IEEE TRANSACTIONS ON SMART GRID, VOL. 13, NO.
3, MAY 2022
Adaptive Hierarchical Cyber Attack Detection and
Localization in Active Distribution Systems
Qi Li , Graduate Student Member, IEEE, Jinan Zhang , Graduate Student Member, IEEE,
Junbo Zhao , Senior Member, IEEE, Jin Ye , Senior Member, IEEE, Wenzhan Song , Senior Member, IEEE,
and Fangyu Li , Member, IEEE
Abstract—Development of a cyber security strategy for the
active distribution systems is challenging due to the inclusion of
distributed renewable energy generations. This paper proposes
an adaptive hierarchical cyber attack detection and localization
framework for distributed active distribution systems via ana-
lyzing electrical waveforms. Cyber attack detection is based on
a sequential deep learning model, via which even minor cyber
attacks can be identified. The two-stage cyber attack localiza-
tion algorithm first estimates the cyber attack sub-region, and
then localize the specified cyber attack within the estimated sub-
region. We propose a modified spectral clustering-based network
partitioning method for the hierarchical cyber attack ‘coarse’
localization. Next, to further narrow down the cyber attack
location, a normalized impact score based on waveform statisti-
cal metrics is proposed to obtain a ‘fine’ cyber attack location
by characterizing different waveform properties. Finally, com-
pared with classical and state-of-art methods, a comprehensive
quantitative evaluation with two case studies shows promising
estimation results of the proposed framework.
Index Terms—Cyber attack localization, adaptive, hierarchical,
online, distribution networks.
I. I NTRODUCTION
YBER attack localization is important to protect smart
C distribution grids, but also a challenging task because of
Manuscript received August 31, 2021; revised January 3, 2022; accepted
January 27, 2022. Date of publication February 1, 2022; date of current
version April 22, 2022. This work was supported in part by the National
Key Research and Development Project under Grant 2018YFC1900800 and
Grant 2018YFC1900805; in part by the National Science Foundation of
China under Grant 61890930-5, Grant 61903010, Grant 62021003, and Grant
62125301; in part by the Beijing Outstanding Young Scientist Program under
Grant BJJWZYJH01201910005020; in part by the Beijing Natural Science
Foundation under Grant KZ202110005009; in part by the U.S. Department
of Energy’s Solar Energy Technology Office under Award DE-EE0009026;
in part by the U.S. National Science Foundation under Grant NSF-ECCS-
1946057; and in part by Southern Company. Paper no. TSG-01400-2021.
(Corresponding author: Fangyu Li.)
Qi Li, Jinan Zhang, Jin Ye, and Wenzhan Song are with the
Center for Cyber-Physical Systems, University of Georgia, Athens, GA
30602 USA (e-mail: [email protected]; [email protected]; [email protected];
[email protected]).
Junbo Zhao is with the Department of Electrical and Computer Engineering,
University of Connecticut, Storrs, CT 06269 USA (e-mail: [email protected]).
Fangyu Li is with the Faculty of Information Technology, Beijing Key
Laboratory of Computational Intelligence and Intelligent System, Engineering
Research Center of Digital Community, Ministry of Education, and Beijing
Artificial Intelligence Institute, Beijing University of Technology, Beijing
100124, China (e-mail: [email protected]).
Color versions of one or more figures in this article are available at
https://doi.org/10.1109/TSG.2022.3148233.
Digital Object Identifier 10.1109/TSG.2022.3148233
1949-3053 
c 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.
Authorized licensed use limited to: Chiba University. Downloaded on April 10,2025 at 05:54:56 UTC from IEEE Xplore. Restrictions apply.
2369
the inherent distributed energy resources (DER) and topology
complexities [1], [2]. Raw electrical waveforms, signals of
electrical networks, together with those in cyber networks pro-
vide great potentials in cyber attack detection [3]. For example,
devices in power networks must leave clues of their operational
status and health (including faults or attacks) information in
the raw electrical waveform signals: a cyber-device in fault or
under attack will cause unusual energy consumption pattern in
power networks [4]; a power electronics or electric machine in
fault or under attack may cause unusual harmonics or energy
profile in electrical networks [5].
By analyzing the electrical waveform signals and their root
cause, waveform analytics can present utilities with a com-
plete picture of the health and status of their system, both
during outages and normal operating conditions. It could also
provide a variety of operational benefits to system opera-
tors, asset management personnel, and repair crew. Electronic
sensors placed on power grids and distribution systems can
either measure the electricity properties, such as phasor mea-
surement unit (PMU) sensors [6], [7] or directly record the
raw electrical waveform using waveform measurement unit
(WMU) [8]–[12], depending on the needed fidelity of moni-
toring applications. Thanks to developed network connectivity,
the streaming monitoring data flow can be obtained and
analyzed online and in real-time [13].
The network of the waveform sensors form an Internet of
Things (IoT) system [4], [14], where the waveform sensors are
viewed as networked IoT sensing devices. Therefore, we can
potentially use the information embedded in electrical signals
to enable security monitoring, diagnosis, and prognosis in the
power networks. The possibility may be well beyond what we
can imagine now. It broadly applies to many cyber-physical
systems (CPS) and applications, such as power distribution
networks, multi-stage manufacturing systems, electric vehi-
cles, and so on [15]–[17]. Cyber attacks towards connected
IoT devices trigger anomalies in system statistics, energy con-
sumption, as well as electrical waveforms [4], [14], [18], [19].
Thus, recorded waveform which carries high fidelity cur-
rent and voltage information should be adequate for cyber
attack characterization. Furthermore, the transmission of the
high-frequency waveform data is feasible in practice [20]–[22].
Data-driven methods have been widely adopted for event
localization in power electronics networks and active distri-
bution systems. Rule-based data-driven analytics [23], signal
property-based approach [24], and neural networks (NN) based
2370
Fig. 1. The proposed adaptive hierarchical online cyber attack localization
workflow. The details are discussed in Section III.
algorithms, such as autoencoders [25], convolutional neu-
ral network (CNN) [26], have been developed. However,
NN-based algorithms typically require a large amount of
training data to capture the sophisticated features, which can-
not be fully simulated or acquired from real applications.
Thus, combining the rule-based signal processing methods and
machine learning methods could lead to a solution tackling the
challenging problem using an affordable data size.
There have been numerous works targeting the event and
cyber attack localization problem [1], [2], [27]. Dynamic
data analytics based localization is always a major branch
for the distribution networks [1], DC microgrid [2], islanded
microgrid [27]. This paper proposes a new adaptive hierarchi-
cal framework for efficient and accurate cyber attack detection
and localization by taking advantage of the electrical wave-
forms (Fig. 1). The proposed approach has a hierarchical
architecture that divides the whole network into sub-groups
and then locates the cyber attack within one local cluster.
Based on a modified unsupervised clustering and an deep
learning based anomaly detection method, cyber attacks in
the active distribution systems can be adaptively detected and
located. The performance of the proposed approach has been
tested by multiple cyber attack scenarios in two representative
case studies.
Our contributions are summarized as follows:
• We propose an adaptive hierarchical cyber attack detec-
tion and localization framework for active distribution
systems with DERs using the electrical waveform;
• High fidelity models of DER and cyber attacks are built
to analyze the impacts of cyber attacks towards the
distribution networks;
• Extensive experiments are utilized to evaluate the
proposed approach performances with quantitative ana-
lytics;
The remainder of this paper is organized as follows. In
Section II, the cyber attack model of active distribution
systems is discussed. In Section III, we describe the proposed
approaches with the details of each key component, which
are cyber attack detection, network partition and cyber attack
localization. Experiments and evaluations can be found in
Section IV. In the end, a conclusion is drawn in Section V.
II. C YBER ATTACK M ODEL
Cyber attacks on power systems and smart grids have
become more common, especially with the increasing number
Authorized licensed use limited to: Chiba University. Downloaded on April 10,2025 at 05:54:56 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON SMART GRID, VOL. 13, NO. 3, MAY 2022
Fig. 2. The adopted cyber attack model of the studied active distribution
systems. The vulnerability of the smart inverter due to FDI attacks is shown.
of power electronics converters. Specifically, PV embedded
active distribution system is one of the most representative
examples. For smart inverters in the distribution systems, false
data integrity (FDI) attack is one of the common cyber-attacks
when an enormous amount of DERs are connected to the
power system [28], [29]. Besides the high order abnormal
harmonics caused by the cyber attacks towards the power
electronics devices in the power system, FDI attack could
also manipulate the critical threshold in relays [30] and trans-
formers [31] to induce the short circuit faults. In addition,
the research on FDI attacks against distribution system SE
(DSSE) is an interesting open area. In [32], the vulnerability
of distribution system SE (DSSE) to FDI attack was investi-
gated. The work in [33] provides a basis to study the attack
behaviors in distribution systems and a theoretical guide to
develop protective countermeasures. Authors in [34] attempt
to optimize the effectiveness and hiddenness of Moving Target
Defense (MTD) while considering voltage stability. MTD is a
new technology to defend against the FDI attack on DSSE.
In this paper, to simulate cyber attacks that occurred in the
active distribution grid, FDI attack is modeled here, which
is assumed to falsify the sensor measurements and degrade
controller performance. FDI attack is defined as
Y = α Yf + β Y0 , (1)
where Y is the falsified data vector that is eventually used by
the controller, Y0 is the original measurement, Yf is a fake data
vector which can be independent or determined by Y0 , α is a
coefficient that determines the weight of the attack vector, β
is a coefficient that defines the weight of the measurement.
In the PV (photovotaic) converter controller in the Fig. 2,
Y0 is shown as
 T
Y0 = Upv , Ipv , Udc , If , Uc , Ig . (2)
where Upv , Ipv are the PV array voltage and current, respec-
tively. Udc is DC link voltage, If is the inverter-side current
in LCL filter, Uf is the capacitor voltage in LCL filter, Ig is
the grid-side current in LCL filter. As for the phase voltage
source inverter (VSI), Y0 only includes If , Uc and Ig . Both
Fig. 2 and Fig. A.1 show the vulnerability of the inverter due
to FDI attacks. More detailed model of DERs in this paper is
illustrated in the Appendix.
III. P ROPOSED A PPROACH
The workflow of the proposed adaptive hierarchical cyber
attack localization approach is shown in Fig. 1. It includes
LI et al.: ADAPTIVE HIERARCHICAL CYBER ATTACK DETECTION AND LOCALIZATION IN ACTIVE DISTRIBUTION SYSTEMS
online processing procedures, such as cyber attack detec-
tion, network partitioning, sub-region determination, and cyber
attack localization. In this section, we introduce the method-
ologies in detail with thorough discussions. Note that we
assume the optimal sensor placement (OSP) has been done
offline. The purpose of OSP to achieve the observability of
the whole distribution system with the minimum number of
waveform sensors [35].
A. Cyber Attack Detection
Distribution power systems typically operate under
steady-state. Therefore, the cyber attack can be detected
based on the deviation of the monitoring metrics from
steady-state, which, in our study, is an anomaly detection
problem. For time-series sensor streaming data, statistical
analysis is typically used for cyber attack detection [13], [14].
Our previous studies [13], [15] utilizing the data-driven meth-
ods have shown remarkable performance regarding the
electrical waveform data. By applying the cyber attack
detection algorithm on streaming waveform measurement
unit (WMU) data, we can determine if there is a cyber attack
in real time. In this case, cyber attack detection is treated
as a one-class classification problem. A Multi-layer Long
Short-Term Memory Network (MLSTM) from our previous
work has been applied, which not only remembers sequential
information but also carries out a more rigorous screening
of time information. So, we can generalize the behavior
complexity of the active distribution systems without a huge
dataset. Besides, detectors such as CUSUM, DBSCAN, and
our MLSTM, are compared.
B. Network Partition Based on Modified Spectral Clustering
To efficiently locate the cyber attacks, we propose to first
partition the active distribution systems into several sub-
regions. It is similar to divide a centralized problem into
smaller problems and solving them in a distributed manner.
Spectral clustering is a classic unsupervised learning method
based on the graph theory to partition a graph into several
sub-graphs [36], [37], which is easy to implement and per-
forms well. Therefore it is suitable for the active distribution
system partition in our study. We propose a modified spectral
clustering to search for the optimal partition results.
Let A ∈ RN×N be the adjacency matrix of our WMU sensor
topology and its entry is defined as

1
, if node i and j are connected.
Aij = Zij (3)
0, otherwise.
where Zij is the impedance between vertex i and vertex j.
In this case, Aij = Z1ij if vertex i and vertex j are con-
nected in the original active distribution system topology and
Aij = 0 if vertex i and vertex j are not connected directly. Let
D = diag(A1n ) be the diagonal
 matrix where Dii is the degree
di of node i, i.e., di = Nj=1 ij In addition, let S ∈ R
A . N×N be
the affinity matrix calculated based on the measurement cor-
relations. This measurement correlation could be customized
as long as it could represent the electrical distance among
nodes. Since we have considered three-phase unbalance in our
Authorized licensed use limited to: Chiba University. Downloaded on April 10,2025 at 05:54:56 UTC from IEEE Xplore. Restrictions apply.
2371
Algorithm 1 Modified Spectral Clustering
1: Input: Adjacency matrix A, data matrix X and cluster
number K.
2: Compute the Affinity matrix S based on the data matrix.
3: Compute the modified Laplacian matrix L = (D − S) +
μ(D − A).
4: For K clusters, compute the first K eigenvectors
[v1 , v2 , . . . , vK ].
5: Stack the vectors to form a matrix with the vectors as
columns.
6: Represent every node by the corresponding row of the
stacked matrix, which forms the feature matrix.
7: Use K-means clustering to cluster data samples into K
clusters {C1 , C2 , . . . , CK }.
models, it should be pointed out that we use the average of
three-phase current and voltage to calculate the measurement
correlation.
The modified Laplacian matrix L can be defined as
L = (D − S) + μ(D − A), (4)
where μ is a penalty term, without losing generality, to bal-
ance the influences on grid partition result from static topology
and dynamic data structure. Then, the eigenstructure of the
Laplacian matrix L is analyzed to decide which cluster the
nodes belong to. The details of the modified spectral clustering
can be found in Algorithm 1.
C. Cyber Attack Localization Within Sub-Regions
Combining our proposed cyber attack detection and modi-
fied spectral clustering, the cyber attack can be located into a
sub-region of the large-scale networks. Furthermore, we need
to locate the cyber attack within the sub-regions. Following
the assumption that the affected waveform signals show dif-
ferent influences according to the distances between the sensor
locations and the cyber attack location, we propose a signal
anomaly strength-based approach to detect the exact loca-
tion of the cyber attack. The location of WMU’s placement
plays a vital role in better observability and localization of
cyber attacks. Note that, in our study, we assume the topol-
ogy is known beforehand. Comparing the abnormal scales, the
relative distances can be determined. Therefore, the relative
locations in the topology can be inferred. However, some-
times, this approach may provide a range instead of a node
point, which is already an improvement using limited sensors.
The disturbance at the point of impact of stone is stronger,
but it fades out soon, and at the other end of the lake, no
such disturbance can be visibly detected. Similarly, the WMU
can detect the cyber attacks if they are near the cyber attack
location, and in some cases, multiple WMU can detect the
cyber attacks. Cyber attacks which have a more significant
impact will generate obvious signatures and can be detected in
multiple WMU. However, some minor cyber attacks or cyber
attacks are local, and their signatures are not strong enough
to be picked up by WMUs far in the electrical distance in the
network. Therefore, we compute statistical parameters and get
2372
a normalized score to determine the WMU with the strongest
signal for a particular. This method helps extract information
based on WMU data.
1) Impact Scores of WMUs: To characterize the pattern
of the waveform data, we proposed the following four (4)
statistical measures:
• Standard Deviation σ : σ is suitable for measuring the
data distribution and in our case the disturbance caused
by the attack in waveform data. σ can be calculated as:
 4: CyberAttackLocation = WMU with highest IS

1 N
σ =
(Xi − μ)2 , (5)
N 6:
i=1
where ‘X’ is the stream data, ‘i’ is the index of the
stream data window length ‘N’, and μ is the mean of
data window.
• Range: Range measures the pattern variation of WMU
data during the cyber attack. It can be expressed as:
Range = |max(Xi ) − min(Xi )|,
where the data ranges from ‘i = 1’ to ‘i = N’ and N is
the window length.
• Mean Difference (MD): MD is calculated using data
points in previous and current windows. MD captures the
information on the magnitude shift, and is defined as:
MD = μprevious − μcurrent ,
where μprevious and μcurrent are the mean value of the
previous and current data windows, respectively.
• Peak Factor (PF): PF measures the severity of the crest of
the data during cyber attacks. A WMU close to the cyber
attack would have a larger PF than a WMU which is far
away from the cyber attack. PF is calculated following:
max(Xi )
PF = N . (8)
i=1 (Xi )
1 2
N distribution systems, while the experiment is evaluated and
The nearest WMU from the cyber attack location regard-
ing electrical distance will see more prominent cyber attack
signatures. The respective values of the above discussed sta-
tistical measures would be higher. However, it is unfeasible to
compare the scores of each measure computed above across
WMUs. Normalization helps in the identification of promi-
nent WMUs for a particular cyber attack by comparing the
single-point scores. In our case, the normalized impact score
is calculated as:
IS = PF × (σ + Range + MD).
2) Forming Subgraph and Subgraph Scanning: After cal-
culating the normalized impact score, the next step is to select
the top WMUs based on the scores. Several WMUs detect
specific cyber attacks as their system-level impact is higher. A
cyber attack would be seen by multiple WMUs, and a trans-
former tap change or a load change would be sensed locally
by WMUs at those buses, at adjacent buses, or WMUs placed
close to the cyber attack bus in terms of electrical distance.
The process of the subgraph scanning and cyber attack
localization are explained in Algorithm 2. It takes the cluster-
ing result matrix and cyber attack detection result as the inputs.
Authorized licensed use limited to: Chiba University. Downloaded on April 10,2025 at 05:54:56 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON SMART GRID, VOL. 13, NO. 3, MAY 2022
Algorithm 2 Subgraph Scanning and Localization
Input clustering result matrix, cyber attack detection result.
Output Subgraph, Cyber Attack location
1: From the proposed spectral clustering result, select the
cluster which comprises the cyber attack nodes based on
the detection result.
2: Subgraph = selected cluster
3: Compute the Normalized Impact Score [Eq. (9)] for each
element in subgraph.
5: if Cyber attack location is not on the WMU bus then
Pick the WMU with 2nd highest IS
7: CyberAttackLocation is in between the 1st highest IS
WMU and 2nd highest IS WMU
return SubGraph, CyberAttackLocation
TABLE I
D ETAILS A BOUT FDI ATTACKS T OWARDS THE P OWER G RID
(6)
From the cyber attack detection result, the cluster including the
(7) cyber attack nodes will be selected. Then, the normalized IS
score of each element in the selected cluster will be calculated.
Depending on if the cyber attack location is on the WMU bus
or not, the output cyber attack location will be the node with
the highest IS score or between the first highest IS score node
and the second highest IS score node.
IV. E XPERIMENT
Our design is designed for the cyber attacks towards active
demonstrated with DERs in the study cases.
A. Simulation Setup
First, an IEEE 37-node distributed grid is built in OPAL-
RT. Based on the power grid topology, two PV farms and a
VSI based DER are connected to the grid shown in Fig. 3.
The smart grid system is connected to the main power grid
via node 799, so node 799 can be viewed as a voltage source.
The PV farm I (node 727) has a power generation of 390kW;
PV farm II (node 710) has a power generation of 120kW; The
(9)
DER (node 744) has a power generation of 130kW.
The FDI attacks modeled in Section II are implemented in
PV farms and DER. Three FDI attacks, which are shown in
Table I, are designed for compromising the converter controller
of different DERs. In addition, an FDI induced three-phase
short circuit fault is also simulated to verify the algorithm
feasibility.
Using the OSP method [35], the sensor placement results
in the IEEE 37-node distribution network model are obtained
(Fig. 3), where 14 waveform sensors should be placed at
the corresponding nodes to make the system numerically
observable. Therefore, we collect 98 (7 × 14) dimension
LI et al.: ADAPTIVE HIERARCHICAL CYBER ATTACK DETECTION AND LOCALIZATION IN ACTIVE DISTRIBUTION SYSTEMS
Fig. 3. A smart grid example with solar farms, which is based on the IEEE
37 node model. And the sensor locations from OSP are indicated by the black
filled circles.
Fig. 4. Current waveform examples captured by WMU sensors: (a) Node
744 under normal case; (b) Node 744 under cyber attack; (c) Node 744 when
node 706 is under cyber attack; (d) Node 733 when node 710 is under cyber
attack.
streaming data, where 3 phase currents, 3 phase voltages, and
1d time stamp are included. To fully observe the power system
behaviors, including both normal and abnormal activities, we
simulated one (1) minute long data. Because of the 10000 Hz
sampling frequency, the data length is 600001, resulting in a
data measurement matrix 98×600001 for each case. Thus, effi-
cient data analysis is required to process the extensive amount
of data. Figs. 4 and 5 show the examples of the WMU current
and voltage data samples in different cases, respectively.
B. Cyber Attack Detection
As described in Section III-A, our previous MLSTM model
is adopted to implement real-time cyber attack detection. We
also compare it with linear regression, CUSUM [38], and
DBSCAN [39]. The comparison results are shown in Table II.
In a quantitative data-driven experiment evaluation, there are
four important metrics: true positives (TP), true negatives
(TN), false positives (FP), and false negatives (FN). TP denotes
the rate of actual attack correctly predicted as an attack, TN
Authorized licensed use limited to: Chiba University. Downloaded on April 10,2025 at 05:54:56 UTC from IEEE Xplore. Restrictions apply.
2373
Fig. 5. Corresponding voltage waveforms to the current waveforms shown
in Fig. 4 captured by WMU sensors. Note that the waveform distortions are
more obvious in the current waveforms.
TABLE II
P ERFORMANCE OF D IFFERENT D ETECTORS
denotes the rate of actual normal correctly predicted as normal,
FP denotes the rate of actual attack is incorrectly predicted
as normal, FN denotes the rate of actual normal incorrectly
predicted as normal. Precision (Precision = TP/(TP + FP))
and recall (Recall = TP/(TP + FN)) are used to evalu-
ate the model’s performance in a more comprehensive way.
Precision shows what proportion of positive identifications
was actually correct, which quantifies the number of posi-
tive class predictions that actually belong to the positive class.
Recall tells what proportion of actual positives was identi-
fied correctly, which quantifies the number of positive class
predictions made out of all positive examples in the dataset. By
combining both Precision and Recall, we could have a more
accurate understanding of our model’s performance, especially
when dealing with an unbalanced dataset.
C. Active Distribution System Partition Results
To compare, we applied both the traditional spectral clus-
tering algorithm and the modified spectral clustering defined
in Algorithm 1 to implement the grid partitioning. We demon-
strate the power grid partitioning result based on the traditional
spectral clustering method in Fig. 6, and the result based on
the proposed method in Fig. 7. Our proposed method brings
in a more condensed and connected clustering result, making
more sense in the sub-region partitioning.
Two cases are discussed here. The first case is that a cyber
attack towards the PV farm inverter (node 727) happens.
Figs. 8 and 9 show the network partitioning results based on
the traditional spectral clustering and the proposed modified
spectral clustering method, respectively. Although most nodes
have the same clustering results, some nodes are showing
different output labels, such as nodes 702 and 732. The clus-
tering results in Fig. 8 has some problems, such as node 742,
2374
Fig. 6. Power grid partitioning result based on the traditional spectral cluster-
ing method in the IEEE 37-node model. Clustered grid nodes are in different
colors.
Fig. 7. Power grid partitioning result based on the modified spectral clustering
method in the IEEE 37-node model. Clustered grid nodes are in different
colors.
which should belong to the same cluster as nodes 705 and 702
because they were clustered together in the normal case shown
in Fig. 7 and the cyber attack does not happen near this sub-
region. The second case is that an FDI induced three-phase
ground fault (short circuit) at node 706.
Fig. 10 demonstrates the dynamic grid partitioning via tradi-
tional spectral clustering, while the proposed modified spectral
clustering result is shown in Fig. 11. Intuitively speaking, the
modified spectral clustering generates a better result, as the
nodes belonging to the same clusters are also geographically
located in the same sub-regions. In contrast, some node
clustering results in Fig. 10 do not entirely make sense.
To quantitatively analyze the grid partitioning results, we
employ the Silhouette score [40] as the index to evalu-
ate the performance of the clustering results. In general, a
higher Silhouette value indicates a closer electrical connection
Authorized licensed use limited to: Chiba University. Downloaded on April 10,2025 at 05:54:56 UTC from IEEE Xplore. Restrictions apply.
IEEE TRANSACTIONS ON SMART GRID, VOL. 13, NO. 3, MAY 2022
Fig. 8. Network partitioning result based on the traditional spectral clustering
when a FDI attack occurs at node 727.
Fig. 9. Network partitioning result based on the proposed clustering method
when a FDI attack occurs at node 727.
inside the sub-region and a looser connection among various
sub-regions. The results of the average Silhouette scores of
three different clustering methods in two cases are shown in
Table III.
We can observe that in both cases, the average Silhouette
scores of the proposed modified spectral clustering results
are generally higher than the other ways. A higher average
Silhouette score indicates that our proposed approach obtains
a superior supervised clustering result in terms of the correla-
tion or inner distance. Thus, in both qualitative and quantitative
analysis, our proposed approach achieves better results.
D. Cyber Attack Location in the Sub-Regions
After clustering nodes into different groups, a more accurate
cyber attack location should be estimated. To confirm the cyber
attack location, our proposed subgraph scanning and local-
ization algorithm is conducted, whose detail is explained in
LI et al.: ADAPTIVE HIERARCHICAL CYBER ATTACK DETECTION AND LOCALIZATION IN ACTIVE DISTRIBUTION SYSTEMS
Fig. 10. Network partitioning result based on the traditional spectral
clustering when a FDI attack occurs at node 706.
TABLE III
S ILHOUETTE S CORE TABLE FOR IEEE 37-N ODE M ODEL
Fig. 11. Network partitioning result based on the proposed modified spectral
clustering when a FDI attack occurs at node 706.
Algorithm 2. The statistical IS (impact score) of every poten-
tial cyber attack location would be calculated, and the node
getting highest IS score would be considered as the cyber
attack location or the place nearest to the cyber attack loca-
tion. Taking the FDI attack case at node 727 (Fig. 9) and fault
case at node 706 (Fig. 11) as the examples, we calculate the
IS score to determine the cyber attack location.
Authorized licensed use limited to: Chiba University. Downloaded on April 10,2025 at 05:54:56 UTC from IEEE Xplore. Restrictions apply.
2375
Fig. 12. IS scores for attack on node 727: (a) the whole topology and (b) the
subgraph. In both figures, node 727 obviously has the highest IS.
Fig. 13. Sub-regions (a) with the cyber attack and (b) without the cyber
attack in Fig. 11.
For the FDI attack case, combined with detection result and
clustering results, we located the target locations to node 709,
744, 727 as shown Fig. 9. There IS results are shown in the
right-side figure in Fig. 12, which shows that node 727’s IS is
the highest when the attack is happening, indicating the cyber
attack should be located in there, and it is actually correct. The
left figure shows the IS scores for all the nodes in our power
network. Among all the nodes, the node 727’s IS is still the
highest. It could capture some global topology information
but not exactly. Moreover, calculating global IS would cost
much more time than just calculating the nodes in the
sub-graph.
For the cyber attack case at node 706, combined with
detection result and clustering results, we located the target
locations to node 707, 714, 725 as shown Fig. 11. Fig. 13
shows two sub-regions with cyber attack (Fig. 13(a)) and
without cyber attack (Fig. 13(b)).
2376 IEEE TRANSACTIONS ON SMART GRID, VOL. 13, NO. 3, MAY 2022

Fig. 14. (a) IS score for FDI induced three phase short circuit fault on
node 706. (b) zoom in version of (a). From both figures, node 725 obviously
has the highest IS, which is nearest to the cyber attack location.
Fig. 15. NS score results: (a) FDI attack case and (b) FDI attack induced
fault case.

Their IS results are shown in Fig. 14. It shows that node TABLE IV
725’s IS is the highest when the fault is happening, but in P ERFORMANCE W ITH D IFFERENT L EVELS OF G AUSSIAN W HITE
this case, it’s not the same node; otherwise, the difference N OISE (C YBER ATTACK ON THE N ODE 744)
between each node should be more significant.Therefore, the
cyber attack location should be node 706, which is correct.
We evaluate our localization performance by comparing
with the NS (Normalized Score) in the reference [41], which
is calculated to locate the cyber attack location in the network
using micro-PMU data. Fig. 15 shows the NS results for the
nodes of the subgraph in both FDI attack cases. From the fig-
ure, we can see that the NS score works well in the ground TABLE V
P ERFORMANCE W ITH D IFFERENT L EVELS OF L APLACE
fault case. However, for the attack on node 727, the result N OISE (C YBER ATTACK ON THE N ODE 744)
leads us to the wrong location. The NS scores of Node 744
and 727 are higher than the cyber attack location node 725,
and they are not distinguishable, which means ours IS score
is more robust in terms of the waveform data.

E. Robustness and Sensitivity Analysis

To investigate the robustness and sensitivity of the proposed
method against various measurement noises, we add white
Gaussian noise to the signal with different Signal Noise Ratios
(SNRs). Table IV shows the result of an attack on node 744.
To get the detection accuracy and Silhouette score in the table,
we conduct 20 times experiments with random noise and cal-
culate the average. For the localization accuracy, we only take
account when the subgraph is correctly located. Then calcu-
late the average of 20 times experiments. From the result,
our proposed method has great robustness against noise, even
doing good when SNR is 5 dB. When SNR equals 0 dB,
the signal is submerged by the noise. Since the measurement
Authorized licensed use limited to: Chiba University. Downloaded on April 10,2025 at 05:54:56 UTC from IEEE Xplore. Restrictions apply.
noise may not follow Gaussian distribution, we also consid-
ered adding Laplace noise (μ = 0 and b = 1) to the signal.
Compared with normal distribution, the Laplace distribution
has more flatten or long tails data, which means it has big-
ger variance. The result is shown in Table V. From the result,
we can tell there is no significant difference between Laplace
noise and Gaussian noise. Both of them perform well until
the signal is almost overwhelmed by noise. It shows that our
method captures the characteristics of the sequential data as a
whole, which makes it of good robustness.
LI et al.: ADAPTIVE HIERARCHICAL CYBER ATTACK DETECTION AND LOCALIZATION IN ACTIVE DISTRIBUTION SYSTEMS
Fig. 16. IEEE 123-bus distribution system. The WMU sensors are marked
in yellow.
TABLE VI
WMU S ENSORS IN IEEE 123-BUS S YSTEM
Fig. 17. Power grid partitioning result based on the proposed spectral cluster-
ing method in the IEEE 123-bus model. Clustered grid nodes are in different
colors.
F. Performance in a Larger-Scale System
To show the scalability of the proposed method, we test
the proposed method on the widely used IEEE 123-bus distri-
bution system (Fig. 16), which contains the distribution lines
and loads in single-phase, two-phase, and three-phase [42]. To
guarantee the observability, WMU sensors are installed on 51
buses which is 41.5% of the total amount (details can be found
in Table VI).
Following the same setup of the previous IEEE 37-node
distributed grid experiment, the IEEE 123-bus system is built
in OPAL-RT as well. Three FDI attacks against DER1 and
DER2 have been modeled. Figs. 17 and 18 illustrate the par-
tition results when an FDI-induced three-phase ground short
circuit fault happens for traditional spectral clustering and our
proposed method, respectively. The quantitative results for all
Authorized licensed use limited to: Chiba University. Downloaded on April 10,2025 at 05:54:56 UTC from IEEE Xplore. Restrictions apply.
2377
Fig. 18. Power grid partitioning result based on the traditional spectral
clustering method in the IEEE 123-bus model. Clustered grid nodes are in
different colors.
TABLE VII
S ILHOUETTE S CORE TABLE FOR IEEE 123-B US M ODEL
cases are shown in Table VII. The proposed approach not only
works in this larger grid, but also generates superior results
compared to other methods.
G. Approach Feasibility Discussion
The voltage and current waveform measurements in our
study are provided by WMUs (Section III-A). Such emerg-
ing sensors are well-suited to study transient events in power
distribution systems [43]. Till now, WMU has been adopted in
a few applications, such as harmonic addition and cancellation
in transformers [8], sub-synchronous resonance analysis [12],
and power quality event localization [44]. Typically, a WMU
can report 256 readings per cycle [45]. To support synchro-
nized measurements at a such high rate, WMUs have a time
accuracy of 1 μ second [45]. In our IEEE 123-bus study case,
the sampling rate is 5000 Hz, namely around 83 readings per
cycle, which means the measurement provided by a typical
WMU is more than enough to locate nodes under attack.
V. C ONCLUSION
In this paper, we proposed an adaptive hierarchical cyber
attack localization approach for active distribution systems.
Electric waveform signals obtained by WMU sensors are used
to capture the abnormal features, which would be otherwise
ignored. To improve the efficiency, we propose a modified
spectral clustering method to first partition the whole large
network into smaller ‘coarse’ sub-regions. Next, the accurate
2378 IEEE TRANSACTIONS ON SMART GRID, VOL. 13, NO. 3, MAY 2022

‘fine’ cyber attack location can be determined by calculating

and analyzing Impact Score of each sensor in the potential
sub-region. Furthermore, we compare our method with other
methods in each step in cyber attack detection, sub-graph clus-
tering, and localization, respectively. The results from two
representative distribution grids show that our method shows
promising performances.

A PPENDIX
M ODELING D ISTRIBUTED E NERGY R ESOURCES Fig. A.1. Voltage source inverter (VSI) DER model.
With more and more DERs integrated into power system,
a growing number of security problems are being exposed
constantly. Also, the cyber-phyiscal security becomes prior- As shown in Fig. A.1, a DER model based on voltage source
ity especially considering the evolution of smart inverters in inverter is built. DC capacitor voltage represents the renewable
DERs. Here, FDI attacks on PV converter and voltage source energy, e.g., wind turbine, battery, etc. The droop control loop
inverter are modeled. is constructed in the controller, which can be expressed as,
ω = ωn − mp P,
A. Two-Stage Two-Level PV Converter Model 
As shown in the Fig. 2, two-stage PV converters are θ = ωn t − mp Pdt,
constructed. The first stage includes PV array and DC/DC v∗d = Vn − nq Q, v∗q = 0, (A.3)
converter. The PV array voltage Upv and current Ipv are the
input of DC/DC controller. The MPPT algorithm is applied in where ωn is the rated frequency, mp is active power droop
DC/DC controller so that PV array generates maximum power coefficient, nq is active power droop coefficient, P and Q are
to inverter. And the second stage comprises DC/AC inverter power reference. Also, the voltage and current control loop is
and LCL filter. In the DC/AC controller, voltage control loop modeled in the controller. Both of two control loop is achieved
is used to maintain DC link voltage and generate the current with a standard PI controller. The current control loop in the
∗ for the current control loop. The reactive power
reference Ifd VSI is same as in the PV converter. Thus, the model of voltage
control loop is built in the controller and determines the Ifq . control loop is only introduced as follow,
The current loop can be expressed as, ∗ −U

∗ ∗
 kiv Ucd cd
∗ −I Ifd = kpv Ucd − Ucd + − ωCf Ucq ,
ki Ifd fd s 
∗ ∗
Uid = kp Ifd − Ifd + − ωLf Ifq , ∗ −U
 kiv Ucd cd
s ∗ ∗
Ifq = kpv Ucd − Ucd + + ωCf Ucd , (A.4)
∗ s
ki Ifd − Ifd
∗ ∗ ∗
Uiq = kp Ifd − Ifd + + ωLf Ifd , (A.1) where, Ifd,q is current reference for current control loop, and
s Cf is the capacitor in LCL filter, kpv , kiv are the PI parameters,
where, Ifd,q is inverter side current in the LCL filter, and Lf is ∗
Ucd,q is voltage reference for voltage control loop, Ucd,q is the
∗
the inductance in LCL filter, kp , ki are the PI parameters, Uid,q capacitor voltage in d,q framework.
is the control signal to PWM. The inverter and LCL filter can
be modeled as follow,
R EFERENCES
1
I˙fd = (Uid − Ucd ) + ωIfq , [1] I. Džafić, R. A. Jabr, S. Henselmeyer, and T. Ðonlagić, “Fault location in
Lf distribution networks through graph marking,” IEEE Trans. Smart Grid,
1  vol. 9, no. 2, pp. 1345–1353, Mar. 2018.
I˙fq = Uiq − Ucq − ωIfd , [2] R. Bhargav, B. R. Bhalja, and C. P. Gupta, “Novel fault detection and
Lf localization algorithm for low-voltage DC microgrid,” IEEE Trans. Ind.
1  Informat., vol. 16, no. 7, pp. 4498–4511, Jul. 2020.
U˙cd = Ifd − Igd + ωUcq , [3] G. Wu, G. Wang, J. Sun, and J. Chen, “Optimal partial feedback attacks
Cf in cyber-physical power systems,” IEEE Trans. Autom. Control, vol. 65,
1  no. 9, pp. 3919–3926, Sep. 2020.
U˙cq = Ifq − Igq − ωUcd , [4] F. Li, Y. Shi, A. Shinde, J. Ye, and W.-Z. Song, “Enhanced cyber-
Cf physical security in Internet of Things through energy auditing,” IEEE
1  Internet Things J., vol. 6, no. 3, pp. 5224–5231, Jun. 2019.
˙ =
Igd Ucd − Ugd + ωIgq , [5] A. J. Wilson, D. R. Reising, R. W. Hay, R. C. Johnson, A. A. Karrar,
Lg and T. D. Loveless, “Automated identification of electrical disturbance
1  waveforms within an operational smart power grid,” IEEE Trans. Smart
˙ =
Igq Ucq − Ugq − ωIgd . (A.2) Grid, vol. 11, no. 5, pp. 4380–4389, Sep. 2020.
Lg [6] P. Dutta, A. Esmaeilian, and M. Kezunovic, “Transmission-line fault
analysis using synchronized sampling,” IEEE Trans. Power Del., vol. 29,
no. 2, pp. 942–950, Apr. 2014.
B. Model of DER Based on Voltage Source Inverter (VSI) [7] I. Sadeghkhani, M. E. H. Golshan, A. Mehrizi-Sani, J. M. Guerrero,
and A. Ketabi, “Transient monitoring function–based fault detection for
Besides the PV farm, some DERs do not only offer power inverter-interfaced microgrids,” IEEE Trans. Smart Grid, vol. 9, no. 3,
to the grid but also maintain stability of frequency and voltage. pp. 2097–2107, May 2018.

Authorized licensed use limited to: Chiba University. Downloaded on April 10,2025 at 05:54:56 UTC from IEEE Xplore. Restrictions apply.
LI et al.: ADAPTIVE HIERARCHICAL CYBER ATTACK DETECTION AND LOCALIZATION IN ACTIVE DISTRIBUTION SYSTEMS
[8] A. F. Bastos, S. Santoso, W. Freitas, and W. Xu, “SynchroWaveform
measurement units and applications,” in Proc. IEEE Power Energy Soc.
Gen. Meeting (PESGM), Atlanta, GA, USA, 2019, pp. 1–5.
[9] (Schweitzer Eng. Lab., Pullman, WA, USA). SEL-T400L Time
Domain Line Protection. Accessed: Jul. 31, 2020. [Online]. Available:
https://selinc.com/ products/T400L/
[10] (Candura Instrum., Oakville, ON, Canada). iPSR Intelligent Power
System Recorder. Accessed: Jul. 31, 2020. [Online]. Available:
https://www.candura.com/products/ipsr.html
[11] D. Borkowski, A. Wetula, and A. Bień, “Contactless measurement of
substation busbars voltages and waveforms reconstruction using electric
field sensors and artificial neural network,” IEEE Trans. Smart Grid,
vol. 6, no. 3, pp. 1560–1569, May 2015.
[12] B. Gao, R. Torquato, W. Xu, and W. Freitas, “Waveform-based method
for fast and accurate identification of subsynchronous resonance events,”
IEEE Trans. Power Syst., vol. 34, no. 5, pp. 3626–3636, Sep. 2019.
[13] F. Li et al., “Online distributed IoT security monitoring with
multidimensional streaming big data,” IEEE Internet Things J., vol. 7,
no. 5, pp. 4387–4394, May 2020.
[14] F. Li, A. Shinde, Y. Shi, J. Ye, X.-Y. Li, and W.-Z. Song, “System
statistics learning-based IoT security: Feasibility and suitability,” IEEE
Internet Things J., vol. 6, no. 4, pp. 6396–6403, Aug. 2019.
[15] F. Li et al., “Detection and diagnosis of data integrity attacks in solar
farms based on multilayer long short-term memory network,” IEEE
Trans. Power Electron., vol. 36, no. 3, pp. 2495–2498, Mar. 2021.
[16] A. Wang and J. Shi, “Holistic modeling and analysis of multistage
manufacturing processes with sparse effective inputs and mixed profile
outputs,” IISE Trans., vol. 53, no. 5, pp. 582–596, 2021.
[17] J. Ye et al., “Cyber–physical security of powertrain systems in modern
electric vehicles: Vulnerabilities, challenges, and future visions,” IEEE
J. Emerg. Sel. Topics Power Electron., vol. 9, no. 4, pp. 4639–4657,
Aug. 2021.
[18] F. Li et al., “Detection and identification of cyber and physical
attacks on distribution power grids with PVs: An online high-
dimensional data-driven approach,” IEEE J. Emerg. Sel. Topics
Power Electron., vol. 10, no. 1, pp. 1282–1291, Feb. 2022,
[Online]. Available: https://ieeexplore.ieee.org/document/8847621,
doi: 10.1109/JESTPE.2019.2943449.
[19] J. Zhang, S. Sahoo, J. C.-H. Peng, and F. G. Blaabjerg, “Mitigating
concurrent false data injection attacks in cooperative dc microgrids,”
IEEE Trans. Power Electron., vol. 36, no. 8, pp. 9637–9647, Aug. 2021.
[20] M. P. Tcheou et al., “The compression of electric signal waveforms for
smart grids: State of the art and future trends,” IEEE Trans. Smart Grid,
vol. 5, no. 1, pp. 291–302, Jan. 2014.
[21] Y.-C. Chang and T.-C. Huang, “An interactive smart grid communi-
cation approach for big data traffic,” Comput. Electr. Eng., vol. 67,
pp. 170–181, Apr. 2018.
[22] H. Maaß et al., “Data processing of high-rate low-voltage dis-
tribution grid recordings for smart grid monitoring and analysis,”
EURASIP J. Adv. Signal Process., p. 14, 2015. [Online]. Available:
https://doi.org/10.1186/s13634-015-0203-4
[23] X. Liang, S. A. Wallace, and D. Nguyen, “Rule-based data-driven analyt-
ics for wide-area fault detection using synchrophasor data,” IEEE Trans.
Ind. Appl., vol. 53, no. 3, pp. 1789–1798, May/Jun. 2017.
[24] B. Wang, H. Wang, L. Zhang, D. Zhu, D. Lin, and S. Wan, “A
data-driven method to detect and localize the single-phase grounding
fault in distribution network based on synchronized phasor measure-
ment,” EURASIP J. Wireless Commun. Netw., pp. 1–13, 2019. [Online].
Available: https://doi.org/10.1186/s13638-019-1521-2
[25] I. Niazazari and H. Livani, “A PMU-data-driven disruptive event clas-
sification in distribution systems,” Electr. Power Syst. Res., vol. 157,
pp. 251–260, Apr. 2018.
[26] I. Niazazari, R. J. Hamidi, H. Livani, and R. Arghandeh, “Cause
identification of electromagnetic transient events using spatiotemporal
feature learning,” Int. J. Electr. Power Energy Syst., vol. 123, Dec. 2020,
Art. no. 106255.
[27] S. F. Zarei, H. Mokhtari, and F. Blaabjerg, “Fault detection and pro-
tection strategy for islanded inverter-based microgrids,” IEEE J. Emerg.
Sel. Topics Power Electron., vol. 9, no. 1, pp. 472–484, Feb. 2021.
[28] Y. He, G. J. Mendis, and J. Wei, “Real-time detection of false data injec-
tion attacks in smart grid: A deep learning-based intelligent mechanism,”
IEEE Trans. Smart Grid, vol. 8, no. 5, pp. 2505–2516, Sep. 2017.
[29] S. Wang, S. Bi, and Y.-J. A. Zhang, “Locational detection of the
false data injection attack in a smart grid: A multilabel classifica-
tion approach,” IEEE Internet Things J., vol. 7, no. 9, pp. 8218–8227,
Sep. 2020.
Authorized licensed use limited to: Chiba University. Downloaded on April 10,2025 at 05:54:56 UTC from IEEE Xplore. Restrictions apply.
2379
[30] B. M. R. Amin, S. Taghizadeh, M. S. Rahman, M. J. Hossain,
V. Varadharajan, and Z. Chen, “Cyber attacks in smart grid–dynamic
impacts, analyses and recommendations,” IET Cyber-Phys. Syst. Theory
Appl., vol. 5, no. 4, pp. 321–329, 2020.
[31] M. Stănculescu, S. Deleanu, P. C. Andrei, and H. Andrei, “A case study
of an industrial power plant under cyberattack: Simulation and analysis,”
Energies, vol. 14, no. 9, p. 2568, 2021.
[32] P. Zhuang, R. Deng, and H. Liang, “False data injection attacks
against state estimation in multiphase and unbalanced smart distribu-
tion systems,” IEEE Trans. Smart Grid, vol. 10, no. 6, pp. 6000–6013,
Nov. 2019.
[33] R. Deng, P. Zhuang, and H. Liang, “False data injection attacks against
state estimation in power distribution systems,” IEEE Trans. Smart Grid,
vol. 10, no. 3, pp. 2871–2881, May 2018.
[34] M. Liu, C. Zhao, Z. Zhang, R. Deng, and P. Cheng, “Analysis of moving
target defense in unbalanced and multiphase distribution systems con-
sidering voltage stability,” in Proc. IEEE Int. Conf. Commun. Control
Comput. Technol. Smart Grids (SmartGridComm), Aachen, Germany,
2021, pp. 207–213.
[35] M. Jamei et al., “Phasor measurement units optimal placement and
performance limits for fault localization,” IEEE J. Sel. Areas Commun.,
vol. 38, no. 1, pp. 180–192, Jan. 2020.
[36] J. Shi and J. Malik, “Normalized cuts and image segmentation,”
IEEE Trans. Pattern Anal. Mach. Intell., vol. 22, no. 8, pp. 888–905,
Aug. 2000.
[37] U. Von Luxburg, “A tutorial on spectral clustering,” Stat. Comput.,
vol. 17, no. 4, pp. 395–416, 2007.
[38] J. D. Healy, “A note on multivariate CUSUM procedures,”
Technometrics, vol. 29, no. 4, pp. 409–412, 1987.
[39] E. Schubert, J. Sander, M. Ester, H. P. Kriegel, and X. Xu, “DBSCAN
revisited, revisited: Why and how you should (still) use DBSCAN,”
ACM Trans. Database Syst., vol. 42, no. 3, pp. 1–21, 2017.
[40] R. Xu and D. Wunsch, “Survey of clustering algorithms,” IEEE Trans.
Neural Netw., vol. 16, no. 3, pp. 645–678, May 2005.
[41] S. Pandey, A. K. Srivastava, and B. G. Amidan, “A real time event detec-
tion, classification and localization using synchrophasor data,” IEEE
Trans. Power Syst., vol. 35, no. 6, pp. 4421–4431, Nov. 2020.
[42] H. Jiang and Y. Zhang, “Short-term distribution system state forecast
based on optimal synchrophasor sensor placement and extreme learning
machine,” in Proc. IEEE Power Energy Soc. Gen. Meeting (PESGM),
Boston, MA, USA, 2016, pp. 1–5.
[43] M. Izadi and H. Mohsenian-Rad, “Synchronous waveform measure-
ments to locate transient events and incipient faults in power distribution
networks,” IEEE Trans. Smart Grid, vol. 12, no. 5, pp. 4295–4307,
Sep. 2021.
[44] M. Izadi and H. Mohsenian-Rad, “Event location identification in dis-
tribution networks using waveform measurement units,” in Proc. IEEE
PES Innov. Smart Grid Technol. Eur. (ISGT-Europe), 2020, pp. 924–928.
[45] “iPSRTM Intelligent Power System Recorder.” Candura Instruments.
[Online]. Available: https://www.candura.com/products/ipsr.html
(accessed Jul. 1, 2021).
Qi Li (Graduate Student Member, IEEE) received
the B.S. degree in optoelectric information science
and engineering from Chongqing University in 2014,
and the M.S. degree in computer engineering from
Chongqing University, Chongqing, China, in 2019.
He is currently pursuing the Ph.D. degree with the
University of Georgia, Athens, GA, USA, where he
is also a Research Assistant. His current research
focuses on cyber–physical systems and distributed
system.
Jinan Zhang (Graduate Student Member, IEEE)
received the B.S. degree from North China Electric
Power University in 2012, and the M.S. degree
in electrical engineering from Tianjin University,
Tianjin, China, in 2015. He is currently pursuing the
Ph.D. degree with the University of Georgia, Athens,
GA, USA, where he is also a Research Assistant. His
current research focuses on security and resilience in
power-electronics-based power systems.
2380 IEEE TRANSACTIONS ON SMART GRID, VOL. 13, NO. 3, MAY 2022

Junbo Zhao (Senior Member, IEEE) received the Wenzhan Song (Senior Member, IEEE) received the
Ph.D. degree from the Bradley Department of Ph.D. degree in computer science from the Illinois
Electrical and Computer Engineering, Virginia Tech Institute of Technology in 2005, the B.S. and M.S.
in 2018. He is an Assistant Professor with the degrees from the Nanjing University of Science
Department of Electrical and Computer Engineering, and Technology in 1997 and 1999, respectively. He
University of Connecticut. He was an Assistant is a Chair Professor of Electrical and Computer
Professor and a Research Assistant Professor with Engineering with the University of Georgia. His
Mississippi State University and Virginia Tech from research focuses on cyber-physical systems and their
2019 to 2021 and from 2018 to 2019, respec- applications in energy, environment, food, and health
tively. He did the summer internship with Pacific sectors. He received NSF CAREER award in 2010.
Northwest National Laboratory in 2017. He is the
Principal Investigator for a multitude of projects funded by the National
Science Foundation, the Department of Energy, National Laboratories, and
Eversource Energy. He has published three book chapters and more than
100 peer-reviewed journal and conference papers. His research interests are
cyber-physical power system modeling, monitoring, uncertainty quantifica-
tion, learning, dynamics, stability control, and cyber security with DERs. He
has been listed as the 2020 and 2021 World’s Top 2% Scientists released
by Stanford University in both Single-Year and Career tracks. He is the
receipt of the best paper awards of the 2020 and 2021 IEEE PES General
Meeting (3 papers), IEEE I&CPS Asia 2021, and the 2020 Journal of
Modern Power Systems and Clean Energy, Top 3 Associate Editor Award of
IEEE T RANSACTIONS S MART G RID in 2020, the 2020 IEEE PES Chapter
Outstanding Engineer Award, and the 2021 IEEE PES Chapter Outstanding
Volunteer Award. He is currently the Chair of the IEEE Task Force on Power
System Dynamic State and Parameter Estimation and IEEE Task Force on
Cyber–Physical Interdependency for Power System Operation and Control, the
Co-Chair of the IEEE Working Group on Power System Static and Dynamic
State Estimation, the Secretary of IEEE PES Bulk Power System Operation
Subcommittee and IEEE Task Force on Synchrophasor Applications in Power
System Operation and Control. He serves as an Associate Editor of IEEE
T RANSACTIONS ON P OWER S YSTEMS, IEEE T RANSACTIONS ON S MART
G RID, International Journal of Electrical Power & Energy Systems, the North
America Regional Editor of the IET Renewable Power Generation, and a
Subject Editor of IET Generation, Transmission & Distribution.

Jin Ye (Senior Member, IEEE) received the B.S. and

M.S. degrees in electrical engineering from Xi’an
Jiaotong University, Xi’an, China, in 2008 and 2011,
respectively, and the Ph.D. degree in electrical engi-
neering from McMaster University, Hamilton, ON,
Canada, in 2014.
She is currently an Assistant Professor of
Electrical Engineering and the Director of the
Intelligent Power Electronics and Electric Machines
Laboratory, University of Georgia, Athens, GA,
USA. Her current research interests include power
electronics, electric machines, energy management systems, smart grids,
electrified transportation, and cyber-physical systems. She is the General
Chair of 2019 IEEE Transportation Electrification Conference and Expo,
and the Publication Chair and Women in Engineering Chair of 2019
IEEE Energy Conversion Congress and Expo. She is an Associate
Editor for IEEE T RANSACTIONS ON P OWER E LECTRONICS, IEEE
O PEN J OURNAL OF P OWER E LECTRONICS, IEEE T RANSACTIONS ON
T RANSPORTATION E LECTRIFICATION, and IEEE T RANSACTIONS ON
V EHICULAR T ECHNOLOGY.
Fangyu Li (Member, IEEE) received the bache-
lor’s degree in electrical engineering from Tsinghua
University in 2009, the master’s degree in electri-
cal engineering from Beihang University in 2013,
and the Ph.D. degree in computational geophysics
from The University of Oklahoma in 2017. From
2017 to 2020, he was a Postdoctoral Fellow with
the College of Engineering, University of Georgia.
From 2020 to 2021, he was an Assistant Professor
with the Department of Electrical and Computer
Engineering, Kennesaw State University. He is cur-
rently a Full Professor and a Ph.D. Supervisor with the Faculty of Information
Technology, Beijing University of Technology. His research interests include
complex signal processing, machine learning, deep learning, distributed com-
puting, complex system modeling and monitoring, Internet of Things, and
cyber–physical systems.

Authorized licensed use limited to: Chiba University. Downloaded on April 10,2025 at 05:54:56 UTC from IEEE Xplore. Restrictions apply.