IEEE TRANSACTIONS ON SMART GRID, VOL. 12, NO.
3, MAY 2021
A FDI Attack-Resilient Distributed Secondary
Control Strategy for Islanded Microgrids
Yulin Chen , Donglian Qi, Member, IEEE, Hangning Dong, Chaoyong Li , Member, IEEE,
Zhenming Li, and Jianliang Zhang
Abstract—Distributed cooperative control has been used as a
preferred secondary control strategy for maintaining frequency
synchronization and voltage restoration in cyber-physical AC
microgrids due to its flexibility, scalability and better computa-
tional performance. However, such a control system is susceptible
to potential cyber attacks, i.e., false data injection (FDI) attacks.
To this end, this article introduces a hidden layer based attack-
resilient distributed cooperative control algorithm to solve the
problem of the secondary control of islanded microgrids under
FDI attacks. In comparison to the existing attack-resilient dis-
tributed control methods, the proposed controller with sufficient
large α can mitigate the adverse effects of time dependent FDI
attacks on actuators, sensors and communication links of the con-
trol system, and is also robust to state dependent FDI attacks.
Furthermore, the algorithm is applicable even when all DGs and
communications are compromised. Finally, the efficiency of the
proposed controller is evaluated for a test microgrid with 4 DGs
under different types of attack.
Index Terms—AC microgrids, distributed control, attack-
resilient control, secondary control.
I. I NTRODUCTION
ITH advanced computing and communication compo-
W nents being equipped extensively, active power dis-
tribution systems have evolved into Cyber-Physical Systems
(CPSs) with tight integration and cooperation between cyber
and electrical spaces [1], [2]. AC microgrids (MGs), as
the important constituents in active distribution system, can
facilitate the penetration of renewable-energy generated by dis-
tributed generators (DGs), and can also maintain local power
supply by managing the internal power independently when
operating at islanded mode. As for the control structure of
MGs, the hierarchical control is a standardized framework,
which is typically classified into three layers, i.e., the primary,
secondary, and tertiary control levels [3], [4]. The function of
primary control is to balance the power generation and the
load demand through droop mechanism. The secondary con-
trol is to compensate the derivation of frequency and voltage
Manuscript received February 21, 2020; revised August 17, 2020 and
November 5, 2020; accepted December 24, 2020. Date of publication
December 29, 2020; date of current version April 21, 2021. This work was
supported in part by the National Key Research and Development Program
of China (Basic Research Class) under Grant 2017YFB0903000, and in part
by the National Natural Science Foundation of China under Grant U1909201.
Paper no. TSG-00256-2020. (Corresponding author: Donglian Qi.)
The authors are with the College of Electrical Engineering, Zhejiang
University, Hangzhou 310027, China (e-mail: [email protected]).
Color versions of one or more figures in this article are available at
https://doi.org/10.1109/TSG.2020.3047949.
Digital Object Identifier 10.1109/TSG.2020.3047949
1949-3053 
c 2020 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: University Town Library of Shenzhen. Downloaded on August 28,2024 at 07:44:51 UTC from IEEE Xplore. Restrictions apply.
1929
caused by the primary control. The tertiary control maintains
the optimal operation of MGs.
Since the secondary control is critical for islanded MGs
to operate at the nominal condition and supply power with
high quality, the reliability of the secondary control level is
of particularly importance. Therefore, distributed control of
large scale multi-agent system becomes a superior alternative
to centralized control structures due to its flexibility, scalability
and better computational performance [5]–[8]. Despite these
advantages, most of existing distributed secondary control
strategies assume ideal communication environment among
DGs. Nevertheless, the ideal communication assumption is
unreasonable in the practice because communication failure
and potential attacks can easily compromise the control system
with a lot of information interaction and computing processes
being involved. Also, the lack of central authority makes the
distributed control have relatively lower security than its cen-
tralized counterpart. Furthermore, the collaborative nature of
states propagating and states update of distributed control can
easily make the attack spread throughout the overall system,
and result in control failure or even make the overall power
system unstable when only being infected by a simple cyber
attack on a certain DG or a communication link. For exam-
ple, for the distributed frequency secondary control system, a
simple constant injection can make frequencies of DGs out
of synchronous, which would cause instability of the overall
power system after a long run, and would lead to a complete
disaster in the worst case [9].
Potential cyber attacks that violate the security of systems
include data modification or false date injection attacks (FDI),
denial of sevice, replay attacks, and others. Among them, FDI
attacks are the most common and typical attack forms for
distributed control systems [9]–[16], which will maliciously
destroy the control performance by injecting false information
to corrupt the real information. Normally, to enhance the robust-
ness of control systems, there are two ways to deal with the
FDI attack, one is to encrypt the propagated information [17],
another is to design special control laws to mitigate or eliminate
the diverse effects of the FDI attack, which is of our concern
in this article. Actually, some relevant works, including attack
detection and attack-resilient control, have been investigated
in the literature. For example, the authors in [11] developed a
false data injection attack detection method for power system
to detect unrecognizable false data injected by stealthy attack
(a kind of attack that can bypass the normal monitors as the
control objectives being satisfied without any error involved).
1930
A vulnerability factor based stealthy attack detection strategy
for cooperative control was introduced in [12], which can accu-
rately identify FDI attacks or stealthy attacks on sensors or
communication links of secondary voltage control system of DC
MGs. Analogously, the authors in [13] dealt with this problem
by transforming attack detection problem into identifying the
variable in inferred candidate invariant MGs properties’ set. In
addition to the attack detection methods, some researchers focus
on attack-resilient techniques. Specifically, the authors in [14]
focused on dealing with the constant attacks (the injections are
constants) on the distributed secondary control of frequency
synchronization of islanded MGs. In particular, an observer
based resilient control protocol was presented to mitigate the
adverse effects of constant attacks, in which confidence factors
and trust factors were designed to estimate the effects caused
by constant attacks and attenuate their damage. Its similar
counterpart for DC MG can be found in [15]. An observa-
tion network based attack-resilient cooperative control strategy
was introduced in [16]. With the strategy in [16], each DG
can monitor the behaviors of its neighbors and gradually iso-
late the compromised DGs with the aid of a proper designed
observation network.
To the best of our knowledge, the research on attack-
resilient distributed secondary control in AC MGs is insuf-
ficient. Most of the existing algorithms only deal with one
specific kind of attack, which is not in line with the practice
applications since the injections can be in various forms [11],
[12], [14], [15], [18]–[23]. In addition, few existing works
clarify the vulnerable locations for control systems. In fact,
all the computing and data exchange components are vulner-
able to FDI attacks, especially for the actuators, sensors and
communication links. Furthermore, to ensure attack-resilient
operation, some works assume that more than half of the
attacked DG’s neighbors should be healthy [14], [15], [24],
which is a rather strict assumption for applications since
attackers could corrupt any DG if they can get access to, and
even corrupt all the DGs or communication links if possible.
To comprehensively protect the secondary control system
of AC MGs against FDI attacks, inspired by the algorithms
proposed in [25], [26], this article introduces an attack-resilient
control for frequency synchronization of islanded MGs. The
main contribution of this work are three folds: 1) a hidden
layer of virtual system is introduced to maintain the stabil-
ity of the islanded MGs being attacked, the algorithm is fully
distributed and can mitigate the damage of time dependent or
state dependent FDI attacks; 2) we show that the algorithm
ensures the frequency of each DG synchronous to the nomi-
nal value when the actuators, sensors and communication links
being compromised, and the controller is robust even when all
the DGs and communication links are attacked. 3) the condi-
tion and possibility that would make the algorithm invalid in
the extreme case are analyzed. To illustrate the superiority
of the proposed controller, a comparison experiment with the
algorithm proposed in [14] is implemented.
The remainder of the article is organized as follows.
Introduction of hierarchical control structure of MGs and the
problem to be solved is presented in Section II. The designing
of FDI attack-resilient strategy for frequency synchronization
Authorized licensed use limited to: University Town Library of Shenzhen. Downloaded on August 28,2024 at 07:44:51 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON SMART GRID, VOL. 12, NO. 3, MAY 2021
of MGs is provided in Section III. Simulation validation for
the proposed control strategy is presented in Section IV, and
Section V presents the summary of this article.
II. P RELIMINARIES OF M ICROGRIDS AND P ROBLEM
S TATEMENT
A. Hierarchical Control Structure of Microgrids
AC MGs are now still in the cutting edge of the state of
the art. As mentioned above, MGs can operate in both grid-
connected mode and islanded mode. Thus, appreciate control
is critical for the stability and economy of MGs in both modes.
In the grid-connected mode, the main power grid provides the
frequency and voltage reference for MGs, and DGs operate
in PQ control mode according to the references. Whereas, in
islanded mode, control systems must maintain the frequency
and voltage synchronization and restore the nominal opera-
tion condition by properly controlling the power supply within
the MGs. The control for islanded MGs can be classified into
master-slave control mode and peer-to-peer control mode [27].
For the master-slave control mode, a DG controlled by con-
stant frequency/voltage control strategy, termed as the master
controller, is chosen to provide the frequency and voltage ref-
erences for the overall MG, while other DGs, as the slave
controllers, operate in PQ control mode according to the refer-
ences provided by the master controller. However, master-slave
control mode needs the master controller have the ability of
supplying sufficient power quickly since it must maintain the
frequency and voltage of the MG by regulating the output
power to meet the load quickly, which is too much for the
chosen DG in MGs. For peer-to-peer control mode, each of
the DGs is equally important in supporting the frequency and
voltage in MGs, and operates in the same control mode based
on the local information at the access point. Droop control,
which can share the load automatically and locally, is often
used as the preferred control strategy in peer-to-peer control
mode. Droop mechanism prescribes linear relation between
the frequency and the active power, and between the voltage
amplitude and the reactive power, which is typically denoted
by [3]

ωi = ωri − mpi Pi
(1)
vi = Vri − nqi Qi
where vi and ωi are the voltage amplitude and frequency of
DGi respectively. Pi and Qi are the active and reactive power
of DGi terminal. Vri and ωri are the primary control references.
mpi and nqi are the droop coefficients in relation with the DGi ’s
rating.
Although the droop mechanism based peer-to-peer control
can share power automatically, it would leads to the devi-
ation of frequency and voltage. To this end, the hierarchical
control structure is developed. As illustrated in Fig. 1, the hier-
archical control includes three control layers, the first layer,
referred to as the primary control, plays the role of balancing
the power generation and the load demand. Typically, droop
control mechanism is used in this layer, which could result
in frequency and voltage deviation. The primary control layer
also includes the inner voltage loop, current loop and power
CHEN et al.: FDI ATTACK-RESILIENT DISTRIBUTED SECONDARY CONTROL STRATEGY FOR ISLANDED MICROGRIDS
Fig. 1. Hierarchical control structure of MGs.
control loop, which have a much faster response than that of
droop control. The second layer, termed as secondary con-
trol, whose main task is to compensate for the frequency and
voltage deviation caused by droop mechanism, which will be
further discussed in subsequent section. The third layer, called
tertiary control, concerns more about the economic dispatch
and the optimal operation of the MGs in both grid-connected
mode and islanded mode.
B. Problem Formulation
In a MG with a number of DGs, frequency synchronization
is of great importance for the stability of the system when the
MG operating at islanded mode. Thus, the reliable operation of
frequency secondary control is critical for MGs. As the alter-
native of centralized secondary control, distributed secondary
control can compensate the frequency deviation caused by
droop mechanism by cooperating all DGs with only local com-
munication. However, cyber-physical security issues are also
important concerns for distributed secondary control system.
Due to the distributed propagation of information and the lack
of central authority, distributed control is easily injected by
FDI attacks. Although many works about this problem have
been done, most of the existing works focus on one form of
attack on one vulnerable location only. Actually, the attack-
ers can inject corrupted data with any forms once they get
access to the control system. Furthermore, attackers may cor-
rupt the control system by injecting false date into any feeble
locations, i.e., the actuators, sensors and communication links.
Whereas, rare existing works considered all of the vulnerable
components being attacked when studying the attack-resilient
control algorithms. Thus, better distributed control schemes
with robustness to FDI attacks are still required for the sec-
ondary control in AC MGs, which leads to the following
problem.
Problem 1: How to design an attack-resilient distributed
secondary control scheme for islanded MGs to synchronize the
system frequency to the desired value when the actuators, sen-
sors and communication links of control system being attacked
by any bounded FDI attacks. That is, in the presence of any
bounded FDI attacks on any vulnerable areas, the following
control objective is satisfied
 
lim ωi − ωref  = 0 ∀i ∈ {1, 2, . . . , N} (2)
t→∞
where ωi is the frequency of DG i, ωref is the reference
frequency. For islanded MGs, the reference frequency is
usually set to be the nominal frequency, i.e., 50 Hz.
Authorized licensed use limited to: University Town Library of Shenzhen. Downloaded on August 28,2024 at 07:44:51 UTC from IEEE Xplore. Restrictions apply.
1931
Fig. 2. Structure of distributed secondary control.
III. ATTACK -R ESILIENT D ISTRIBUTED S ECONDARY
C ONTROL S TRATEGY
A. Conventional Distributed Secondary Controller
The intrinsic distributed nature of DGs in MGs makes the
distributed control a more suitable secondary control scheme
in restoring system frequency, which controls the frequency
of each DG to the reference value through updating the set
points ωri of primary control in (1). In the distributed sec-
ondary control, seen in Fig. 2, only some of the DGs (not
all) can receive the command from the superior control layer.
Each DG requires only peer-to-peer communication among its
neighbors. Then all the DGs will complete the task cooper-
atively in a distributed manner with a sparse communication
network.
Without loss of generality, only frequency restoration is con-
sidered in this article. It’s worthy of noting that the priority
task of frequency secondary control is to obtain the proper set
point ωri for the primary control. The secondary frequency
control of a MG including N DGs can be transformed into a
synchronization problem for a first order and linear multi-agent
system, and the procedure is as follows [7], [14], [28].
1) Differentiating the first equation in (1) yields
ω̇i = ω̇ri − mpi Ṗi . (3)
for i = 1, 2, . . . , N.
2) Based on the feedback linearization, the secondary con-
troller for frequency restoration can be formulated as
ω̇i = ui . The auxiliary control ui , using the local
information of each DG, the information of neighbor’s
and the reference signal, is
    
ui = −cω aij ωi − ωj − gi ωi − ωref (4)
j∈Ni
where aij is the element in the adjacency matrix A of
networked topology, aij = 1 indicates DG i can receive
information from DG j, aij = 0 otherwise [29]. gi
denotes the pinning gain, gi = 1 implies DG i receives
information of reference value, and gi = 0 if otherwise.
cω > 0 is a coupling gain.
3) Then, the secondary set point ωri can be derived from (3)
and (4),

 
ωri = ui + mpi Ṗi dt (5)
1932 IEEE TRANSACTIONS ON SMART GRID, VOL. 12, NO. 3, MAY 2021

where Ṗi can be obtained through the power controller

dynamics, which can be found in [28], [30].

B. Design of FDI Attack-Resilient Controller

For the conventional distributed secondary frequency con-
trol protocol (4), in [14, Th. 1] has shown that the synchroniza-
tion error of DGs is nonzero if (4) is under FDI attacks, which
implies that the frequencies of DGs are out of synchronous.
Once the DGs operate asynchronously for an extended period
of time, the load in the MG can not be properly met by DGs,
and the voltage stability and the frequency stability are reduced
as well, which would lead to collapse of MGs. Therefore, the
synchronization of the DGs is of particularly importance for
the stability of the MG.
In this section, a FDI attack-resilient distributed secondary
control protocol with a hidden layer of virtual system is Fig. 3. Structure of the attack-resilient system.
presented.
As was pointed out in the introduction, most existing
works focus on dealing with only one specific FDI attack. Therefore, the following assumption is hold throughout this
Furthermore, most of these works do not clarify the vulnera- article.
ble locations. The diversity of attacks on different vulnerable Assumption 1: Each of injections considered in this article
locations are not fully considered. Toward this end, inspired by satisfies
the work in [25] and [26], a hidden layer of virtual system is δ(t) ≤ δ̄ (8)
introduced to establish a FDI attack-resilient secondary control
protocol based on cooperative control. where δ̄ is a positive constant.
The dynamics of distributed secondary control system In order to achieve frequency synchronization and restora-
described by (4) can be represented by tion of MGs under FDI attacks, the parameter and matrices
should be chosen properly [26]. The network of virtual system
ω̇ = −(L + G)ω + Bωref (6) at hidden layer H could be chosen as a sparse Hurwitz matrix.
The interconnection matrix P and Q need to be designed as
with L = D in
− A being graph Laplacian matrix, in which follows.
D = diag{ N
in
j=1 aij } is the in-degree matrix of networked Interconnection Matrix for Original System P: intercon-
topology [29]. ω = [ω1 , ω2 , . . . , ωN ]T , B = [g1 , g2 , . . . , gN ]T , necting with virtual system, it should be a invertible sparse
and G = diag{B}. matrix.
In order to mitigate the adverse impacts of FDI attacks and Interconnection Matrix for Virtual System Q: interconnect-
ensure frequencies synchronization and restoration of DGs, ing with original system, it is given by
a hidden layer of virtual system is introduced to design the
attack-resilient control scheme. The attack-resilient distributed Q = P−1 T
h P Ps (9)
secondary control system in the presence of attack is described where Ph and Ps are all symmetric matrices and can be defined
as follows [25], [26] as follows.
Symmetric Matrix Ps :
ω̇ = Cω + αPz + Bωref + 
ż = Hz − αQω + αDωref (7) Ps = diag(qi /pi )
= C−1 1N
T
p = p1 , . . . , pN
where C = −(L + G), z = [z1 , z2 , . . . , zN ]T denotes the state
= C−T 1N
T
of virtual system. P ∈ RN×N and Q ∈ RN×N are designed q = q1 , . . . , qN (10)
interconnection matrices between original system and virtual Symmetric Matrix Ph :
system. H ∈ RN×N is the hidden layer matrix, and D ∈ RN×1
is the pinning vector in the virtual system. Thus, the topology Ph = diag(ri /si )
of overall cyber-physical MG system with attack-resilient dis- r = [r1 , . . . , rN ]T = H−1 1N
tributed secondary frequency control system can be illustrated
s = [s1 , . . . , sN ]T = H−T 1N (11)
by a three layers network as shown in Figure 3.
In (7),  represents the attack vector. It is worth mention- Pinning Vector for Virtual System D: it is determined by
ing that, for obvious attack behavior, like extensively large D = Q1N according to the obtained Q.
injections, a well-defined system can easily detect them and Remark 1: Noting that matrix H has no requirement on
take actions to prevent them from propagating, a simple way connectivity but Hurwitz and invertibility, it can be obtained
is to shut down the corrupted channel. Thus, a smart attacker distributively using Gershgorin theorem [31]. Matrix Ps and
would attack the system stealthily by injecting bounded data. matrix Ph can also be computed distributively according to

Authorized licensed use limited to: University Town Library of Shenzhen. Downloaded on August 28,2024 at 07:44:51 UTC from IEEE Xplore. Restrictions apply.
CHEN et al.: FDI ATTACK-RESILIENT DISTRIBUTED SECONDARY CONTROL STRATEGY FOR ISLANDED MICROGRIDS
the method proposed in [32], so does the obtainment of Q.
Therefore, the overall attack-resilient system can be realized
in a distributed manner.
The following lemmas show that in the presence of bounded
time dependent FDI attacks or state-dependent attacks, the
designed control strategy (7) can make sure frequencies of
DGs synchronize to ωref with an arbitrarily small error given
a sufficient large values of α > 0 and proper matrices P, H,
Q and vector D.
Lemma 1 [25]: Consider the secondary control system (7)
under Assumption 1, with the properly chosen matrices P, H,
Q and D according to the aforementioned rules, the frequency
vector of DGs ω converges to 1N ωref with a small bounded
error for a sufficient large α > 0 as t → ∞. Specifically
lim eω  ≤ J (12)
t→∞
where eω = ω − 1N ωref is the tracking error, J = (C +
α 2 PH−1 Q)−1 .
Lemma 2 [26]: For state-dependent attacks (ω, t) under
Assumption 1 satisfying
˙ = f (, ω)
 (13)
in which (13) would have a finite L2 gain, the secondary con-
trol system (7) is uniformly bounded for a sufficient large
values of α > 0, with the properly chosen matrices P, H, Q
and D according to the aforementioned rules. Furthermore,
by increasing α, frequency vector of DGs ω is forced to
converge to an arbitrarily small neighborhood around 1N ωref .
Specifically
lim eω  ≤ Je  (14)
t→∞
where e is the steady state of the injection .
Lemma 1 and Lemma 2 show that the proposed attack-
resilient control is highly robust to bounded FDI attacks. The
tracking error is related to the topology of networks, the
designed P and H as well as the value of α. It can be also
observed from J that larger α implies better attack-resilient
performance.
Subsequently, we will show the proposed attack-resilient
control can mitigate adverse effects of FDI attacks on actua-
tors, sensors and communication links of control system. The
models of attacks on these three parts are given as follows:
1) The FDI attack on actuator of DG i can be model by
uai = ui + λi δui (15)
where ui is the control input, δui is the injected attack, uai
is the corrupted control input, λi is a binary number indi-
cating the availability of attack, i.e., λi = 1 represents
the presence of attack, otherwise, λi = 0.
2) The corrupted communication link between DG i and
DG j can be expressed by
ωija = ωij + μij δωij (16)
where ωija is the corrupted frequency received by DG i
from DG j, δωij is the injected attack, μij = 1 implies
the presence of attack, otherwise, μij = 0.
Authorized licensed use limited to: University Town Library of Shenzhen. Downloaded on August 28,2024 at 07:44:51 UTC from IEEE Xplore. Restrictions apply.
1933
3) When the DG i’s sensor is attacked, all of the
information received by the sensor will be infected,
which is
ωija = ωij + ηi δa for all j ∈ Ni (17)
where ωija is the corrupted frequency sensed by the DG
i from DG j, δa is the attack injected into the sensor of
DG i. Likewise, ηi = 1 indicates the presence of attack.
It should be noted that attack model (17) is a special
case of (16). Thus, we can only analyze attack model (16)
to investigate both communication links and sensors being
attacked.
Based on the attack models above, the following corollary
is hold.
Corollary 1: In the presence of bounded FDI attacks
on actuators, sensors and communication links, the attack-
resilient strategy (7) can ensure frequency of each DG ωi , (i =
1, . . . , N) synchronize to ωref with a small bounded error given
proper matrices P, H, Q and vector D and a sufficient large
α > 0.
Proof: As mentioned previously, we here only consider
the cases where the actuators and communication links being
attacked.
For the case where the actuators of DGs are subjected to
FDI attacks, using (15) and (7), we have
ω̇ = Cω + αPz + Bωref + δu
ż = Hz − αQω + αDωref (18)
where  = diag([λ1 , . . . , λN ]), and δu = [δu1 , . . . , δuN ]T
satisfying Assumption 1.
Invoking Lemma 1, we have limt→∞ eω (t) ≤ Jδu .
For the case where the communication links suffer from
FDI attacks, from (16) and (7), one can derive
ω̇ = Cω + αPz + Bωref + δω
ż = Hz − αQω + αDωref (19)
N
where δω = [ j=1 aij μij δωij ] ∈ RN . Likewise, invoking
Lemma 1, we have limt→∞ eω (t) ≤ Jδω . The proof is
complete. 
It is worthy of mentioning that Lemma 1, Lemma 2 and
Corollary 1 imply that system (7) can maintain frequency
synchronization even when more than half of the neighbors of
each DG are infected with FDI attacks, which is more practical
than the observer-based strategy in [14].
C. Analysis of the Extreme Case Where the Algorithm Fails
to Protect Against Attacks
If attackers get access to the parameter α of the designed
system (7), and inject FDI attacks by
 = αγ d (20)
where d ∈ RN is the attack vector, whose elements are satisfy-
ing Assumption 1, the tracking error of (12) with attack (20)
becomes
1934 IEEE TRANSACTIONS ON SMART GRID, VOL. 12, NO. 3, MAY 2021

−1
J = C + α 2 PH−1 Q αγ d
 −1
1 −1
= C+α 2−γ
PH Q d
αγ
−1
≈ α γ −2 PH−1 Q d (21)

if α is chosen to be sufficient large.

It can be derived form (21) that if attackers launch
attacks (20) with γ ≥ 2, the proposed FDI attack-resilient
secondary frequency control strategy would fail to synchro-
nize the frequencies of DGs to the nominal reference value in
the sense that the synchronization error is very big as α being
sufficient large. Fig. 4. The single-line diagram of the test AC MG.
However, it would be particularly difficult for attackers to
obtain the parameter α, because the designed control system communication networks can be designed to be sparse as well
is fully distributed and is with a hidden layer, which makes to reduce the communication burden [26].
it very difficult for attackers to reconstruct the overall system
and get α by only hijacking several DGs. Furthermore, since α IV. C ASE S TUDY
is designed to be large, the attack form (20) would be obvious
A. System Setup
and can easily be detected by system. Therefore, the proposed
FDI attack-resilient secondary frequency control strategy is The proposed FDI attack-resilient distributed secondary
still reliable in protecting against FDI attacks. control strategy is validated in an islanded AC MG with 4
DGs. The single-line diagram of the AC MG and its associ-
ated real communication topology is illustrated in Fig. 4. In
D. The Implementation of the Hidden Layer Based each DG, the inner control loops of primary control including
Attack-Resilient Controller the voltage, current and power control loops are simulated in
From the design of the attack-resilient distributed secondary detail based on [28]. The specifications of the test AC MG are
control (7), we know that the overall system contains two cyber presented in Table I. The reference frequency is set to be nom-
layers, i.e., the real cyber system and the virtual cyber system. inal frequency 50 Hz. The time step of the test MG is set to
Note that the two cyber layer are interconnected with matrices be 1e-5 sec. It is worth noting that the communication topol-
P and Q, thus additional communication networks correspond- ogy is with directed links, the network is simple and sparse.
ing to these two matrices are required as well. Therefore, According to the communication topology shown in Fig. 4,
the matrices of C and B are as follows:
the implementation of the hidden network design need to be ⎡ ⎤ ⎡ ⎤
carefully considered. −2 1 0 0 1
⎢ 0 −1 1 0 ⎥ ⎢0⎥
The hidden layer could be implemented as an internal sig- C=⎢ ⎣ 0
⎥, B = ⎢ ⎥.
nal component at each of DG i’s (i = {1, 2, . . . , N}) local 0 −1 1 ⎦ ⎣0⎦
controller, whose state zi has no physical meaning and is dif- 1 0 0 −1 0
ferent from the local state, i.e., ωi . This implementation has Hurwitz matrix H and invertible matrix P for hidden layer
the benefit that the virtual node can get the state of real node are set to be
easily, and vice versa. The additional information exchange in ⎡ ⎤
−4 0 0 1
the hidden layer can be achieved by using a different com- ⎢ 2 −5 0 0 ⎥
munication channel from the original cyber layer. Such as, H=⎢ ⎣ 0
⎥.
1 −3 0 ⎦
using Internet technology or software-defined networking to
0 0 2 −4
obtain better security for communication. In order to precisely
connect the real cyber layer with the virtual cyber layer, the ⎡ ⎤
interconnection communication could be implemented by dif- −2 1 0 0
⎢ 1 −2 0 1 ⎥
ferent communication channel based on the interconnection P=⎢
⎣ 0
⎥.
matrices P and Q as well. Therefore, to implement the overall 0 −2 0 ⎦
attack-resilient control system, three additional communication 0 1 0 −2
networks including the virtual cyber system communication The matrices Ps , Ph , Q and vector D can be computed
network and two interconnection communication networks are according to the aforementioned rules.
required, which comes at a price of an increased communi- The simulation process for all cases is as follows: the MG
cation expenses. However, the communication expense could is islanded from the main grid at t = 0 sec, and DGs 1-4
be small since the hidden network matrix can be chosen to and Load 1 are connected to the MG in the beginning. The
be sparse enough and the network is not necessarily physical. secondary control starts at t = 2 sec. Load 2 is connected into
In addition, the interconnection matrices corresponding to the the MG at t = 4 sec. Attacks are launched at t = 6 sec. Load 2

Authorized licensed use limited to: University Town Library of Shenzhen. Downloaded on August 28,2024 at 07:44:51 UTC from IEEE Xplore. Restrictions apply.
CHEN et al.: FDI ATTACK-RESILIENT DISTRIBUTED SECONDARY CONTROL STRATEGY FOR ISLANDED MICROGRIDS 1935

TABLE I
S PECIFICATIONS OF THE T EST AC MG

TABLE II
ATTACKS ON C OMMUNICATION L INKS

is switched off from the MG at t = 8 sec. The total simulation Fig. 5. Performances of secondary frequency control under actuator
attacks: (a) Conventional distributed secondary control; (b) FDI attack-resilient
time is set to be 10 sec. distributed secondary control with α = 200.

B. Case 1: Time Dependent Attacks

To evaluate the performance of proposed attack-resilient
control, the bounded time dependent FDI attacks on actua-
tors and communication links are investigated firstly. Without
loss of any generality, the bounded time dependent FDI attacks
is defined as
δ = c + k sin(nt + φ) (22)
where c and k are constants, n is a positive integer, and φ ∈
[0, 2π ]. It is obvious that δ is under Assumption 1.
For this case, the attacks on actuators is set to be
⎡ ⎤
0.2 cos(t)
⎢ −0.1 ⎥
=⎢ ⎥
⎣ 0.2 sin(2t) ⎦
0.1
and the attacks on communication links is shown Table II.
The simulation results of FDI attacks on actuators and com-
munication links are shown in Fig. 5 and Fig. 6 respectively. Fig. 6. Performances of secondary frequency control under communication
Fig. 5(a) and Fig. 6(a) show the performance of the conven- links attacks: (a) Conventional distributed secondary control; (b) FDI attack-
tional distributed secondary frequency control strategy. It is resilient distributed secondary control with α = 200.
clear that the conventional control strategy can synchronize the
frequencies of DGs to the nominal reference after islanding or
during load changes. However, it can not protect the system C. Case 2: State Dependent Attacks
when the actuators and communication links being attacked, To evaluate the performance of proposed attack-resilient
and the frequencies become unstable. However, as shown control under state dependent FDI attacks, we consider the
in Fig. 5(b) and Fig. 6(b), protected by our attack-resilient following attack dynamics
control, the frequency of each DG converges to the nomi-
nal frequency 50 Hz even in the presence of attacks, which ˙ = −I + Mω
 (23)
validate the effectiveness of the proposed algorithm. Fig. 7
shows the simulation results of FDI attacks on actuators and with
communication links simultaneously. As shown in Fig. 7, the ⎡ ⎤
−0.1 0 −0.4 −0.2
attack-resilient control can still achieve the secondary control ⎢ 0.5 0.2 −0.1 −0.3 ⎥
M=⎢
⎣ 0.2
⎥
goal in such a bad situation. −0.2 0 −0.2 ⎦
The results also illustrate that our algorithm is with robust- 0 −0.1 0.2 −0.3
ness to FDI attacks even when all of the neighbors of each
DG are attacked. where I is identity matrix.

Authorized licensed use limited to: University Town Library of Shenzhen. Downloaded on August 28,2024 at 07:44:51 UTC from IEEE Xplore. Restrictions apply.
1936
Fig. 7. Performances of secondary control under actuators attacks and
communication links attacks simultaneously: (a) Conventional distributed sec-
ondary control; (b) FDI attack-resilient distributed secondary control with
α = 200.
Fig. 8. Performances of secondary control under state dependent attacks: (a)
Conventional distributed secondary control; (b) FDI attack-resilient distributed
secondary control with α = 50; (c) FDI attack-resilient distributed secondary
control with α = 200.
Fig. 8 shows the simulation results of the conventional
distributed secondary control and the proposed FDI attack-
resilient distributed secondary control under state dependent
attack (23). As a result, it can be seen from Fig. 8(a)
that without protection, the state dependent attack makes the
Authorized licensed use limited to: University Town Library of Shenzhen. Downloaded on August 28,2024 at 07:44:51 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON SMART GRID, VOL. 12, NO. 3, MAY 2021
frequencies of DGs out of synchronous and system frequency
unstable. However, the proposed attack-resilient control still
ensures the frequencies of DGs synchronize to the value
around the nominal frequency 50 Hz, as shown in Fig. 8(b)
and Fig. 8(c). It can also be observed that by increasing α, as
expected, a much improved performance is yield.
From Fig. 8(b), note that if α is not large enough, the
frequencies of DGs would be slightly out of synchronous, but
stable, which illustrate our algorithm can mitigate the attack
significantly. However, it would lead to deviation of the volt-
ages or other stable problems after a long time running at this
state because of the physical interconnection. Nevertheless, it
can provide enough time for remedial actions, e.g., tuning α
to be larger. Therefore, the designer should select a large α as
far as possible if conditions allow.
D. Case 3: Comparison With the State-of-the-Art
Attack-Resilient Control in [14]
In this section, we provide the performances of the observer-
based attack-resilient secondary control in [14] to compare
with that of our attack-resilient control strategy.
The observer-based secondary control of DG i in [14] is
given by
    
ω̂˙ i = aij Cj Tij ω̂i − ω̂i + bi ω̂i − ωref (24)
j∈Ni
where ω̂i is the frequency observed at DG i. Cj is the designed
confidence factor that measures how much confidence each
DG i has about its own observed frequency. Tij is the designed
trust factor that evaluate the trust level of DG j for DG i. The
specifications of Cj and Tij can be found in [14].
With the designed confidence factor Cj and trust factor Tij ,
the observer-based secondary frequency control evaluates the
credibility of its own frequency and the received frequencies,
and uses the credibility to mitigate the FDI attack on actuators,
sensors and communication links of control system. But, it
requires the network connectivity to be at least (2z+1), i.e., at
least half of the neighbors of each DG are not attacked, where
z is the number of neighbors under attack [14], which means
the control needs a more complex communication network
than that of our method. For the attacks on communication
links, the observer-based control measures the trust level Tij to
isolate the injected attack. Specifically, each DG’s controller
sets a lower threshold on trust value, i.e., Tij > 0.4; Once
the trust value of a link drops below this level, this link is
disconnected from the communication network. Based on this
mechanism, the controller can eliminate the attack.
To show the performance of the observer-based secondary
control when DG 3’s actuator is attacked by 0.1 + 0.05 sin(t),
the communication network of observer-based is designed as
Fig. 9. Notice that DG 2 and DG 4 both have more than half
of healthy neighbors, which meets the above requirement. The
case where all the actuators of DGs are attacked by the  in
case 1 is also considered.
Fig. 10 shows the performances of the observer-based sec-
ondary frequency control under the case where only DG 3’s
actuator is attacked and the case where all the DGs’ actua-
tors are attacked. It is observed in Fig. 10(a) that frequencies
CHEN et al.: FDI ATTACK-RESILIENT DISTRIBUTED SECONDARY CONTROL STRATEGY FOR ISLANDED MICROGRIDS
Fig. 9. Communication network of observer-based secondary control.
Fig. 10. Performances of observer-based control in [14] under attacks: (a)
The actuator of DG 3 is attacked by 0.1 + 0.05 sin(t); (b) Actuators of all the
DGs are attacked by the  in Case 1.
Fig. 11. Performance of observer-based control in [14] under attacks: The
communication link between DG 2 and DG 4 is attacked by −0.1+0.2 cos(t).
at all DGs, except DG 3 (under attack), remain synchro-
nized at 50 Hz. The controller mitigates the attack obviously.
Nevertheless, some remedial actions need to be taken, e.g.,
disconnecting the DG 3, otherwise, the deviation of DG 3’s
frequency would result in other problem after a long time
running. While for the case where all the actuators of DGs
are attacked as shown in Fig. 10(b), clearly the attacks result
in a loss of synchrony, which explains superiority of our
attack-resilient control by comparing it with Fig. 5(b).
To show the performance of the observer-based control
under communication attacks, the case where communication
link between DG 2 and DG 4 is considered. As Fig. 11 shown,
Authorized licensed use limited to: University Town Library of Shenzhen. Downloaded on August 28,2024 at 07:44:51 UTC from IEEE Xplore. Restrictions apply.
1937
the corrupted communication link is detected and isolated,
and the frequency synchronization is achieved. However, the
observer-based control can not achieve the secondary control
goal when multiple communication links being attacked since
the communication topology would not be connected when
the corrupted links are cut off.
All the simulation results verify that the proposed FDI
attack-resilient distributed secondary control strategy with a
sufficient large α is highly robust to both bounded time depen-
dent attacks and the state dependent attacks. By comparing
with the observer-based control in [14], we show that the
proposed FDI attack-resilient distributed secondary control
strategy is more practical in protecting system against FDI
attacks on multiple DGs and multiple communication links.
V. C ONCLUSION
This article proposed a FDI attack-resilient distributed sec-
ondary control strategy for frequency synchronization and
restoration in AC islanded MGs. Specifically, a hidden layer
based attack-resilient control scheme was introduced to deal
with FDI attacks on actuators, sensors and communication
links of the secondary control system. The design of the
matrices that construct the controller is discussed in detail.
We shown that the proposed controller can greatly mitigate
the adverse impacts made by time dependent attacks and
state dependent attacks with sufficient large α. Moreover, the
extreme case that makes the algorithm failure was analyzed.
Finally, the effectiveness of the proposed attack-resilient con-
trol was provided by simulation results in a test MG with
4 DGs, and the superiority of the controller was verified by
comparing its performances with that of an existing state-of-art
attack-resilient controller.
R EFERENCES
[1] Z. Su, L. Xu, S. Xin, W. Li, Z. Shi, and Q. Guo, “A future outlook
for cyber-physical power system,” in Proc. IEEE Conf. Energy Internet
Energy Syst. Integr. (EI2), 2017, pp. 1–4.
[2] H. Ye, Q. Mou, X. Wang, and Y. Liu, “Eigen-analysis of large delayed
cyber-physical power system by time integration-based solution oper-
ator discretization methods,” IEEE Trans. Power Syst., vol. 33, no. 6,
pp. 5968–5978, Nov. 2018.
[3] J. M. Guerrero, J. C. Vasquez, J. Matas, L. G. De Vicuña, and
M. Castilla, “Hierarchical control of droop-controlled AC and DC
microgrids—A general approach toward standardization,” IEEE Trans.
Ind. Electron., vol. 58, no. 1, pp. 158–172, Jan. 2011.
[4] A. Bidram and A. Davoudi, “Hierarchical structure of microgrids con-
trol system,” IEEE Trans. Smart Grid, vol. 3, no. 4, pp. 1963–1976,
Dec. 2012.
[5] H. Xin, Z. Lu, Z. Qu, D. Gan, and D. Qi, “Cooperative control strat-
egy for multiple photovoltaic generators in distribution networks,” IET
Control Theory Appl., vol. 5, no. 14, pp. 1617–1629, Sep. 2011.
[6] H. Xin, Z. Qu, J. Seuss, and A. Maknouninejad, “A self-organizing
strategy for power flow control of photovoltaic generators in a distribu-
tion network,” IEEE Trans. Power Syst., vol. 26, no. 3, pp. 1462–1473,
Aug. 2011.
[7] A. Bidram, A. Davoudi, F. L. Lewis, and Z. Qu, “Secondary control
of microgrids based on distributed cooperative control of multi-agent
systems,” IET Gener. Transm. Distrib., vol. 7, no. 8, pp. 822–831,
Aug. 2013.
[8] G. Zhang, C. Li, D. Qi, and H. Xin, “Distributed estimation and sec-
ondary control of autonomous microgrid,” IEEE Trans. Power Syst.,
vol. 32, no. 2, pp. 989–998, Mar. 2017.
1938
[9] H. Zhang, W. Meng, J. Qi, X. Wang, and W. X. Zheng, “Distributed load
sharing under false data injection attack in an inverter-based microgrid,”
IEEE Trans. Ind. Electron., vol. 66, no. 2, pp. 1543–1551, Feb. 2019.
[10] J. Duan, W. Zeng, and M.-Y. Chow, “Resilient distributed DC optimal
power flow against data integrity attack,” IEEE Trans. Smart Grid, vol. 9,
no. 4, pp. 3543–3552, Jul. 2018.
[11] J. Zhao, L. Mili, and M. Wang, “A generalized false data injection attacks
against power system nonlinear state estimator and countermeasures,”
IEEE Trans. Power Syst., vol. 33, no. 5, pp. 4868–4877, Sep. 2018.
[12] S. Sahoo, S. Mishra, J. C.-H. Peng, and T. Dragičević, “A stealth
cyber-attack detection strategy for DC microgrids,” IEEE Trans. Power
Electron., vol. 34, no. 8, pp. 8162–8174, Aug. 2019.
[13] O. A. Beg, T. T. Johnson, and A. Davoudi, “Detection of false-data
injection attacks in cyber-physical DC microgrids,” IEEE Trans. Ind.
Informat., vol. 13, no. 5, pp. 2693–2703, Oct. 2017.
[14] S. Abhinav, H. Modares, F. L. Lewis, F. Ferrese, and A. Davoudi,
“Synchrony in networked microgrids under attacks,” IEEE Trans. Smart
Grid, vol. 9, no. 6, pp. 6731–6741, Nov. 2018.
[15] S. Abhinav, H. Modares, F. L. Lewis, and A. Davoudi, “Resilient coop-
erative control of DC microgrids,” IEEE Trans. Smart Grid, vol. 10,
no. 1, pp. 1083–1085, Jan. 2019.
[16] Y. Liu, H. Xin, Z. Qu, and D. Gan, “An attack-resilient cooperative con-
trol strategy of multiple distributed generators in distribution networks,”
IEEE Trans. Smart Grid, vol. 7, no. 6, pp. 2923–2932, Nov. 2016.
[17] Y. Mo et al., “Cyber–physical security of a smart grid infrastructure,”
Proc. IEEE, vol. 100, no. 1, pp. 195–209, Jan. 2012.
[18] H. Modares, B. Kiumarsi, F. L. Lewis, F. Ferrese, and A. Davoudi,
“Resilient and robust synchronization of multiagent systems under
attacks on sensors and actuators,” IEEE Trans. Cybern., vol. 50, no. 3,
pp. 1240–1250, Mar. 2020.
[19] S. Abhinav, I. D. Schizas, F. L. Lewis, and A. Davoudi, “Distributed
noise-resilient networked synchrony of active distribution systems,”
IEEE Trans. Smart Grid, vol. 9, no. 2, pp. 836–846, Mar. 2018.
[20] J. Hu and G. Feng, “Distributed tracking control of leader–follower
multi-agent systems under noisy measurement,” Automatica, vol. 46,
no. 8, pp. 1382–1387, Aug. 2010.
Authorized licensed use limited to: University Town Library of Shenzhen. Downloaded on August 28,2024 at 07:44:51 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON SMART GRID, VOL. 12, NO. 3, MAY 2021
[21] D. Meng and K. L. Moore, “Studies on resilient control through
multiagent consensus networks subject to disturbances,” IEEE Trans.
Cybern., vol. 44, no. 11, pp. 2050–2064, Nov. 2014.
[22] H.-N. Wu and H.-D. Wang, “Distributed consensus observers-based H∞
control of dissipative pde systems using sensor networks,” IEEE Trans.
Control Netw. Syst., vol. 2, no. 2, pp. 112–121, Jun. 2015.
[23] Y. Liu and J. Lunze, “Leader–follower synchronisation of autonomous
agents with external disturbances,” Int. J. Control, vol. 87, no. 9,
pp. 1914–1925, 2014.
[24] H. J. LeBlanc, H. Zhang, X. Koutsoukos, and S. Sundaram, “Resilient
asymptotic consensus in robust networks,” IEEE J. Sel. Areas Commun.,
vol. 31, no. 4, pp. 766–781, Apr. 2013.
[25] H. Dong, C. Li, and Y. Zhang, “Resilient consensus of multi-agent
systems against malicious data injections,” J. Frankl. Inst., vol. 357,
no. 4, pp. 2217–2231, 2020.
[26] A. Gusrialdi, Z. Qu, and M. A. Simaan, “Competitive interaction design
of cooperative systems against attacks,” IEEE Trans. Autom. Control,
vol. 63, no. 9, pp. 3159–3166, Sep. 2018.
[27] C. Wang, Analysis and Simulation Theory of Microgrids. Beijing, China:
Sci. Press, 2013.
[28] A. Bidram, F. L. Lewis, and A. Davoudi, “Distributed control systems
for small-scale power networks: Using multiagent cooperative con-
trol theory,” IEEE Control Syst. Mag., vol. 34, no. 6, pp. 56–77,
Dec. 2014.
[29] Z. Qu, Cooperative Control of Dynamical Systems: Applications to
Autonomous Vehicles. London, U.K.: Springer, 2009.
[30] A. Bidram, V. Nasirian, A. Davoudi, and F. L. Lewis, Cooperative
Synchronization in Distributed Microgrid Control. Cham, Switzerland:
Springer, 2017.
[31] A. Gusrialdi and Z. Qu, “Distributed estimation of all the eigenval-
ues and eigenvectors of matrices associated with strongly connected
digraphs,” IEEE Control Syst. Lett., vol. 1, no. 2, pp. 328–333,
Oct. 2017.
[32] S. Mou, J. Liu, and A. S. Morse, “A distributed algorithm for solving a
linear algebraic equation,” IEEE Trans. Autom. Control, vol. 60, no. 11,
pp. 2863–2878, Nov. 2015.