study limited to offline static analysis and does not address changing data conditions.

Kavousi-Fard et al. [6] proposed a lower and upper bound thresholding algorithm for clustering different stages of attack severity in a wireless sensors microgrid dataset. This dataset, which represents realistic attack scenarios, is collected by a specific metering infrastructure of a practical residential microgrid with three neighborhoods and 114 houses. The ML model architecture consists of an ordinary multilayer perceptron (i.e., ANN) optimized with a Modified Symbiotic Organisms Search (MSOS) algorithm. MSOS is adopted for the supervised classification of stealthy FDI attacks using data obtained from wireless sensors installed in a smart microgrid. This combination of thresholding algorithms within the ANN reduces the algorithmic complexity to a certain level, which helps to achieve the availability of computing resources. However, as the model is only discussed on a single data resource, the study may not generalize to a real SG as complex as today's ones, where data is massive and comes from several sensors with different acquisition rates and installations.

Camana et al. [68] built a cyberattack detection model for SG networks with an architecture using Kernel Principal Component Analysis (KPCA) for dimensionality reduction and the Extremely Randomized Trees (ERT) algorithm for classification. The SG networks, in this case, use the IEEE 57-bus and IEEE 118-bus systems. The IEEE 57-bus system reflects a simulation model of a real US electrical power system from early 1960 which has 57 buses, 7 generators, and 42 loads [55]. The IEEE 118-bus system is also a simulation model of a real US electrical power system as of December 1962 which has 19 generators, 35 synchronous condensers, 177 lines, 9 transformers, and 91 loads [56]. The method is tested and compared against a set of state-of-the-art methods and proved its accuracy when detecting stealthy FDI in a power system. It is undeniable that a set of small-scale conventional ML models is an effective way to avoid the complexity of reconstructing an FDI attack detector. Nevertheless, real control systems have been subject to threats beyond FDI, including threats to authentication, encryption, and integrity, to mention a few. In this case, they limit SG cyberthreat detection to FDI only.

Liu et al. [69] used signal processing techniques combined in an architecture of Ensemble Empirical Mode Decomposition (EEMD) and Fast Fourier Transform (FFT) for data preprocessing. The extracted representations were then fed into an ANN for approximation and generalization of a spoofing attack detector. Data from three Universal Grid Analyzers (UGAs) located near Knoxville, TN, USA are used in their study. These UGAs are deployed several kilometers from each other. The data recording process took about a day with a sampling rate of 1.44 kHz. Similar to the work previously discussed in [6], this one also uses a preprocessor and a small-scale ANN model for prediction. The difference is in the use of SP techniques instead of ML preprocessing. The constructed model is able to fit within cyberthreat detection by analyzing traveling electric signals in the networks. Even so, some specific information related to connection protocols, such as node addresses, will be difficult to detect in this case.

Table 3 is a summary of these recent works done under confidentiality attacks on SGs. It is observed that both SP and ML preprocessing techniques are investigated when preprocessing data and building learning models. This highlights the advantages of improving data quality for both training and prediction processes. Additionally, under the use of conventional machine learning, it is obvious that most of the treated types of attacks on data confidentiality are stealthy FDIs and spoofing, where IEEE-bus systems are the most exploited simulation models. It is also seen that ANN is a commonly used tool in most of the reconstructed ML models.

Table 3. Conventional ML for data confidentiality in SGs.

| Reference | ML Tools | Attack type | System/Dataset |
| --- | --- | --- | --- |
| Ashrafuzzaman et al. [66] | LR, SVM, NB, DT, ANN, OCSVM, ISOF, EE, LOF | Stealthy FDI | IEEE 14-bus system [50] |
| Cui et al. [67] | Sparse coding and MGCF | Spoofing | FNET/GridEye [51] |
| Kavousi-Fard et al. [6] | ANN and SOS | Stealthy FDI | Wireless sensors microgrid (references are not revealed) |
| Camana et al. [68] | ERT and KPCA | Stealthy FDI | IEEE 57-bus and IEEE 118-bus [55], [56] |
| Liu et al. [69] | EEMD, FFT and ANN | Spoofing attacks | 3 datasets of UGAs [69] |
| Most discussed | ANN | Stealthy FDI and spoofing | IEEE-bus systems |

3.1.2. Advanced deep learning

Deep learning models refer to very complex training tools designed to provide meaningful feature extraction when it is difficult to do so by conventional methods due to the curse of dimensionality [70]. In this context of cybersecurity in SGs, deep learning has also been exploited. For instance, Kwon et al. [71] used Bidirectional Recurrent Neural Networks (Bi-RNN) to detect several types of attacks in power systems. Evaluation of the learning model was done by simulating malware, FDI, and Disabling Reassembly (DR) attacks. For this purpose, they utilized the IEEE 1815.1 standard as the main decision criterion. This standard describes the mapping between Distributed Network Protocol (DNP3) and communication networks and systems for electric utility automation (IEC 61850). In this work, about three days of network packet collection were performed from an operating Korean substation. The collected packets were labeled by well-qualified engineers into two categories, namely, normal data with no cyberattack and abnormal data. The Bi-RNN shows the ability to emulate very complex sequential adaptive learning without suffering from the vanishing gradient problem or easily tending to overfit.

Keshk et al. [72] proposed a privacy-preservation strategy based on both blockchain and deep learning. The blockchain technology is involved when collecting authentic data by following a specific encryption scheme, while the deep learning model is used for the feature extraction and approximation process. Feature extraction was done via a Variational AE (VAE). The approximation process is thereafter accomplished by using a Long Short-Term Memory neural network (LSTM). The proposed model is evaluated on two different datasets, namely a power plant dataset and the UNSW-NB15 dataset [73], [74]. The power plant dataset includes control attributes of power systems organized in a multiclass classification problem of 37 different classes. The second one is devoted to networking attributes and represents a binary classification problem. By comparing the developed codes to recent state-of-the-art methods, the designed deep network has proven its capabilities. Nevertheless, combining two deep learning methods will lead to additional complexity issues and higher computational costs.

Wang et al. [75] also used an ML architecture, which combines a stack of AEs for unsupervised learning to help in extracting important FDI patterns. The model is thereafter applied to multiple IEEE benchmarks, including the previously stated IEEE 14-bus and 118-bus besides the IEEE 9-bus and IEEE 30-bus systems, to assess its accuracy. The IEEE 9-bus system consists of a 9-bus three-phase power system network while the IEEE 30-bus system represents a simulation of a US electric power system as it was in December 1961, with 15 buses, 2 generators, and 3 synchronous capacitors [50], [56], [57]. A major drawback of these studies on multiple IEEE simulation models is that they cannot be used to prove the generalizability of a deep network designed on any SG. This limitation is due to the lack of realistic threats that cannot be guessed by ML developers.

Yao et al. [76] designed a specific ML architecture, which adopts a CNN to help assess any possibilities of energy theft in SGs. Besides, the Paillier algorithm is employed to protect energy privacy. This work used realistic datasets of nontechnical loss detection problems from the state grid of China [77]. Generally speaking, such a type of dataset is subject to missing information, class imbalance, higher cardinality related to data complexity, and feature similarity. This is why the CNN algorithm was chosen. Indeed, it is a well-known powerful tool for sophisticated convolutional mapping. These mappings give data classes more meaningful representations than the original space. However, CNN does not have the ability to adapt to the dynamicity of data, especially when encountering real data such as in SG environments. Therefore, adaptive units such as recurrent ones are necessary.

Table 4 is a summary of the deep learning tools discussed earlier. A conclusion similar to that for conventional ML models can be drawn in this case. It is also observed that IEEE simulation models are the most widely used ones, which makes deep learning-based cybersecurity studies for data confidentiality poorly reported in terms of real-world application data. Besides, FDI is also the most discussed type of cyberthreat in SGs when discussing data confidentiality. When it comes to the models constructed in the selected deep learning references, it should be mentioned that RNN variants are dominant in this case. AEs have also been given special attention due to their ability to provide meaningful representations when extracting features.

Table 4. Deep learning for data confidentiality in SGs.

| Reference | ML Tools | Attack type | System/Dataset |
| --- | --- | --- | --- |
| Kwon et al. [71] | Bi-RNN | Malware, FDI and DR | IEEE 1815.1 |
| Keshk et al. [72] | VAE and LSTM | Intrusion | Power systems [73], [74] |
| Wang et al. [75] | SAE | FDI | IEEE 9-bus, 14-bus, IEEE 30-bus, and 118-bus systems [50], [56], [57] |
| Yao et al. [76] | CNN | Energy theft | Energy theft dataset [77] |
| Most discussed | RNN and its variant (LSTM) and AEs | FDI | IEEE-bus systems |

3.2. Integrity attacks

An integrity attack is an attack that attempts to distort and corrupt data in transmission lines. It is usually an attempt to undermine trust in the entire cyberphysical system. This subsection introduces ML tools and datasets that have been used to mitigate this kind of attack.

3.2.1. Conventional machine learning

Integrity attacks are recognized as the most familiar type of attack treated by ML experts. This reflects the fact that this type is the most important one in guaranteeing secure connectivity.

Bhusal et al. [78] studied the detection of attacks on voltage regulation that could disturb the voltage control algorithm (i.e., malicious control). They therefore investigated the training of a small-scale ML architecture that includes RF and LR algorithms for diagnosing transmission lines in a SG network. Two datasets/systems have been involved in this work. Accordingly, a 240-node real distribution system located in Midwest USA [79] and the IEEE 123-node simulation model [80] were chosen for the process of ML model reconstruction and evaluation. The first system contains sets of three feeders supplied by a 69kV substation. This system has a total of 23 miles of main power conductors, which provides power to over 1100 customers. The second system features overhead and underground lines, four voltage regulators, four shunt capacitor banks, multiple sectioning and coupling switches, and an unbalanced load with constant current, power, and impedance patterns that allow total active and reactive loads of 3490kW and 1925kV, respectively. This makes their data support their conclusion of ML model explainability based on realistic results.

Soltan et al. [81] investigated two types of attacks on a SG, which can remotely activate switches (i.e., tripping), namely, disconnection of lines and blocking measurements that attempt to reach the control center. The investigated ML model is, in this case, a Probabilistic Bayesian Regression (PBR) model used to detect different classes. In their study, they followed a methodology of attack deployment using the DC power flow model similar to that of their previous work in [82]. More specifically, a linearized DC power flow model was used. It is typically used as an approximation for a nonlinear AC power flow model when studying electrical network vulnerabilities. Their PBR approach achieves great performance, especially when it fits into the analysis of malicious controls, which is a very important aspect of data integrity.

An integrity attack detection approach based on Denial of Service (DoS) is discussed in the work of Wang et al. [83]. SVM and DT are used to train an ML model as a particular agent. Many agents have thereafter been cloned to make sure that several combinations of hyperparameters have been scanned. After that, results are fused and a decision is made upon a single output. When tested on the IEEE 39-bus system, their model has proven its ability to detect bad data in network operating states with the ability to adjust its corrective actions to adapt to under-attack situations. The IEEE 39-bus system is well known as the New England 10-machine power system, which represents an aggregation of a large number of generators [54]. From an algorithmic point of view, it can be observed that adaptive learning capability is added to fit within data changes. In this case, the model has both algorithmic simplicity and adaptability, which are compatible with big data anomaly detection.

Ravikumar et al. [84] proposed a damping control mitigation algorithm for a wide-area power system. This study considered coordinated and primitive attacks such as pulse, ramp, relay-trip, and replay attacks as the main integrity attacks. It was conducted on a combined power system of two zones of four machines, while data were generated using a parallel execution approach to be used for all power grid models at a large scale. The authors therefore used KNN and DT for the classification of such data anomalies. In this area, KNN and DT can achieve great classification performance. However, the lack of adaptive learning will not allow real-time data monitoring.

Singh et al. [85] studied cyberattack detection in wide-area power systems with machine learning tools. SP techniques such as VMD are used for feature extraction while DT is used for classification. The previously described IEEE 39-bus system is involved in the ML model assessment process [54]. Similar to the previously discussed works on conventional ML tools, they lack dynamic adaptation and online learning, which is much needed in terms of real-time online monitoring and algorithm updates.

Cao et al. [86] used ensemble learning techniques for FDI attack detection in power systems. Well-structured data preprocessing steps including cleaning, filling missing data, and dimensionality reduction have been involved along with the learning model to achieve a better prediction process and to ensure security integrity in the cyberphysical system. They constructed an ensemble classifier, namely, Focal-Loss-Lightgbm (FLL), which turns weak classifiers into strong ones by contributing to a single learning process. The used dataset was created at the Oak Ridge National Laboratory (ORNL). The dataset includes measurements of an electrical transmission system with different characteristics of normal behaviors, disturbance control, and cyberattacks. Measurements include synchrophasor measurements and data logs from Snort, a simulated control panel, and relays [87]. The algorithm application shows promising performance for its application to real-world plants. Nevertheless, ensemble learning always remains computationally expensive. Even though computer technologies are continuously improving, data is also heading towards more complexity and rapid growth.

Ahmed et al. [58] followed an unsupervised learning scheme to detect covert data integrity assaults on a SG. They explored non-labeled data retrieved from the previously described IEEE 14-bus, 39-bus, 57-bus, and 118-bus systems to be able to judge the accuracy of the model when detecting attacks. PCA and ISOF are involved in dimensionality reduction and attack detection respectively. Their small-scale models are able to achieve high accuracy in data classification. However, there is still a lack of real data, since the study relies on simulation models, which may not be good generalizers.

Wu et al. [88] used ELM theories to train a series of feedforward networks for the prediction of FDI attacks. In this context, IEEE benchmarks including the aforementioned IEEE 14-bus, 57-bus, and 118-bus systems have been used for their model evaluation. To ensure better weight tuning, Gaussian Random Distribution (GRD) and Latin Hypercube (LH) are used to generate initial input weights of the ensemble of ELMs. Before feeding the ELMs, a bad data identification method based on Contaminated State Separation (CSS) is involved to label samples. ELM is an excellent method for training feed-forward networks, especially when it comes to reducing algorithmic complexity. The only problem it faces is that the model structure must be large enough, which makes the number of coefficients in the model large as well and in turn forces the training sets to be large.

Table 5 summarizes these ML models in more detail on the types of attacks studied and the used datasets and systems. Similar to the work that was explored in the section on data availability, there is a clear lack of real data for different applications. This is a significant problem for studies limited to simulation models and makes it difficult to judge their generalizability. In this case, ensemble learning and DT algorithms are well discussed under IEEE benchmarks and FDI attacks.

Table 5. Conventional ML for data integrity in SGs.

| Reference | ML Tools | Attack type | System/Dataset |
| --- | --- | --- | --- |
| Bhusal et al. [78] | RF and LR | FDI | 240-node system (Midwest USA) [79]; IEEE 123-node system [80] |
| Soltan et al. [81] | PBR | FDI | Linear DC power flow model [81], [82] |
| Wang et al. [83] | SVM and DT | DoS | IEEE 39-bus system [54] |
| Ravikumar et al. [84] | KNN and DT | Pulse, ramp, relay-trip and replay | 2-area of 4-machine power system |
| Singh et al. [85] | VMD and DT | FDI | IEEE 39-bus system [54] |
| Cao et al. [86] | Ensemble FLL | FDI | Industrial control systems [87] |
| Ahmed et al. [58] | PCA and ISOF | FDI | IEEE 14-bus, 39-bus, 57-bus, and 118-bus systems |
| Wu et al. [88] | CSS, GRD, LH and ensemble ELM | FDI | IEEE 14-bus, 57-bus, and 118-bus systems [56] |
| Most discussed | DT and ensemble learning | FDI | IEEE-bus systems |

3.2.2. Advanced deep learning

In recent publications, especially as IoT technologies witness a huge amount of important data (i.e., the big data era) that dynamically changes over time, the necessity for more complex preprocessing leads to the investigation of deep learning tools more than conventional ML. As a result, data integrity has received special attention in this context through deep networks.

Dehghani et al. [89] combined deep learning methods with Wavelet Transform (WT) and SVD for the diagnosis of DC microgrids and the detection of FDI attacks. They involved data recorded from a small electrical power grid to achieve model reconstruction. The deep network was built as a sort of Deep Belief Network (DBN) that combines generative models (i.e., AEs) and discriminative models (i.e., Softmax layer) under a unified loss term. AEs have the advantage of feature reconstruction, which, unlike any mapping, allows for measuring the quality of the results and determining whether important features are lost when moving to another space. Indeed, this gave additional performance characteristics to the learning model as a mechanism for selecting meaningful representations.

In the work of Gómez et al. [90], a real data anomaly detection dataset retrieved from an electric traction substation control system is proposed. The industrial control system is designed for monitoring railway industrial systems. The most attractive thing about the dataset is the fact that it is designed to emulate real threats such as FDI, reconnaissance, and replay attacks. The dataset is posted on the Web to allow data-driven studies on cyberattacks [91]. According to [90] and compared to other available datasets, their data is the only one that provides a more meaningful application and is more capable of replicating real-world security problems by studying the most used industrial control protocols such as Modbus and s7comm (see Gómez et al. [90], Table 1).

Hao et al. [92] proposed a hybrid ML model that integrates a Seasonal AutoRegressive Integration Moving Average (SARIMA) model with a dynamically adjusted threshold and LSTM for FDI detection. The algorithm was validated using a realistic testbed of three typical systems, namely power generation systems, gas pipeline systems, and urban rail systems, for a range of scenarios including cyberattacks, malicious operating behavior, and network anomalies. The adaptive thresholding algorithm is used to label data whereas LSTM is used for supervised learning. LSTM is a good choice because it has the advantage of sequential learning with a forgetting mechanism, allowing systems to always be compatible with data change.

Albarakati et al. [93] proposed an ensemble learning algorithm for SG cyberattacks and/or anomalies. The entire prediction algorithm fuses results received from different learning units. Three different units are identified by three different deep learning algorithms, namely LSTM, RNN, and Gated Recurrent Unit (GRU), where each unit is separately connected to an AE. Experimental investigations were carried out on the previously mentioned IEEE 9-bus system under the IEC 62351-7 standard. It can be seen that their learning pattern follows feature mappings with AEs and adaptive deep learning units with powerful dynamism. It definitely leads to great performance but an expensive training process.

Li et al. [94] used a multilayer LSTM for the diagnosis of current-voltage time series waveform data to detect any possible data integrity attack in PV systems. A simulation model of a solar farm power grid was used to analyze the proposed algorithm. In this particular case, the multilayer architecture allows deeper representations, leading to an in-depth solution adapted to the approximation process, but remains a huge consumer of computing resources.

In the study of Karimipour et al. [95], a combination of the Symbolic Dynamic Filtering (SDF) method and RBM techniques for cyberattack detection is investigated. The full process was based on unsupervised learning to distinguish between fault line patterns and those related to cyberattacks. After the data labeling process, the Restricted Boltzmann Machines (RBMs) are used to fine-tune a DBN for the classification process. Many classification metrics have been adopted to confirm the accuracy of the approach. It should be mentioned that the study was conducted on several IEEE benchmarks including the previously mentioned bus systems such as the IEEE 39-bus [54], IEEE 118-bus [56], and IEEE 2848-bus systems.

Yan et al. [96] applied an attack detection algorithm to a power generation system. The algorithm involves two main features, more specifically, a Denoising AE (DAE) and an ELM classifier. Data labeling (i.e., normal and abnormal samples) was done via division-based threshold identification. The machine learning model was evaluated using twelve datasets. Among them, one is generated from a simulation model while the others are realistic ones. These datasets are related to high power gas turbines of combined cycle power plants.

Wang et al. [97] used a deep AE for data manipulation attacks. They implemented an IEEE 9-bus test system to generate enough data for ML model reconstruction and validation. After that, a thresholding process is used to distinguish between good and bad data (i.e., data that probably holds attack patterns).

Sawas et al. [98] proposed two methods for FDI attack detection in power integration and gas system. The first method is based on input feature extraction from the monitoring system and classification, using WT and CNN respectively. In the second method, a hybrid unsupervised ANN is used to detect attacks on the output side (i.e., information sent to the physical layer for resilient control of the system). The previously discussed IEEE 30-bus [57] was the main evaluation criterion.

Ismail et al. [99] investigated electricity thefts on the distributed generation side, which is completely new compared to previous works that basically studied the consumption side. In their study, they investigate several types of data including data from distributed generation smart meters from Ontario, Canada [100], meteorological data, and SCADA data. Their study proved that a combination of CNN mapping and RNN learning was very accurate.

Table 6 provides more details about the discussed deep networks and the used datasets or simulation systems. It also highlights that RNN variants and AEs are very useful deep learning models for data integrity security.

Table 6. Deep learning for data integrity in SGs.

| Reference | ML Tools | Attack type | System/Dataset |
| --- | --- | --- | --- |
| Dehghani et al. [89] | WT, SVD, AE, Softmax layer | FDI | Small electrical power grid |
| Gómez et al. [90] | Multiple ML and deep learning tools | FDI, replay and reconnaissance | Electra dataset [91] |
| Hao et al. [92] | SARIMA and LSTM | FDI | Realistic testbed of three typical systems |
| Albarakati et al. [93] | LSTM, RNN and GRU | Inject, capture, replay, modify, drop, and delay | IEEE 9-bus system |
| Li et al. [94] | LSTM | Abnormal data | Simulated PV system |
| Karimipour et al. [95] | SDF, RBM and DBN | FDI | IEEE 39-bus [54], IEEE 118-bus [56], and IEEE 2848-bus |
| Yan et al. [96] | DAE and ELM | Scaling, ramp, step and random attacks | 1 simulated model and 11 industrial plant datasets |
| Wang et al. [97] | Deep AE | Intrusion | IEEE 9-bus |
| Sawas et al. [98] | WT, CNN and ANN | FDI | IEEE 30-bus [57] |
| Ismail et al. [99] | CNN and RNN | FDI | Smart meters [100], meteorological, and SCADA datasets |
| Most discussed | RNN, LSTM, AE | FDI | IEEE-bus systems |

3.3. Availability attacks

In general, availability attacks are DoS attacks that can delay or completely prevent authorized individuals from accessing certain services at the time when they need them. In this context, many ML models have been developed to detect such attacks in SGs or to prevent them through mitigation. This section is devoted to introducing some important examples.

3.3.1. Conventional machine learning

Conventional ML algorithms have played a more important role than deep learning in the detection and mitigation of availability attacks. Haghighi et al. [101] designed ML-based firewall software that automatically adjusts its parameters and writes appropriate preventive rules in a way that reduces false alarms. The 1999 International Knowledge Discovery and Data Mining Tools Competition (KDD Cup’99) was developed by the MIT Lincoln Laboratory in 1999 and simulated in a military network environment for intrusion detection purposes [102]. The firewall algorithm adopts an ML architecture that involves an improved SVM iteratively trained to perform the classification process. Giving such a characteristic to SVM models accommodates any changes in the data behavior. This is very important, especially when the SVM goes through an inexpensive training process. Lou et al. [103] proposed an approach to assess and mitigate the impact of attacks on power grid controllers. A hybrid ML algorithm is constructed to perform two main missions. The first mission is system state safety classification, while the second is the reduction of false negatives when detecting unsafe patterns. They applied their ML approach to estimate the impact of the attack on the automatic power grid generation control, where they developed a mitigation system able to automatically restore security settings. They also successfully applied their evaluation approach to a thermal power plant control system. Additional simulations on an IEEE 37-bus system and a thermal power plant control system were conducted to assess the effectiveness of the proposed hybrid approach. Cui et al. [104] developed an ML-based cyberthreat detection algorithm that allows the assessment of load forecasting information delivered to the control board. In this case, the raw data files can be obtained directly from ISO New England [105]. K-means clustering labels the learning data and sends them to an ANN for supervised load forecasting. Naive Bayes (NB) is used to estimate/detect any possible cyberthreats in the forecasting measurements, where dynamic programming is necessary. Accordingly, dynamic adaptation towards data dynamism helps the model update to new changes in load condition, leading to a better active generalization process. Ahmadi et al. [106] proposed an ensemble learning algorithm that is able to dynamically detect line rating in smart power grids even in the presence of severe FDI cyberattacks. This study mainly investigated the Ghadamgah and Binalood wind farms, and an ensemble of DTs was used as the main architecture of the prediction model. Upadhyay et al. [107] used Gradient Boosting Feature Selection (GBFS) based on Weighted Feature Importance (WFI) for appropriate feature selection rather than optimal hyperparameter tuning when classifying attack patterns in SGs. Feature selection results are fed into an ensemble of DTs to train the best classifiers. The model adopts data obtained from the SCADA system, where applications witness a higher level of accuracy. Datasets include measurements related to normal, disturbance, control, and cyber-attack behaviors with respect to the electrical transmission system in the power grid [108]. Nader et al. [109] employed Support Vector Data Description (SVDD) and Kernel PCA (KPCA). The kernel mapping function used was the RBF function, where the minimization problem was investigated under norm optimizations. Optimizing different norms requires experimenting with a variety of data representations with different degrees of sparsity. Accordingly, testing is performed on actual gas pipeline testbed data from the Mississippi State University SCADA lab [110] and the water treatment plant dataset from the UCI repository [111]. Ustun et al. [112] used ANN, DT, Extremely Randomized Trees (XRT), and Random Forest (RF) to build an intrusion detection system for SGs. They then used the previously introduced IEEE 14-bus system to assess the accuracy of their model [50], where IEC 61850 protocols were the main standards of communication between the SG cyber and physical layers. This study concluded that RF and XRT are the best ML architectures that could give promising results for future cybersecurity. Aflaki et al. [113] introduced a new hybrid method for detecting attacks aimed at malicious control of SG power plants. An unsupervised hierarchical clustering process is adopted to determine two types of attacks, namely FDI and DoS. The DT regressor is then involved in mitigating different types of cyberthreats, where the adaptive estimation of the power system state is performed by Kalman filters. IEEE benchmarks such as the 9-bus and 14-bus [50] have also been considered.

Table 7 summarizes the recent work reviewed on conventional ML for availability attacks. It shows that SVM, DT, and ANN and their variants are the most discussed algorithms under simulation models such as IEEE systems.

Table 7. Conventional ML for data availability in SGs.

| Reference | ML Tools | Attack type | System/Dataset |
|---|---|---|---|
| Haghighi et al. [101] | SVM | FDI | KDD Cup’99 [102] |
| Lou et al. [103] | ELM | Time delay | IEEE 37-bus and a thermal power dataset [114], [115] |
| Cui et al. [104] | K-means, ANN and NB | FDI | Load forecasting [105] |
| Ahmadi et al. [106] | Ensemble DT | FDI | Ghadamgah and Binalood wind farms |
| Upadhyay et al. [107] | GBFS, WFI and ensemble DT | Intrusion | SCADA data of a power grid system [108] |
| Nader et al. [109] | SVDD and KPCA | Intrusion | Gas pipeline testbed [110] and water treatment plant [111] |
| Ustun et al. [112] | ANN, DT, XRT and RF | Intrusion | IEEE 14-bus [50] |
| Aflaki et al. [113] | Hierarchical clustering, DT, and Kalman filters | FDI and DoS | IEEE 9-bus and IEEE 14-bus [50] |
| Most discussed | SVM, DT and ANN | FDI | IEEE bus systems |

3.3.2. Advanced deep learning

Since attacks against availability are more related to DoS, which is basically associated with some sort of delay to authorized access or decision, adaptive deep learning under complex criteria has a superior advantage. Accordingly, Wang et al. [75] developed a deep learning model for sparse cyberattack detection in SG networks. The model was built to work with both complete and incomplete data. In this context, thresholding-based interval estimation is formulated as an optimization problem. Deep extractors such as Stacked AEs (SAEs) are deployed for nonlinear mapping, and LR is then used for the approximation process. Previously discussed IEEE benchmarks, including IEEE 9-bus, 14-bus [50], 30-bus [57], and 118-bus [56] simulation systems, were used for this study, where experimental parameters are obtained from MATPOWER [116]. In the work of Ali et al. [42], Stacked DAEs (SDAEs) are used for learning robust attack patterns, while the Multiple Kernel Learning (MKL) algorithm is used for the supervised fine-tuning process. The performance of the proposed approach is evaluated using two different datasets and compared against several well-known types of ML models, which proved its classification capability. The first is the UNB ISCX dataset, designed to create data-based methods related to intrusion detection. In this study, the IDE2012 evaluation subset was used. Specifically, the June 11 testbed named IDE2012/11 and the June 16 testbed named IDE2012/16 were selected to carry out experiments [52]. The second is the UNSW-NB15 [41] dataset developed by the Australian Center for cybersecurity using the IXIA PerfectStorm platform [53]. Shereen et al. [117] proposed an intelligent data-driven approach for detecting time synchronization attacks on phasor measurement units in SGs. A simulation model based on physical interpretations was therefore developed to assess the ML model. Correlation analysis was used as a preprocessing step before feeding training data into data-driven models (i.e., detectors, AEs, and RF algorithms) for the classification process. Siniosoglou et al. [118] proposed a deep learning-based Generative Adversarial Network (GAN) for classifying both operational anomalies and cyberattacks in SGs. The generative model depends on an AE to enhance generated examples, while the discriminator is a sort of DBN. The model was validated on four datasets from the SPEAR project [119], where different types of data including Modbus/TCP network, DNP3 network, and operational data are involved. These datasets are provided from four SG environments, namely SG laboratory, substation, hydropower plant, and power plant. In this case, a wide range of cyberattacks are discussed for both Modbus/TCP and DNP3 protocols (see [118], Tables 1 and 2). Vinayakumar et al. [120] carried out a comparative study between an improved Deep Neural Network (DNN) of their own and conventional machine learning when detecting several types of malicious attacks. Their study revolves around multiple well-known SGs datasets (i.e., KDD-Cup 99, NSL-KDD, UNSW-NB15, Kyoto, WSN-DS, and CICIDS 2017) and proves the effectiveness of their method when detecting intrusions. Table 8 gives a more detailed description of these methods. Analysis of published papers in data availability security, specifically for deep learning tools, shows that a lot of real-world datasets have been discussed. This has the advantage of approaching realistic conclusions on this topic.

Table 8. Deep learning for data availability in SGs.

| Reference | ML Tools | Attack type | System/Dataset |
|---|---|---|---|
| Wang et al. [75] | SAEs and LR | FDI | IEEE 9-bus, 14-bus [50], 30-bus [57], 118-bus [56], and MATPOWER [116] |
| Ali et al. [42] | SDAEs and MKL | Intrusion | UNB ISCX [52] and UNSW-NB 15 [53] |
| Shereen et al. [117] | Detectors, AEs and RF | FDI | Model-based system |
| Siniosoglou et al. [118] | GAN and DBN | Multiple (see [118], Table 1 and Table 2) | 4 datasets from the SPEAR project [119] |
| Vinayakumar et al. [120] | DNN | Multiple | KDD-Cup 99, NSL-KDD, UNSW-NB15, Kyoto, WSN-DS and CICIDS 2017 |
| Most discussed | AEs | FDI | Realistic datasets |

4. Discussion, drawbacks, and challenges

This section provides a general outcome of this review-based study, together with model efficiency. In this context, instead of analyzing all the cited works, bringing out the “most discussed” parts from each table (Tables 3 to 8) will be more useful for readers. Accordingly, Table 9 is introduced for this purpose, from which the following important conclusions are drawn for SG cybersecurity:

1. Across the various CIA attributes, ML application in cybersecurity revolves around the use of IEEE benchmarks, except when using deep learning tools under data availability security, where more realistic analysis is provided.
2. The most discussed tools in the cybersecurity of SGs are ANN and its variants.
3. FDI attacks are the most considered type of attacks.

With respect to model efficiency, three main metrics, namely adaptive learning, data realisticity, and representation learning, are considered. These metrics are inspired by the flowchart in Figure 2, which is tightly related to data drift, data availability, and data complexity. As a result, the following conclusions are drawn (Table 9):

1. Application of advanced deep learning techniques in any of the CIA attributes always brings more effective solutions than conventional ML techniques.
2. Application of advanced deep learning techniques to secure data availability in SGs in terms of FDI detection yielded the best results in terms of approximating reality.

Table 9. Global view and efficiency of ML tools in cybersecurity of SGs.

| CIA attributes | ML categories | ML Tools | Attack type | System/Dataset | Efficiency: adaptive learning | Efficiency: data realisticity | Efficiency: representation learning |
|---|---|---|---|---|---|---|---|
| Confidentiality | Conventional ML | ANN | FDI and spoofing | IEEE-bus systems | | | |
| Confidentiality | Advanced deep learning | RNN and its variant (LSTM) and AEs | FDI | IEEE-bus systems | | | |
| Integrity | Conventional ML | DT and ensemble learning | FDI | IEEE-bus systems | | | |
| Integrity | Advanced deep learning | RNN, LSTM, and AE | FDI | IEEE-bus systems | | | |
| Availability | Conventional ML | SVM, DT, and ANN | FDI | IEEE-bus systems | | | |
| Availability | Advanced deep learning | AEs | FDI | Realistic datasets | | | |

After an overview of the tools discussed in the literature, it is now necessary to dig a little deeper for more details. If we consider the real behavior of SG data, namely rapid growth in volume, speed, and variety, these methods have some limitations that decrease their performance. For instance, concerning conventional ML works, small-scale ML models are helpful, especially when they do not require a lot of computational resources. However, they generally lack the dynamic adaptation characteristic, which is essential when processing this type of data. In this case, only a few studies considered these features, such as SVM in [83] and SARIMA in [92]. Besides, and generally speaking, conventional ML models also lack online learning features, except for a few examples such as OSELM in [40]. When it comes to deep learning variants, e.g., DBN, CNN, AEs, and LSTM, the algorithmic complexity increases tremendously and such an application will be computationally expensive in terms of reconstruction and repeating experiments. Also, CNN variants such as in [76], [99], DBN in [89], and AEs in [72], [75] are not adaptive algorithms and cannot drive parameter updates to new samples and delete old information. In studying the two classes of ML models, it was noticed that reinforcement learning is not discussed. Indeed, reinforcement learning is the way to decide control and mitigation decisions in such a security monitoring process.

Additionally, and more generally, when analyzing Tables 1 to 9 we can notice that ML studies have been widely deployed in the diagnosis and mitigation of cybersecurity attacks. Going a step further, we can also see that ML models deal with integrity threats more specifically than other types. This provides an important conclusion about the most important threats in SGs. Some shortcomings can also be drawn in this case. For instance, most of the studies encountered have been applied to simulation models, whether IEEE systems or other self-designed physical models. This limits the studies to conditions that are not similar to real cases. Additionally, and unlike real cases where the security system has no previous knowledge of the attack/attacker goals, in most of the studies specific types of threats have been injected with user knowledge, paving the way to detect this type. Moreover, these studies do not consider the hacker (cybercriminal) degrees (e.g., black and grey hat hackers) when injecting their attacks into transmission lines. In this case, the ML model should have prior knowledge about this important information to be more flexible against cyberattacks. Learning models are also generally trained offline on specific, already prepared and well-organized data, which is not the case in real-world applications where data arrives sequence-by-sequence and the security system attempts to mitigate the threats at the same moment (real-time interaction between the security system and the cybercriminal). Besides these shortcomings, real-time monitoring generally requires adaptive learning that dynamically adapts its parameters to continuously changing data. This is not the case in most of the trained models.
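
The gap described in this paragraph, between a model trained once offline and one that keeps adapting to changing data, can be shown with an added example (not code from any of the reviewed papers). A detector fitted on an initial window is compared with an exponentially weighted detector on a constructed load stream that drifts slowly and contains one injected offset; the signal, attack window, 4-sigma threshold and forgetting factor are all assumptions chosen for illustration.

```python
"""Static (offline-trained) vs. adaptive (online) detection on a drifting stream.

Every signal parameter below is constructed for illustration; none comes from
a dataset or model cited in the review.
"""
import math
import statistics

TRAIN_END = 100             # samples available for offline training
ATTACK = range(450, 470)    # constructed false-data-injection window
ATTACK_BIAS = 15.0          # constructed injected offset (MW)
K_SIGMA = 4.0               # alarm threshold in standard deviations


def load_stream(n=600):
    """Constructed load measurements (MW): slow growth + 24-sample cycle + noise."""
    stream = []
    for t in range(n):
        trend = 100.0 + 0.05 * t                        # legitimate data drift
        cycle = 2.0 * math.sin(2 * math.pi * t / 24)    # daily-like pattern
        noise = ((t * 37) % 11 - 5) * 0.2               # deterministic, in [-1, 1]
        bias = ATTACK_BIAS if t in ATTACK else 0.0
        stream.append(trend + cycle + noise + bias)
    return stream


class StaticDetector:
    """Mean and std learned once on the training window, never updated."""

    def __init__(self, train):
        self.mean = statistics.fmean(train)
        self.std = statistics.pstdev(train)

    def step(self, x):
        return abs(x - self.mean) > K_SIGMA * self.std


class AdaptiveDetector:
    """Exponentially weighted mean/variance; alpha sets how fast old data is forgotten."""

    def __init__(self, train, alpha=0.05):
        self.mean = statistics.fmean(train)
        self.var = statistics.pvariance(train)
        self.alpha = alpha

    def step(self, x):
        residual = x - self.mean
        alarm = abs(residual) > K_SIGMA * math.sqrt(self.var)
        if not alarm:
            # Learn only from samples judged normal, so injected values
            # do not pull the baseline towards the attack.
            self.mean += self.alpha * residual
            self.var = (1 - self.alpha) * self.var + self.alpha * residual ** 2
        return alarm


def evaluate():
    """Run both detectors over the post-training stream and count alarms."""
    stream = load_stream()
    train = stream[:TRAIN_END]
    detectors = {"static": StaticDetector(train), "adaptive": AdaptiveDetector(train)}
    report = {}
    for name, det in detectors.items():
        false_alarms = detected = 0
        for t in range(TRAIN_END, len(stream)):
            alarm = det.step(stream[t])
            if t in ATTACK:
                detected += alarm
            else:
                false_alarms += alarm
        report[name] = {"false_alarms": false_alarms, "detected": detected}
    return report


if __name__ == "__main__":
    for name, counts in evaluate().items():
        print(name, counts)
```

Freezing updates on alarm keeps injected values out of the baseline, but the same policy would lock the detector out after a legitimate step change in load, so a deployment needs a re-baselining path.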

If we follow the proposed flowchart in Figure 2 and project our case of scarcity (unavailability) of real datasets onto it, we can see that we have gone beyond generative models and domain adaptation. Besides, deep complex learning with backpropagation in real-time training, specifically under the IoT connectivity bandwidth of cyberphysical systems, is a very expensive process in terms of computational costs. Furthermore, and most importantly, FDI attacks are generally considered the primary ones. This limits the coverage of the studies carried out, which do not consider more realistic attacks such as replay and reconnaissance, except in Gómez et al. [90]. More generally, only a few studies consider the connection protocols used in IIoT such as MQTT, ICS, and Modbus, such as Gómez et al. [90] and Vaccari et al. [121].

5. Future research directions

By way of perspective, and in an attempt to remedy the effects of these drawbacks, we propose the following solutions or alternatives:

1. If real data is still difficult to collect, Virtual Reality (VR) based simulation of cyberattacks will be helpful to gather important features similar to real ones (see Suomalainen et al. [122], §1, ¶ 2).
2. VR can also provide a possible solution by involving reinforcement learning. Besides, ML experts will not be able to assume the type of attack, which is similar to real problems.
3. VR for real-time simulation of hacker degrees will be of great advantage to generalize the ML models by simulating virtual cybercrime scenes.
4. In this case, transfer learning must be involved to transfer information from models trained on VR/real datasets to simulation models or vice versa.
5. Involving powerful generative models such as GANs will help to extract new examples from data.
6. Reducing computational cost by developing simpler and more effective training tools than traditional Backpropagation algorithms, especially when training deep networks.
7. To remedy the algorithmic complexity of deep learning and Backpropagation, simple training algorithms with adaptive learning features and compatibility with deep architectures, such as ELM and Neural network with an Augmented Hidden Layer (NAHL), can be investigated [123].
8. To contribute to more realistic studies, well-known industrial control protocols, as well as IoT and IIoT, should be discussed and more datasets should be available in this context.
9. Additionally, the main issue discussed in the presented ML works on cybersecurity is privacy preservation of data following the CIA triad in a sort of decentralized/centralized learning. However, one very important aspect that has not been discussed is privacy preservation of the ML model itself. Future works must also consider decentralized federated learning to protect the attack modeling process and provide more security precautions.

Finally, we believe that by following this scheme, more realistic conclusions will be drawn and results will more closely approximate the needs of real-world applications.

6. Conclusion

This review-based study discussed ML tools, covering both conventional and advanced deep learning models, according to the available literature on SG cybersecurity. It provided a classification of these models under the umbrella of the CIA triad. It also gave information about the types of possible threats discussed and the simulation models and datasets used. In this context, we concluded that most of the targeted attacks in these studies threaten the integrity of data in SGs. Deep learning models and conventional ML both receive much attention in this case. Additionally, deep learning models in data availability security have shown high effectiveness. Discussion of these methods has revealed many drawbacks, the most serious of which have been listed. Finally, an important future direction should be federated learning, which could lead to better privacy preservation of SG cybersecurity modeling.

References

[1] T. Berghout, M. Benbouzid, T. Bentrcia, X. Ma, S. Djurović, and L.-H. Mouss, “Machine Learning-Based Condition Monitoring for PV Systems: State of the Art and Future Prospects,” Energies, vol. 14, no. 19, p. 6316, Oct. 2021, doi: 10.3390/en14196316.
[2] M. Benbouzid, T. Berghout, N. Sarma, S. Djurović, Y. Wu, and X. Ma, “Intelligent Condition Monitoring of Wind Power Systems: State of the Art Review,” Energies, vol. 14, no. 18, p. 5967, 2021, doi: 10.3390/en14185967.
[3] A. Ghasempour, “Internet of Things in Smart Grid: Architecture, Applications, Services, Key Technologies, and Challenges,” Inventions, vol. 4, no. 1, p. 22, Mar. 2019, doi: 10.3390/inventions4010022.
[4] A. R. Khattak, S. A. Mahmud, and G. M. Khan, “The Power to Deliver: Trends in Smart Grid Solutions,” IEEE Power Energy Mag., vol. 10, no. 4, pp. 56–64, Jul. 2012, doi: 10.1109/MPE.2012.2196336.
[5] I. A. Hiskens, “What’s smart about the smart grid?,” in Proceedings of the 47th Design Automation Conference on - DAC ’10, 2010, p. 937, doi: 10.1145/1837274.1837510.
[6] A. Kavousi-Fard, W. Su, and T. Jin, “A Machine-Learning-Based Cyber Attack Detection Model for Wireless Sensor Networks in Microgrids,” IEEE Trans. Ind. Informatics, vol. 17, no. 1, pp. 650–658, 2021, doi: 10.1109/TII.2020.2964704.
[7] A. L. Russell, “The Physical Layer,” in Strategic A2/AD in Cyberspace, Cambridge: Cambridge University Press, 2017, pp. 26–39.
[8] I. Priyadarshini, “Introduction on Cybersecurity,” in Cyber Security in Parallel and Distributed Computing, Hoboken, NJ, USA: John Wiley & Sons, Inc., 2019, pp. 1–37.
[9] L. L. Dhirani, E. Armstrong, and T. Newe, “Industrial IoT, Cyber Threats, and Standards Landscape: Evaluation and Roadmap,” Sensors, vol. 21, no. 11, p. 3901, Jun. 2021, doi: 10.3390/s21113901.
[10] S. Tufail, I. Parvez, S. Batool, and A. Sarwat, “A survey on cybersecurity challenges, detection, and mitigation techniques for the smart grid,” Energies, vol. 14, no. 18, pp. 1–22, 2021, doi: 10.3390/en14185894.
[11] J. Tian, B. Wang, T. Li, F. Shang, and K. Cao, “Coordinated cyber‐physical attacks considering DoS attacks in power systems,” Int. J. Robust Nonlinear Control, vol. 30, no. 11, pp. 4345–4358, Jul. 2020, doi: 10.1002/rnc.4801.
[12] H. Tu, Y. Xia, C. K. Tse, and X. Chen, “A Hybrid Cyber Attack Model for Cyber-Physical Power Systems,” IEEE Access, vol. 8, pp. 114876–114883, 2020, doi: 10.1109/ACCESS.2020.3003323.
[13] E. Conrad, S. Misenar, and J. Feldman, “Domain 7: Operations Security,” in Eleventh Hour CISSP, Elsevier, 2014, pp. 117–133.
[14] X. G. Shan and J. Zhuang, “A game-theoretic approach to modeling attacks and defenses of smart grids at three levels,” Reliab. Eng. Syst. Saf., vol. 195, p. 106683, Mar. 2020, doi: 10.1016/j.ress.2019.106683.
[15] S. M. Debb, “Keeping the Human in the Loop: Awareness and Recognition of Cybersecurity Within Cyberpsychology,” Cyberpsychology, Behav. Soc. Netw., vol. 24, no. 9, pp. 581–583, Sep. 2021, doi: 10.1089/cyber.2021.29225.sde.
[16] X. Zheng, Y. Zhu, and X. Si, “A Survey on Challenges and Progresses in Blockchain Technologies: A Performance and Security Perspective,” Appl. Sci., vol. 9, no. 22, p. 4731, Nov. 2019, doi: 10.3390/app9224731.
[17] N. M. Kumar and P. K. Mallick, “Blockchain technology for security issues and challenges in IoT,” Procedia Comput. Sci., vol. 132, pp. 1815–1823, 2018, doi: 10.1016/j.procs.2018.05.140.
[18] N. Wang et al., “When Energy Trading Meets Blockchain in Electrical Power System: The State of the Art,” Appl. Sci., vol. 9, no. 8, p. 1561, Apr. 2019, doi: 10.3390/app9081561.
[19] S. Alatawi, A. Alhasani, S. Alfaidi, M. Albalawi, and S. M. Almutairi, “A Survey on Cloud Security Issues and Solution,” in 2020 International Conference on Computing and Information Technology (ICCIT-1441), Sep. 2020, pp. 1–5, doi: 10.1109/ICCIT-144147971.2020.9214397.
[20] I. D. Aiyanyo, H. Samuel, and H. Lim, “A Systematic Review of Defensive and Offensive Cybersecurity with Machine Learning,” Appl. Sci., vol. 10, no. 17, p. 5811, Aug. 2020, doi: 10.3390/app10175811.
[21] M. N. Al-Mhiqani et al., “A Review of Insider Threat Detection: Classification, Machine Learning Techniques, Datasets, Open Challenges, and Recommendations,” Appl. Sci., vol. 10, no. 15, p. 5208, Jul. 2020, doi: 10.3390/app10155208.
[22] R. V. Yohanandhan, R. M. Elavarasan, P. Manoharan, and L. Mihet-Popa, “Cyber-Physical Power System (CPPS): A Review on Modeling, Simulation, and Analysis With Cyber Security Applications,” IEEE Access, vol. 8, pp. 151019–151064, 2020, doi: 10.1109/ACCESS.2020.3016826.
[23] F. Nejabatkhah, Y. W. Li, H. Liang, and R. R. Ahrabi, “Cyber-security of smart microgrids: A survey,” Energies, vol. 14, no. 1, 2021, doi: 10.3390/en14010027.
[24] J. Ye et al., “A Review of Cyber-Physical Security for Photovoltaic Systems,” IEEE J. Emerg. Sel. Top. Power Electron., pp. 1–23, 2021, doi: 10.1109/JESTPE.2021.3111728.
[25] E. Hossain, I. Khan, F. Un-Noor, S. S. Sikander, and M. S. H. Sunny, “Application of Big Data and Machine Learning in Smart Grid, and Associated Security Concerns: A Review,” IEEE Access, vol. 7, pp. 13960–13988, 2019, doi: 10.1109/ACCESS.2019.2894819.
[26] O. A. Alimi, K. Ouahada, and A. M. Abu-Mahfouz, “A Review of Machine Learning Approaches to Power System Security and Stability,” IEEE Access, vol. 8, pp. 113512–113531, 2020, doi: 10.1109/ACCESS.2020.3003568.
[27] A. S. Musleh, G. Chen, and Z. Y. Dong, “A Survey on the Detection Algorithms for False Data Injection Attacks in Smart Grids,” IEEE Trans. Smart Grid, vol. 11, no. 3, pp. 2218–2234, 2020, doi: 10.1109/TSG.2019.2949998.
[28] T. Kotsiopoulos, P. Sarigiannidis, D. Ioannidis, and D. Tzovaras, “Machine Learning and Deep Learning in smart manufacturing: The Smart Grid paradigm,” Comput. Sci. Rev., vol. 40, p. 100341, 2021, doi: 10.1016/j.cosrev.2020.100341.
[29] L. Cui, Y. Qu, L. Gao, G. Xie, and S. Yu, “Detecting false data attacks using machine learning techniques in smart grid: A survey,” J. Netw. Comput. Appl., vol. 170, no. August, p. 102808, 2020, doi: 10.1016/j.jnca.2020.102808.
[30] J. Jow, Y. Xiao, and W. Han, “A survey of intrusion detection systems in smart grid,” Int. J. Sens. Networks, vol. 23, no. 3, p. 170, 2017, doi: 10.1504/IJSNET.2017.083410.
[31] P. I. Radoglou-Grammatikis and P. G. Sarigiannidis, “Securing the Smart Grid: A Comprehensive Compilation of Intrusion Detection and Prevention Systems,” IEEE Access, vol. 7, pp. 46595–46620, 2019, doi: 10.1109/ACCESS.2019.2909807.
[32] Y. Xu, “A review of cyber security risks of power systems: from static to dynamic false data attacks,” Prot. Control Mod. Power Syst., vol. 5, no. 1, 2020, doi: 10.1186/s41601-020-00164-w.
[33] A. Dagoumas, “Assessing the impact of cybersecurity attacks on power systems,” Energies, vol. 12, no. 4, 2019, doi: 10.3390/en12040725.
[34] N. Huang, Z. Wu, and S. Long, “Hilbert-Huang transform,” Scholarpedia, vol. 3, no. 7, p. 2544, 2008, doi: 10.4249/scholarpedia.2544.
[35] M. Dehghani, M. Ghiasi, T. Niknam, A. Kavousi-Fard, and S. Padmanaban, “False data injection attack detection based on hilbert-huang transform in ac smart islands,” IEEE Access, vol. 8, pp. 179002–179017, 2020, doi: 10.1109/ACCESS.2020.3027782.
[36] H. Cui, X. Dong, H. Deng, M. Dehghani, K. Alsubhi, and H. M. A. Aljahdali, “Cyber Attack Detection Process in Sensor of DC Micro-Grids Under Electric Vehicle Based on Hilbert–Huang Transform and Deep Learning,” IEEE Sens. J., vol. 21, no. 14, pp. 15885–15894, Jul. 2021, doi: 10.1109/JSEN.2020.3027778.
[37] F. Zhang and Q. Zhou, “HHT–SVM: An online method for detecting profile injection attacks in collaborative recommender systems,” Knowledge-Based Syst., vol. 65, pp. 96–105, Jul. 2014, doi: 10.1016/j.knosys.2014.04.020.
[38] Q. Chang, X. Ma, M. Chen, X. Gao, and M. Dehghani, “A deep learning based secured energy management framework within a smart island,” Sustain. Cities Soc., vol. 70, p. 102938, Jul. 2021, doi: 10.1016/j.scs.2021.102938.
[39] J. A. Cox, C. D. James, and J. B. Aimone, “A Signal Processing Approach for Cyber Data Classification with Deep Neural Networks,” Procedia Comput. Sci., vol. 61, pp. 349–354, 2015, doi: 10.1016/j.procs.2015.09.156.
[40] C. Dou, D. Wu, D. Yue, B. Jin, and s Xu, “A hybrid method for false data injection attack detection in smart grid based on variational mode decomposition and OS-ELM,” CSEE J. Power Energy Syst., 2020, doi: 10.17775/CSEEJPES.2019.00670.
[41] W. Qiu et al., “Cyber-Attack Identification of Synchrophasor Data Via VMD and Multi-fusion SVM,” in 2020 IEEE Industry Applications Society Annual Meeting, Oct. 2020, pp. 1–6, doi: 10.1109/IAS44978.2020.9334870.
[42] S. Ali and Y. Li, “Learning Multilevel Auto-Encoders for DDoS Attack Detection in Smart Grid Network,” IEEE Access, vol. 7, pp. 108647–108659, 2019, doi: 10.1109/ACCESS.2019.2933304.
[43] L. Chen, S. Gu, Y. Wang, Y. Yang, and Y. Li, “Stacked Autoencoder Framework of False Data Injection Attack Detection in Smart Grid,” Math. Probl. Eng., vol. 2021, pp. 1–8, Jul. 2021, doi: 10.1155/2021/2014345.
[44] S. Ahmed, Y. Lee, S.-H. Hyun, and I. Koo, “Mitigating the Impacts of Covert Cyber Attacks in Smart Grids Via Reconstruction of Measurement Data Utilizing Deep Denoising Autoencoders,” Energies, vol. 12, no. 16, p. 3091, Aug. 2019, doi: 10.3390/en12163091.
[45] C. Hu, J. Yan, and X. Liu, “Adaptive Feature Boosting of Multi-Sourced Deep Autoencoders for Smart Grid Intrusion Detection,” in 2020 IEEE Power & Energy Society General Meeting (PESGM), Aug. 2020, pp. 1–5, doi: 10.1109/PESGM41954.2020.9281934.
[46] A. Anwar, A. N. Mahmood, and M. Pickering, “Modeling and performance evaluation of stealthy false data injection attacks on smart grid in the presence of corrupted measurements,” J. Comput. Syst. Sci., vol. 83, no. 1, pp. 58–72, Feb. 2017, doi: 10.1016/j.jcss.2016.04.005.
[47] L. Wen, K. Zhou, S. Yang, and L. Li, “Compression of smart meter big data: A survey,” Renew. Sustain. Energy Rev., vol. 91, pp. 59–69, Aug. 2018, doi: 10.1016/j.rser.2018.03.088.
[48] E. P. K. Gilbert, B. Kaliaperumal, E. B. Rajsingh, and M. Lydia, “Trust based data prediction, aggregation and reconstruction using compressed sensing for clustered wireless sensor networks,” Comput. Electr. Eng., vol. 72, pp. 894–909, Nov. 2018, doi: 10.1016/j.compeleceng.2018.01.013.
[49] H. Li, R. Mao, L. Lai, and R. C. Qiu, “Compressed Meter Reading for Delay-Sensitive and Secure Load Report in Smart Grid,” in 2010 First IEEE International Conference on Smart Grid Communications, Oct. 2010, pp. 114–119, doi: 10.1109/SMARTGRID.2010.5622027.
[50] “IEEE 14-bus System.” https://icseg.iti.illinois.edu/ieee-14-bus-system/#:~:text=The IEEE 14-bus test,IEEE 14-Bus System case. (accessed May 05, 2022).
[51] Y. Liu et al., “Recent developments of FNET/GridEye — A situational awareness tool for smart grid,” CSEE J. Power Energy Syst., vol. 2, no. 3, pp. 19–27, Sep. 2016, doi: 10.17775/CSEEJPES.2016.00031.
[52] “UNB ISCX Intrusion Detection Evaluation Dataset.” http://www.unb.ca/cic/d%0Aids.html/.
[53] “UNSW-NB 15 Dataset.” http://www.ucd.ie/issda/data/commissionforenergyregulationcer/.
[54] T. Athay, R. Podmore, and S. Virmani, “A Practical Method for the Direct Analysis of Transient Stability,” IEEE Trans. Power Appar. Syst., vol. PAS-98, no. 2, pp. 573–584, Mar. 1979, doi: 10.1109/TPAS.1979.319407.
[55] “IEEE 57-bus System.” https://icseg.iti.illinois.edu/ieee-57-bus-system/#:~:text=The IEEE 57-bus test,1%5D%2C%5B2%5D. (accessed May 05, 2022).
[56] “IEEE 118-bus System.” https://icseg.iti.illinois.edu/ieee-118-bus-system/ (accessed May 05, 2022).
[57] “IEEE 30-bus System.” https://icseg.iti.illinois.edu/ieee-30-bus-system/#:~:text=The IEEE 30-bus test,not reflect the actual data.
[58] S. Ahmed, Y. Lee, S.-H. Hyun, and I. Koo, “Unsupervised Machine Learning-Based Detection of Covert Data Integrity Assault in Smart Grid Networks Utilizing Isolation Forest,” IEEE Trans. Inf. Forensics Secur., vol. 14, no. 10, pp. 2765–2777, Oct. 2019, doi: 10.1109/TIFS.2019.2902822.
[59] A. Anwar, A. N. Mahmood, and Z. Tari, “Identification of vulnerable node clusters against false data injection attack in an AMI based Smart Grid,” Inf. Syst., vol. 53, pp. 201–212, Oct. 2015, doi: 10.1016/j.is.2014.12.001.
[60] R. Geetha and T. Thilagam, “A Review on the Effectiveness of Machine Learning and Deep Learning Algorithms for Cyber Security,” Arch. Comput. Methods Eng., vol. 28, no. 4, pp. 2861–2879, Jun. 2021, doi: 10.1007/s11831-020-09478-2.
[61] T. Berghout and M. Benbouzid, “A Systematic Guide for Predicting Remaining Useful Life with Machine Learning,” Electronics, vol. 11, no. 7, p. 1125, Apr. 2022, doi: 10.3390/electronics11071125.
[62] X. Liu, J. Ospina, and C. Konstantinou, “Deep Reinforcement Learning for Cybersecurity Assessment of Wind Integrated Power Systems,” IEEE Access, vol. 8, pp. 208378–208394, 2020, doi: 10.1109/ACCESS.2020.3038769.
[63] M. N. Kurt, O. Ogundijo, C. Li, and X. Wang, “Online Cyber-Attack Detection in Smart Grid: A Reinforcement Learning Approach,” IEEE Trans. Smart Grid, vol. 10, no. 5, pp. 5174–5185, Sep. 2019, doi: 10.1109/TSG.2018.2878570.
[64] D. Singh and B. Singh, “Investigating the impact of data normalization on classification performance,” Appl. Soft Comput., vol. 97, p. 105524, Dec. 2020, doi: 10.1016/j.asoc.2019.105524.
[65] J. Shao, K. Hu, C. Wang, X. Xue, and B. Raj, “Is normalization indispensable for training deep neural network?,” in Advances in Neural Information Processing Systems, 2020, vol. 33, pp. 13434–13444, [Online]. Available: https://proceedings.neurips.cc/paper/2020/file/9b8619251a19057cff70779273e95aa6-Paper.pdf.
[66] M. Ashrafuzzaman, S. Das, Y. Chakhchoukh, S. Shiva, and F. T. Sheldon, “Detecting stealthy false data injection attacks in the smart 765
grid using ensemble-based machine learning,” Comput. Secur., vol. 97, p. 101994, Oct. 2020, doi: 10.1016/j.cose.2020.101994. 766
[67] Y. Cui, F. Bai, Y. Liu, P. L. Fuhr, and M. E. Morales-Rodriguez, “Spatio-Temporal Characterization of Synchrophasor Data Against 767
Spoofing Attacks in Smart Grids,” IEEE Trans. Smart Grid, vol. 10, no. 5, pp. 5807–5818, 2019, doi: 10.1109/tsg.2019.2891852. 768
[68] M. R. Camana Acosta, S. Ahmed, C. E. Garcia, and I. Koo, “Extremely randomized trees-based scheme for stealthy cyber-attack 769
detection in smart grid networks,” IEEE Access, vol. 8, no. Ml, pp. 19921–19933, 2020, doi: 10.1109/ACCESS.2020.2968934. 770
[69] S. Liu et al., “Model-Free Data Authentication for Cyber Security in Power Systems,” IEEE Trans. Smart Grid, vol. 11, no. 5, pp. 771
4565–4568, 2020, doi: 10.1109/TSG.2020.2986704. 772
[70] T. Poggio, H. Mhaskar, L. Rosasco, B. Miranda, and Q. Liao, “Why and when can deep-but not shallow-networks avoid the curse of 773
dimensionality: A review,” Int. J. Autom. Comput., vol. 14, no. 5, pp. 503–519, Oct. 2017, doi: 10.1007/s11633-017-1054-2. 774
[71] S. Kwon, H. Yoo, and T. Shon, “IEEE 1815.1-Based power system security with bidirectional RNN-Based network anomalous attack 775
detection for cyber-physical system,” IEEE Access, vol. 8, pp. 77572–77586, 2020, doi: 10.1109/ACCESS.2020.2989770. 776
[72] M. Keshk, B. Turnbull, N. Moustafa, D. Vatsalan, and K. K. R. Choo, “A Privacy-Preserving-Framework-Based Blockchain and Deep 777
Learning for Protecting Smart Power Networks,” IEEE Trans. Ind. Informatics, vol. 16, no. 8, pp. 5110–5118, 2020, doi: 778
10.1109/TII.2019.2957140. 779
[73] “Power systems datasets,” 2017. https://sites.google.com/a/uah.edu/tommy-morris-uah/ics-data-sets (accessed Oct. 30, 2021). 780
[74] N. Moustafa, B. Turnbull, and K.-K. R. Choo, “An Ensemble Intrusion Detection Technique Based on Proposed Statistical Flow 781
Features for Protecting Network Traffic of Internet of Things,” IEEE Internet Things J., vol. 6, no. 3, pp. 4815–4830, Jun. 2019, doi: 782
10.1109/JIOT.2018.2871719. 783
[75] H. Wang et al., “Deep Learning-Based Interval State Estimation of AC Smart Grids Against Sparse Cyber Attacks,” IEEE Trans. Ind. 784
Informatics, vol. 14, no. 11, pp. 4766–4778, Nov. 2018, doi: 10.1109/TII.2018.2804669. 785
[76] D. Yao, M. Wen, X. Liang, Z. Fu, K. Zhang, and B. Yang, “Energy Theft Detection With Energy Privacy Preservation in the Smart 786
Grid,” IEEE Internet Things J., vol. 6, no. 5, pp. 7659–7669, Oct. 2019, doi: 10.1109/JIOT.2019.2903312. 787
[77] Z. Zheng, Y. Yang, X. Niu, H.-N. Dai, and Y. Zhou, “Wide and Deep Convolutional Neural Networks for Electricity-Theft Detection to 788
Secure Smart Grids,” IEEE Trans. Ind. Informatics, vol. 14, no. 4, pp. 1606–1615, Apr. 2018, doi: 10.1109/TII.2017.2785963. 789
[78] N. Bhusal, M. Gautam, and M. Benidris, “Detection of Cyber Attacks on Voltage Regulation in Distribution Systems Using Machine 790
Learning,” IEEE Access, vol. 9, pp. 40402–40416, 2021, doi: 10.1109/ACCESS.2021.3064689. 791
[79] F. Bu, Y. Yuan, Z. Wang, K. Dehghanpour, and A. Kimber, “A Time-Series Distribution Test System Based on Real Utility Data,” in 792
2019 North American Power Symposium (NAPS), Oct. 2019, pp. 1–6, doi: 10.1109/NAPS46351.2019.8999982. 793
[80] “1992 Test Feeder Cases.” http://sites.ieee.org/pestestfeeders/resources/. (accessed May 08, 2022). 794
[81] S. Soltan, P. Mittal, and H. V. Poor, “Line failure detection after a cyber-physical attack on the grid using bayesian regression,” IEEE 795
Trans. Power Syst., vol. 34, no. 5, pp. 3758–3768, 2019, doi: 10.1109/TPWRS.2019.2910396. 796
[82] S. Soltan, M. Yannakakis, and G. Zussman, “Power Grid State Estimation Following a Joint Cyber and Physical Attack,” IEEE Trans. 797
Control Netw. Syst., vol. 5, no. 1, pp. 499–512, Mar. 2018, doi: 10.1109/TCNS.2016.2620807. 798
[83] P. Wang and M. Govindarasu, “Multi-Agent Based Attack-Resilient System Integrity Protection for Smart Grid,” IEEE Trans. Smart 799
Grid, vol. 11, no. 4, pp. 3447–3456, 2020, doi: 10.1109/TSG.2020.2970755. 800
[84] G. Ravikumar and M. Govindarasu, “Anomaly Detection and Mitigation for Wide-Area Damping Control using Machine Learning,” 801
IEEE Trans. Smart Grid, vol. 3053, no. c, pp. 1–1, 2020, doi: 10.1109/tsg.2020.2995313. 802
[85] V. K. Singh and M. Govindarasu, “A Cyber-Physical Anomaly Detection for Wide-Area Protection Using Machine Learning,” IEEE 803
Trans. Smart Grid, vol. 12, no. 4, pp. 3514–3526, 2021, doi: 10.1109/TSG.2021.3066316. 804
[86] J. Cao et al., “A Novel False Data Injection Attack Detection Model of the Cyber-Physical Power System,” IEEE Access, vol. 8, pp. 805
95109–95125, 2020, doi: 10.1109/ACCESS.2020.2995772. 806
[87] T. Morris, “Industrial Control System (ICS) Cyber Attack Datasets.” https://sites.google.com/a/uah.edu/tommy-morris-uah/ics-data-sets 807
(accessed Oct. 31, 2021). 808
[88] T. Wu et al., “Extreme Learning Machine-Based State Reconstruction for Automatic Attack Filtering in Cyber Physical Power System,” 809
IEEE Trans. Ind. Informatics, vol. 17, no. 3, pp. 1892–1904, 2021, doi: 10.1109/TII.2020.2984315. 810
[89] M. Dehghani, T. Niknam, M. Ghiasi, N. Bayati, and M. Savaghebi, “Cyber-Attack Detection in DC Microgrids Based on Deep Machine 811
Learning and Wavelet Singular Values Approach,” Electronics, vol. 10, no. 16, p. 1914, Aug. 2021, doi: 10.3390/electronics10161914. 812
[90] Á. L. P. Gómez et al., “On the Generation of Anomaly Detection Datasets in Industrial Control Systems,” IEEE Access, vol. 7, pp. 813
177460–177473, 2019, doi: 10.1109/ACCESS.2019.2958284. 814
[91] “Electra dataset: Anomaly detection ICS dataset.” http://perception.inf.um.es/ICS-datasets/ (accessed Oct. 31, 2021). 815
[92] W. Hao, T. Yang, and Q. Yang, “Hybrid Statistical-Machine Learning for Real-Time Anomaly Detection in Industrial Cyber-Physical 816
Systems,” IEEE Trans. Autom. Sci. Eng., pp. 1–15, 2021, doi: 10.1109/TASE.2021.3073396. 817
[93] A. Albarakati et al., “Security Monitoring of IEC 61850 Substations Using IEC 62351-7 Network and System Management,” IEEE 818
Trans. Ind. Informatics, vol. 3203, no. c, pp. 1–12, 2021, doi: 10.1109/TII.2021.3082079. 819
[94] F. Li et al., “Detection and Diagnosis of Data Integrity Attacks in Solar Farms Based on Multilayer Long Short-Term Memory 820
Network,” IEEE Trans. Power Electron., vol. 36, no. 3, pp. 2495–2498, 2021, doi: 10.1109/TPEL.2020.3017935. 821
[95] H. Karimipour, A. Dehghantanha, R. M. Parizi, K. K. R. Choo, and H. Leung, “A Deep and Scalable Unsupervised Machine Learning 822
System for Cyber-Attack Detection in Large-Scale Smart Grids,” IEEE Access, vol. 7, pp. 80778–80788, 2019, doi: 823
10.1109/ACCESS.2019.2920326. 824
[96] W. Yan, L. K. Mestha, and M. Abbaszadeh, “Attack Detection for Securing Cyber Physical Systems,” IEEE Internet Things J., vol. 6, 825
no. 5, pp. 8471–8481, 2019, doi: 10.1109/JIOT.2019.2919635. 826
[97] J. Wang, D. Shi, Y. Li, J. Chen, H. Ding, and X. Duan, “Distributed Framework for Detecting PMU Data Manipulation Attacks with 827
Deep Autoencoders,” IEEE Trans. Smart Grid, vol. 10, no. 4, pp. 4401–4410, 2019, doi: 10.1109/TSG.2018.2859339. 828
[98] A. M. Sawas, H. Khani, and H. E. Z. Farag, “On the Resiliency of Power and Gas Integration Resources against Cyber Attacks,” IEEE 829
Trans. Ind. Informatics, vol. 17, no. 5, pp. 3099–3110, 2021, doi: 10.1109/TII.2020.3007425. 830
[99] M. Ismail, M. F. Shaaban, M. Naidu, and E. Serpedin, “Deep Learning Detection of Electricity Theft Cyber-Attacks in Renewable 831
Distributed Generation,” IEEE Trans. Smart Grid, vol. 11, no. 4, pp. 3428–3437, 2020, doi: 10.1109/TSG.2020.2973681. 832
[100] M. M. Othman, H. M. A. Ahmed, M. H. Ahmed, and M. M. A. Salama, “A Techno-Economic Approach for Increasing the Connectivity 833
of Photovoltaic Distributed Generators,” IEEE Trans. Sustain. Energy, vol. 11, no. 3, pp. 1848–1857, Jul. 2020, doi: 834
10.1109/TSTE.2019.2943553. 835
[101] M. S. Haghighi, S. Member, and F. Farivar, “A Machine Learning-based Approach to Build Zero False-Positive IPSs for Industrial IoT 836
and CPS with a Case Study on Power Grids Security,” vol. 9994, no. c, pp. 1–9, 2020, doi: 10.1109/TIA.2020.3011397. 837
[102] “KDD Cup Dataset,” 1999. http://kdd.ics.uci.edu/databases/kddcup99/kddcup99.html (accessed Oct. 30, 2021). 838
[103] X. Lou et al., “Assessing and Mitigating Impact of Time Delay Attack: Case Studies for Power Grid Controls,” IEEE J. Sel. Areas 839
Commun., vol. 38, no. 1, pp. 141–155, Jan. 2020, doi: 10.1109/JSAC.2019.2951982. 840
[104] M. Cui, S. Member, J. Wang, S. Member, and M. Yue, “Machine Learning-Based Anomaly Detection for Load Forecasting Under 841
Cyberattacks,” vol. 10, no. 5, pp. 5724–5734, 2019. 842
[105] L. Forecasting, “The Mathworks, Inc.” https://www.mathworks.com/discovery/load-forecasting.html (accessed Oct. 30, 2021). 843
[106] A. Ahmadi, M. Nabipour, B. Mohammadi-Ivatloo, and V. Vahidinasab, “Ensemble Learning-based Dynamic Line Rating Forecasting 844
under Cyberattacks,” IEEE Trans. Power Deliv., vol. 8977, no. c, pp. 1–1, 2021, doi: 10.1109/TPWRD.2021.3056055. 845
[107] D. Upadhyay, J. Manero, M. Zaman, and S. Sampalli, “Learning Classifiers for Intrusion Detection on Power Grids,” vol. 18, no. 1, pp. 846
1104–1116, 2021. 847
[108] “U. Adhikari et al. Industrial Control System (ICS) Cyber Attack Datasets Datasets Used in the Experimentation.” 848
https://sites.google.com/a/uah.edu/tommy- morris-uah/ics-data-sets (accessed Aug. 05, 2022). 849
[109] P. Nader, P. Honeine, and P. Beauseroy, “-norms in One-Class Classi fi cation for Intrusion Detection in SCADA Systems,” vol. 10, no. 850
4, pp. 2308–2317, 2014. 851
[110] T. Morris, A. Srivastava, B. Reaves, W. Gao, K. Pavurapu, and R. Reddi, “A control system testbed to validate critical infrastructure 852
protection concepts,” Int. J. Crit. Infrastruct. Prot., vol. 4, no. 2, pp. 88–103, Aug. 2011, doi: 10.1016/j.ijcip.2011.06.005. 853
[111] C. Dua, D. and Graff, “UCI Machine Learning Repository.” . 854
[112] T. S. Ustun and S. M. S. Hussain, “Artificial Intelligence Based Intrusion Detection System for IEC 61850 Sampled Values Under 855
Symmetric and Asymmetric Faults,” vol. 9, 2021, doi: 10.1109/ACCESS.2021.3071141. 856
[113] A. Aflaki, M. Gitizadeh, R. Razavi-Far, V. Palade, and A. A. Ghasemi, “A Hybrid Framework for Detecting and Eliminating Cyber- 857
Attacks in Power Grids,” Energies, vol. 14, no. 18, p. 5823, Sep. 2021, doi: 10.3390/en14185823. 858
[114] “National Energy Grid Map.” http://www.geni.org/globalenergy/library/national_energy_grid/ (accessed Oct. 30, 2021). 859
[115] J. D. Glover, M. S. Sarma, and T. J. Overbye, Power System Analysis and Design, 5th ed. Boston, MA, USA: Cengage Learning, 2011. . 860
[116] Z. R and D. Gan, “MATPOWER: A MATLAB power system simulation package.” https://matpower.org/ (accessed Oct. 31, 2021). 861
[117] E. Shereen, S. Member, G. Dán, and S. Member, “Model-Based and Data-Driven Detectors for Time Synchronization Attacks Against 862
PMUs,” vol. 38, no. 1, pp. 169–179, 2020. 863
[118] I. Siniosoglou, P. Radoglou-grammatikis, G. Efstathopoulos, P. Fouliras, and P. Sarigiannidis, “Transactions on Network and Service 864
Management A Unified Deep Learning Anomaly Detection and Classification Approach for Smart Grid,” vol. 3, 2021, doi: 865
10.1109/TNSM.2021.3078381. 866
[119] P. R. Grammatikis et al., “Secure and Private Smart Grid: The SPEAR Architecture,” in 2020 6th IEEE Conference on Network 867
Softwarization (NetSoft), Jun. 2020, pp. 450–456, doi: 10.1109/NetSoft48620.2020.9165420. 868
[120] R. Vinayakumar, M. Alazab, S. Member, and K. P. Soman, “Deep Learning Approach for Intelligent Intrusion Detection System,” IEEE 869
Access, vol. 7, pp. 41525–41550, 2019, doi: 10.1109/ACCESS.2019.2895334. 870
[121] I. Vaccari, G. Chiola, M. Aiello, M. Mongelli, and E. Cambiaso, “MQTTset, a New Dataset for Machine Learning Techniques on 871
MQTT,” Sensors, vol. 20, no. 22, p. 6578, Nov. 2020, doi: 10.3390/s20226578. 872
[122] J. Suomalainen, A. Juhola, S. Shahabuddin, A. Mammela, and I. Ahmad, “Machine Learning Threatens 5G Security,” IEEE Access, vol. 873
8, pp. 190822–190842, 2020, doi: 10.1109/ACCESS.2020.3031966. 874
[123] T. Berghout, M. Benbouzid, S. M. Muyeen, T. Bentrcia, and L.-H. Mouss, “Auto-NAHL: A Neural Network Approach for Condition- 875
Based Maintenance of Complex Industrial Systems,” IEEE Access, vol. 9, pp. 152829–152840, 2021, doi: 876
10.1109/ACCESS.2021.3127084. 877