Auxiliary Network-Enabled Attack Detection and Resilient Control of Islanded AC Microgrid

Vaibhav Vaishnav, , Anoop Jain, , and Dushyant Sharma V. Vaishnav and A. Jain are with the Department of Electrical Engineering, Indian Institute of Technology Jodhpur 342030, India (e-mail: vaishnav.2@iitj.ac.in; anoopj@iitj.ac.in). D. Sharma is with Department of Electrical Engineering, Indian Institute of Technology (Indian School of Mines) Dhanbad 826004, India (e-mail: dushyant@iitism.ac.in).

Abstract

This paper proposes a cyber-resilient distributed control strategy equipped with attack detection capabilities for islanded AC microgrids in the presence of bounded stealthy cyber attacks affecting both frequency and power information exchanged among neighboring distributed generators (DGs). The proposed control methodology relies on the construction of an auxiliary layer and the establishment of effective inter-layer cooperation between the actual DGs in the control layer and the virtual DGs in the auxiliary layer. This cooperation aims to achieve robust frequency restoration and proportional active power-sharing. It is shown that the in situ presence of a concealed auxiliary layer not only guarantees resilience against stealthy bounded attacks on both frequency and power-sharing but also facilitates a network-enabled attack identification mechanism. The paper provides rigorous proof of the stability of the closed-loop system and derives bounds for frequency and power deviations under attack conditions, offering insights into the impact of the attack signal, control and pinning gains, and network connectivity on the system’s convergence properties. The performance of the proposed controllers is illustrated by simulating a networked islanded AC microgrid in a Simulink environment showcasing both attributes of attack resilience and attack detection.

Index Terms:

AC microgrids, cyber-security, network-enabled attack detection, resilient control, stealthy attacks.

I Introduction

Distributed control has been the most widely adopted strategy over the past decade to exercise frequency and voltage control of islanded AC microgrids [1]. The cooperation among the DGs in a microgrid relies on local information exchange over a sparse communication network, which is vulnerable to cyber attacks [2]. Such attacks, commonly known as false data injection (FDI) attacks, jeopardize the integrity of information transmitted across communication channels and have garnered significant attention in resilient microgrid control [3]. A trust factor-based control regime was proposed in [4] to synchronize the frequencies of DGs under attack, by real-time monitoring of a confidence factor associated with all the neighboring DGs. Wang et al.[5] proposed cyber-resilient adaptive controllers for frequency and voltage restoration with active/reactive power-sharing in networked AC/DC microgrids. These controllers utilize time-varying adaptive gains based on frequency, voltage, and power errors. An auxiliary state was introduced in [6] to make conventional distributed frequency consensus protocol cyber resilient and maintain frequency synchronization and proportional active power-sharing. Recently, [7] proposed attack magnitude-dependent time-variant communication weights, to implement an adaptive frequency regulation strategy using the most optimal communication channels in the presence of multiple link attacks.

Apart from incorporating cyber resilience in the control framework, topology switching induced by different types of attack detection techniques has been the other counterpart of attack mitigation strategies in microgrid control. These techniques can be further classified into (a) system-based [8, 9, 10] and (b) data-based approaches [11, 12], where the states of system under consideration are continuously estimated using an observer in (a), while historical training data is used for attack detection for redundancy in (b). To the best of the authors’ knowledge, the concepts of attack resilience and attack detection have often been addressed separately in the microgrid control literature. Therefore, designing a suitable distributed control framework together with resilience and detection capabilities is a crucial research direction for ensuring the safety and security of microgrid control.

In recent times, cyber adversaries have evolved to employ increasingly sophisticated and deceptive stealthy attacks [13] that might be challenging to ascertain using novel detection strategies like [8, 9, 10, 11, 12]. Equipped with the complete knowledge of dynamics and control architecture of the system, the attacks are now specifically designed as bounded intermittent disturbances with state-dependent linear/nonlinear dynamics [13, 14] which can easily deceive state observers and showcase zero neighborhood error, even when the neighboring DGs are out of synchronization [15]. In view of such bounded stealthy attacks, a virtual hidden layer-based cyber resilient framework was proposed in [16] for distributed control of networked systems. Motivated by [16], in this paper, we propose auxiliary virtual network-enabled distributed resilient control for frequency synchronization and proportional active power-sharing among a group of inverter-based DGs.

Distributed controllers adopting the aforementioned idea of the virtual layer have been previously developed in [17, 18, 19, 20], addressing the problem of frequency synchronization in microgrids. However, these works do not emphasize the need for a dedicated power controller that can provide resilience against any possible attack on power-sharing between neighboring DGs. The distributed secondary controllers in [17, 18, 19, 20] are devised to provide a frequency set point to the droop-based primary control which depends on the inherent linear relationship between frequency and active power [21]. However, any FDI attack affecting the sharing of active power can significantly hamper system frequency and lead to deviations in power demand beyond the rated values of the respective DGs. Therefore, a resilient power controller is obligatory for preserving the resilience of the frequency controller against cyber attacks. Motivated by this fact, in this paper, we design resilient frequency and power controllers capable of functioning in the presence of simultaneous attacks on both frequency and active power within a microgrid.

It is also evident to mention that the stability under proposed controllers in [16, 17, 19, 20] is leveraged by assumptions on the magnitude of resilient control gain and inclusion of attack vector in the Lyapunov candidate function. However, considering that a cyber attack is an external breach that is completely unknown to both the system and the control engineer, establishing the closed-loop stability of a cyber-resilient control system relying solely on the state dynamics of the system appears to be a more practical and mathematically viable approach. Further, the control architecture inclusive of an auxiliary layer hidden from the attacker provides an alternate safeguarded path for communication among neighboring DGs, thereby giving a provision to compare and detect any discrepancy in information being shared through the actual cyber layer. Leveraging this, we propose a straightforward test for detecting an attack, as compared to the works [17, 18, 19, 20]. In the light of above discussion, the major contributions of this paper can be summarized as follows:

i)

Relying on an auxiliary layer, we propose frequency and power-distributed controllers as leader-follower and leaderless resilient cooperative systems, respectively, for frequency regulation and proportional active power-sharing in an islanded AC microgrid, under the presence of FDI attacks affecting both frequency and power-sharing between the neighboring DGs. The FDI attacks are uniformly bounded and governed by the dynamics having finite $\mathcal{L}_{2}$ gain.
ii)

Due to the difference in the nature of cooperation and distributed consensus protocols, we provide separate stability analyses under frequency and power attacks and obtain analytical bounds characterizing the deviations of frequency and power from their steady-state value under no-attack conditions. It is shown that these bounds depend on the underlying network topology, the magnitude of the attack signals, pinning gain and a gain term decided by the control designer.
iii)

As a byproduct of auxiliary layer-based control design, we propose a network-enabled attack detection mechanism showcasing secured propagation of control variables between the cyber and auxiliary layer, thereby devising a detection test for surveillance of any possible attack in the cyber layer.

Additionally, an extensive simulation study is presented under the simultaneous presence of both cyber attacks and load perturbations. The remnant of this paper is arranged as follows: Section I commences with an introduction, summarizing mathematical preliminaries and a brief review of secondary droop control. Section II describes system architecture and attack model and formulates the problem. Section III proposes a resilient frequency controller and obtains various bounds characterizing the effect of attack and network connectivity on the steady-sate frequency error. The philosophy behind resilient power controllers is discussed under Section IV. Section V explains the auxiliary network-enabled attack identification scheme and proposes a generalized test for detecting the attacks. Lastly, Section VI presents simulation case studies, before concluding the paper in Section VII.

I-A Notations, Graph Theory, and Mathematical Preliminaries

Throughout the paper, $\mathbb{R}$ denotes the set of real numbers, and $\textbf{{0}}_{n}=[0,\ldots,0]^{T}\in\mathbb{R}^{n},\textbf{{1}}_{n}=[1,\ldots,% 1]^{T}\in\mathbb{R}^{n}$ . For $x=[x_{1},\ldots,x_{n}]^{T}\in\mathbb{R}^{n}$ , $\|x\|$ represents its Euclidean norm. The complex number is represented by $j_{c}=\sqrt{-1}$ . The symbol $\otimes$ denotes the Kronecker product of two matrices. $\lambda(M)$ represents an eigenvalue of any square matrix $M\in\mathbb{R}^{n\times n}$ , $M^{T}$ is its transpose and $\|M\|$ denotes its operator (or induced) 2-norm such that $\|M\|=\sqrt{\lambda_{\max}(M^{T}M)}$ , where $\lambda_{\max}$ is the maximum eigenvalue of the symmetric matrix $M^{T}M$ . Consider a network of $n$ DGs, described as an undirected graph $\mathcal{G}=(\mathcal{V},\mathcal{E})$ , with node set $\mathcal{V}=\{1,\ldots,n\}$ and edge set $\mathcal{E}\subset\mathcal{V}\times\mathcal{V}$ . The information flow between $i^{\text{th}}$ and $j^{\text{th}}$ nodes can be represented by an undirected edge $(i,j)\in\mathcal{E}\Leftrightarrow(j,i)\in\mathcal{E}$ . The set of neighbors of the $i^{\text{th}}$ node is denoted by $\mathcal{N}_{i}$ = $\{j:(i,j)\in\mathcal{E},j\neq i\}$ . The adjacency matrix of $\mathcal{G}$ is denoted by $\mathcal{A}$ = $[a_{ij}]\in\mathbb{R}^{n\times n}$ with $a_{ij}=1\Leftrightarrow(i,j)\in\mathcal{E}$ , else $a_{ij}=0$ . The Laplacian matrix of $\mathcal{G}$ is denoted by $L=[\ell_{ij}]\in\mathbb{R}^{n\times n}$ , where $\ell_{ii}=\mathcal{\sum}_{j\in\mathcal{N}_{i}}a_{ij}$ and $\ell_{ij}=-a_{ij}$ for $i\neq j$ . For an undirected and connected graph $\mathcal{G}$ , the eigenvalues of the Laplacian $L\in\mathbb{R}^{n\times n}$ can be arranged in the ascending order as $0=\lambda_{1}(L)\leq\lambda_{2}(L)\leq\cdots\leq\lambda_{n}(L)$ . The following lemmas will be useful in the subsequent analysis of this paper:

Lemma 1 ([22], [23]).

Let $\mathcal{G}$ be an undirected and connected graph with Laplacian $L\in\mathbb{R}^{n\times n}$ , and $B={\rm diag}\{b_{1},\ldots,b_{n}\}\in\mathbb{R}^{n\times n}$ be a diagonal matrix with diagonal entries $b_{i}>0,\forall i$ . Then, the matrix $L+B$ is positive-definite.

Lemma 2 ([24]).

Consider a uniformly bounded signal $\|p(t)\|\leq\Omega,\ \forall t\geq 0$ , where $\Omega$ is a positive constant. Then, for a Hurwitz matrix $Q$ , there exists a constant vector $\Psi$ and some finite-time $T$ such that following holds true for all $t\geq T$ :

\left\|\int_{0}^{t}{\rm e}^{Q(t-\tau)}p(\tau)d\tau\right\|\leq\left\|\int_{0}^% {t}{\rm e}^{Q(t-\tau)}\Psi d\tau\right\|.

I-B Distributed Secondary Droop Control

Droop control exploits the linear dependence of frequency on active power, causing the frequency of an inverter-based DG to droop with its output active power [25], according to the relation

\omega_{i}=\omega_{o_{i}}-m_{P_{i}}P_{i},

(1)

where $\omega_{i}$ is angular frequency, $\omega_{o_{i}}$ is the nominal angular frequency, $P_{i}$ is measured output active power and $m_{P_{i}}$ is the droop coefficient associated with the $i^{\text{th}}$ DG. Due to primary droop control, since the inverter’s frequency undergoes a deviation from its nominal value, a suitable secondary control needs to be designed to restore the frequency of all the inverters to nominal microgrid frequency [21]. This is realized by cooperation among all the DGs at the secondary control level and designing distributed controllers $u_{\omega_{i}}=\dot{\omega}_{i}$ and $u_{P_{i}}=m_{P_{i}}\dot{P}_{i}$ for frequency and active power for each $i$ . Using these, the nominal frequency is obtained from (1) as:

\dot{\omega}_{o_{i}}=\dot{\omega}_{i}+m_{P_{i}}\dot{P}_{i}\implies\omega_{o_{i% }}=\int u_{\omega_{i}}~{}dt+\int u_{P_{i}}~{}dt,\ \forall i.

(2)

In the subsequent analysis, we use the vectors $\omega=[\omega_{1},\ldots,\omega_{n}]^{T}\in\mathbb{R}^{n}$ , $P=[P_{1},\ldots,P_{n}]^{T}\in\mathbb{R}^{n}$ and $m_{P}P=[m_{P_{1}}P_{1},\ldots,m_{P_{n}}P_{n}]^{T}\in\mathbb{R}^{n}$ to represent the frequency, power, and droop-coefficient associated active power for the network of $n$ DGs.

Refer to caption — Figure 1: Microgrid network and control architecture.

II System Description and Problem Statement

II-A System Description

Consider a microgrid network comprising $n$ DGs in the physical layer, along with the associated control layer $\Sigma$ and the auxiliary layer $\Pi$ , as shown in Fig. 1. Each DG is equipped with individual primary and secondary controllers where frequency $\omega_{i}$ and active power $P_{i}$ are the physical state variables to be controlled for each $i$ . According to (2), the secondary control generates nominal frequency to the primary droop controller for computing the actual frequency $\omega_{i}$ of the $i^{\text{th}}$ DG. Consequently, both frequency and the average active power signals of the DGs are shared among them according to the communication network at the control layer $\Sigma$ for designing frequency and power controllers.

However, owing to the attacker’s knowledge about the control layer, the communication network over $\Sigma$ is vulnerable to FDI attacks on both frequency and power signals, deviating the system from the desired cooperative control objectives. To account for these attacks, our approach relies on the construction of an auxiliary layer $\Pi$ and its integration with $\Sigma$ to assure resiliency toward frequency regulation and proportional active power-sharing. The auxiliary nodes in $\Pi$ are considered to have their own state dynamics but the same inter-agent interaction network as in $\Sigma$ . Further, there exists a hidden network connecting the corresponding nodes in $\Sigma$ and $\Pi$ (see Fig. 1).

Under an FDI attack, the frequency and power signals received at a particular node in $\Sigma$ may be different from the one transmitted by the neighboring nodes and can be expressed as:

\check{\omega}_{ij}={\omega}_{j}+\delta_{ij}^{\omega},\quad\check{P}_{ij}={P}_% {j}+\delta_{ij}^{P},\quad j\in\mathcal{N}_{i}\cup\{i\},

(3)

where $\check{\omega}_{ij}$ is the frequency signal received at node $i$ from node $j$ , ${\omega}_{j}$ is the actual frequency of the $j^{\text{th}}$ DG, and $\delta_{ij}^{\omega}$ is the FDI attack affecting the link connecting nodes $i$ and $j$ . Similar notations can be defined for $\check{P}_{ij}$ . The total external injection at the $i^{\text{th}}$ node can be written as $\sum_{j\in\mathcal{N}_{i}\cup\{i\}}\delta_{ij}^{\omega}=d_{\omega_{i}}$ (resp., for power as $\sum_{j\in\mathcal{N}_{i}\cup\{i\}}\delta_{ij}^{P}=d_{P_{i}}$ ), leading to the attack vector $d_{\omega}=[d_{\omega_{1}},\ldots,d_{\omega_{n}}]^{T}$ (resp., $d_{P}=[d_{P_{1}},\ldots,d_{P_{n}}]^{T}$ ) for the $n$ nodes in $\Sigma$ . In general, an attacker might employ an FDI attack varying as per the real-time states of the system, which dies out as the system states become stable. Such kinds of attacks deviate the system from achieving the desired convergence properties and even make it unstable while being stealthy [16]. In this paper, we model the frequency attack (resp., power attack) as a function of states $\omega_{i}$ (resp., $P_{i}$ ) and time $t$ such that $d_{\omega}(\omega,t)$ (resp., $d_{P}(P,t)$ ) satisfies the following assumption:

Assumption 1.

The injections $d_{\omega}(\omega,t)$ and $d_{P}(P,t)$ are uniformly bounded for bounded $\omega$ and $P$ , that is, there exist positive constants $\bar{D}_{\omega},\bar{D}_{P}$ such that $\|d_{\omega}(\omega,t)\|\leq\bar{D}_{\omega}$ and $\|d_{P}(P,t)\|\leq\bar{D}_{P}$ for all $\omega\in\mathbb{R}^{n},P\in\mathbb{R}^{n}$ and $t\geq 0$ . In particular, if these attacks are generated by the dynamics,

\dot{d}_{\omega}=f_{\omega}(d_{\omega},\omega);\quad\dot{d}_{P}=f_{P}(d_{P},P),

(4)

these must have a finite $\mathcal{L}_{2}$ -gain.

The relevance of this assumption lies in the fact that an intelligent attacker always aims at inserting a bounded attack signal, as the injections with large magnitude are easy to detect and will be rejected before they spread across the network. Further, dynamics (4) having finite $\mathcal{L}_{2}$ -gain implies that $d_{\omega}$ and $d_{P}$ settle down to some value, as $\omega$ and $P$ reach the steady-state, respectively.

II-B Problem Statement

Consider $n$ DGs, connected via an undirected and connected graph $\mathcal{G}$ , as shown in Fig. 1. Assume that the DGs be governed by the droop-based frequency dynamics (2) and subject to frequency and power attacks $d_{\omega}$ and $d_{P}$ in control layer $\Sigma$ , according to Assumption 1. Let $z=[z_{1},\ldots,z_{n}]^{T}\in\mathbb{R}^{n}$ be the state vector associated with the auxiliary nodes and $\omega^{*}>0$ be the desired value of the microgrid frequency. Based on the integration between $\Sigma$ and $\Pi$ layers, design the vector functions $\mathcal{F}^{c}_{\omega}(\omega,z),\mathcal{F}^{a}_{\omega}(\omega,z),\mathcal% {F}^{c}_{P}(P,z),\mathcal{F}^{a}_{P}(P,z)$ such that the following auxiliary-state coupled dynamics, under the frequency and power attacks $d_{\omega}$ and $d_{P}$ , disseminated over $\Sigma$ using Laplacian $L$ , respectively,

S_{\omega}:\begin{dcases*}\dot{\omega}&= $\mathcal{F}^{c}_{\omega}(\omega,z)+% Ld_{\omega}$\\ \dot{z}&= $\mathcal{F}^{a}_{\omega}(\omega,z)$\end{dcases*},\ S_{P}:\begin{% dcases*}m_{P}\dot{P}&= $\mathcal{F}^{c}_{P}(P,z)+Ld_{P}$\\ \dot{z}&= $\mathcal{F}^{a}_{P}(P,z)$\end{dcases*},

(5)

assures that the following hold true for some small constants $\epsilon_{\omega}>0$ and $\epsilon_{P}>0$ :

(P1)

Frequency is maintained at the desired nominal value for all the DGs, that is, $\lim_{t\to\infty}\|\omega(t)-\omega^{*}\boldsymbol{1}_{n}\|\leq\epsilon_{\omega}$ .
(P2)

Power is shared among the DGs in proportion to their droop coefficients, that is, $\lim_{t\to\infty}\|m_{P}P-\Delta_{P}\boldsymbol{1}_{n}\|\leq\epsilon_{P}$ , where $\Delta_{P}=(1/n)\sum_{i=1}^{n}m_{P_{i}}P_{i}(0)$ is a constant.

Additionally,

(P3)

Based on the integration of $\Sigma$ and $\Pi$ , propose an attack detection mechanism such that non-zero FDI attacks $\delta_{ij}^{\omega}$ and $\delta_{ij}^{P}$ , as defined in (3), are detected for all $(i,j)\in\mathcal{E}$ .

III Distributed Attack Resilient Frequency control

For resiliency towards frequency attacks $d_{\omega}$ , we propose the system $S_{\omega}$ in (5) as follows:

	$\displaystyle\dot{\omega}$	$\displaystyle=A\omega+\beta Az+B\omega^{*}+Ld_{\omega}$		(6a)
	$\displaystyle\dot{z}$	$\displaystyle=Az-\beta A\omega+\beta C\omega^{*},$		(6b)

where $\omega^{*}$ is the reference frequency fed to the leader DGs in the group. The matrix $A$ is given by

	$\displaystyle A=-\begin{bmatrix}\sum_{j=1}^{n}a_{1j}&-a_{12}&\ldots&-a_{1n}\\ -a_{21}&\sum_{j=1}^{n}a_{2j}&\ldots&-a_{2n}\\ \vdots&\vdots&\vdots&\vdots\\ -a_{n1}&-a_{n2}&\ldots&\sum_{j=1}^{n}a_{nj}\end{bmatrix}$		(11)
	$\displaystyle-\begin{bmatrix}g_{1}&0&\ldots&0\\ 0&g_{2}&\ldots&0\\ \vdots&\vdots&\vdots&\vdots\\ 0&0&\ldots&g_{n}\end{bmatrix}=-(L+G),$		(16)

where $G$ is a diagonal matrix with its entries $g_{i}$ represents the pinning gain, such that $g_{i}=1$ if the $i^{\text{th}}$ DG is a leader and $0$ otherwise. Further, $\beta>0$ is a gain factor and the vectors $B$ and $C$ are defined as $B\coloneqq G\boldsymbol{1}_{n}$ and $C\coloneqq A\boldsymbol{1}_{n}$ . In (III), matrices $A$ and $B$ are such that the frequency controller $\dot{\omega}_{i}$ of the $i^{\text{th}}$ DG contains relative frequency term $\sum_{j\in\mathcal{N}_{i}}(\omega_{j}-\omega_{i})$ (because of the Laplacian $L$ ) responsible for frequency consensus, and the term $g_{i}(\omega_{i}-\omega^{\star})$ associated with the pinning gain $g_{i}$ , shapes the solution trajectories such that consensus occurs at the desired frequency $\omega^{\star}$ . The interconnection between the two layers $\Sigma$ and $\Pi$ is realized by the matrix $\beta A$ , associated with (i) the auxiliary state vector $z$ in the $\dot{\omega}$ in dynamics (6a), and (ii) the actual frequency vector $\omega$ in the $\dot{z}$ dynamics (6b). Note that the auxiliary state vector $z$ has no physical significance and may assume any steady-sate value. We have the following lemma relating matrices $A,B,C$ and $G$ :

Lemma 3.

Consider system (III) with matrix $A$ in (11). Then, $A\boldsymbol{1}_{n}=-B$ and $C=-G$ for an undirected and connected graph $\mathcal{G}$ .

Proof.

Multiplying by $\boldsymbol{1}_{n}$ on both sides of (11), we have that $A\boldsymbol{1}_{n}=-L\boldsymbol{1}_{n}-G\boldsymbol{1}_{n}=-G\boldsymbol{1}_% {n}=-B$ , since $L\boldsymbol{1}_{n}=\boldsymbol{0}_{n}$ for an undirected and connected graph. Further, since $C\coloneqq A\boldsymbol{1}_{n}$ by definition, it follows that $C=-G$ . ∎

For further analysis, let us introduce the frequency error vector

e_{\omega}=\omega-\omega^{*}\boldsymbol{1}_{n},

(17)

using which, (III) can be expressed as:

	$\displaystyle\dot{e}_{\omega}$	$\displaystyle=Ae_{\omega}+\beta Az+A\omega^{}\boldsymbol{1}_{n}+B\omega^{}+% Ld_{\omega}$
	$\displaystyle\dot{z}$	$\displaystyle=Az-\beta A(e_{\omega}+\omega^{}\boldsymbol{1}_{n})+\beta C% \omega^{}.$

Following Lemma 3, the above equations are simplified as:

	$\displaystyle\dot{e}_{\omega}$	$\displaystyle=Ae_{\omega}+\beta Az+Ld_{\omega}$		(18a)
	$\displaystyle\dot{z}$	$\displaystyle=Az-\beta Ae_{\omega}.$		(18b)

Let $\xi_{\omega}=[e_{\omega}^{T},z^{T}]^{T}\in\mathbb{R}^{2n}$ be the joint state vector, using which, (III) can be written in the compact form as:

\dot{\xi}_{\omega}=\mathcal{K}\xi_{\omega}+D_{\omega},

(19)

where $D_{\omega}=[(Ld_{\omega})^{T},\boldsymbol{0}_{n}^{T}]^{T}\in\mathbb{R}^{2n}$ and the block matrix $\mathcal{K}_{2n\times 2n}$ is given by

\mathcal{K}=\begin{bmatrix}A&\beta A\\ -\beta A&A\end{bmatrix}.

(20)

Lemma 4.

The block matrix $\mathcal{K}$ in (20) is Hurwitz.

Proof.

Using Kronecker product, (20) can be written as $\mathcal{K}=\Phi\otimes A$ , where

\Phi=\begin{bmatrix}1&\beta\\ -\beta&1\end{bmatrix},

(21)

is a $2\times 2$ matrix with eigenvalues $\lambda(\Phi)=1\pm j_{c}\beta$ . Further, since graph $\mathcal{G}$ is undirected and connected, $L$ is positive semi-definite [22]. Also, matrix $G$ contains at least one non-zero diagonal entry (as there is at least one leader in the group). Using Lemma 1 from Subsection I-A, it can be stated that $L+G$ is symmetric and positive-definite. Alternatively, $A=-(L+G)$ , as defined in (11), is symmetric and negative-definite, and hence, has all real and strictly negative eigenvalues $\lambda_{i}(A)<0,\forall i=1,\ldots,n$ . Now, using the multiplicative property of Kronecker product [26, Theorem 4.2.12], it can be inferred that $\lambda_{i}(\mathcal{K})=\lambda_{i}(\Phi)\lambda_{i}(A),\forall i=1,\ldots,2n$ . Alternatively, all $2n$ eigenvalues of $\mathcal{K}$ are complex conjugate having strictly negative real part, implying that $\mathcal{K}$ is Hurwitz. ∎

For better motivation and simplicity, we first discuss that the proposed framework (19) assures the frequency consensus in the absence of an attack, followed by the result in the attacked scenario.

Lemma 5 (Frequency control in absence of attack).

If $d_{\omega}\equiv\boldsymbol{0}_{n}$ , the dynamics (19) assures that $\omega\to\omega^{\star}\boldsymbol{1}_{n}$ as $t\to\infty$ .

Proof.

For $d_{\omega}\equiv\boldsymbol{0}_{n}$ , (19) becomes $\dot{\xi}_{\omega}=\mathcal{K}\xi_{\omega}$ and has the solution $\xi_{\omega}(t)={\rm e}^{\mathcal{K}t}\xi_{\omega}(0)$ . Now, it is straightforward to conclude that $\xi_{\omega}\to\boldsymbol{0}_{2n}$ at $t\to\infty$ , since $\mathcal{K}$ is Hurwitz (see Lemma 4). In other words, $\omega\to\omega^{\star}\boldsymbol{1}_{n}$ as $t\to\infty$ in absence of $d_{\omega}$ (the steady-state value of the auxiliary state $z$ is not important). ∎

If $d_{\omega}\neq\boldsymbol{0}_{n}$ , we have the following convergence theorem for microgrid frequency, addressing the problem (P1).

Theorem 1 (Frequency control in presence of attack).

Consider the system (19) where the frequency attack signal $d_{\omega}\neq\boldsymbol{0}_{n}$ satisfies Assumption 1. Then, for a sufficiently large value of gain $\beta$ , the frequencies of all DGs remain in a small neighborhood of nominal frequency, i.e., $\|\omega-\omega^{\star}\boldsymbol{1}_{n}\|\leq\epsilon_{\omega}$ for some small $\epsilon_{\omega}>0$ .

Before proceeding to the proof, we first discuss the below important result:

Lemma 6.

Let $\mathcal{H}_{\beta}=\begin{bmatrix}(A+{\beta}^{2}A)^{-1}\\ \beta(A+{\beta}^{2}A)^{-1}\end{bmatrix}$ be a block matrix of dimension $2n\times n$ , where $A$ is given by (11). The operator norm of $\mathcal{H}_{\beta}$ is given by

\|\mathcal{H}_{\beta}\|=\frac{1}{\lambda_{\min}(L+G)\sqrt{1+\beta^{2}}}.

Proof.

Using Kronecker product, the matrix $\mathcal{H}_{\beta}$ can be rewritten as $\mathcal{H}_{\beta}=\begin{bmatrix}\frac{1}{1+\beta^{2}}\\ \frac{\beta}{1+\beta^{2}}\end{bmatrix}\otimes A^{-1}$ . Taking operator norm on both sides, we have

\|\mathcal{H}_{\beta}\|=\left\|\begin{bmatrix}\frac{1}{1+\beta^{2}}\\ \frac{\beta}{1+\beta^{2}}\end{bmatrix}\otimes A^{-1}\right\|=\left\|\begin{% bmatrix}\frac{1}{1+\beta^{2}}\\ \frac{\beta}{1+\beta^{2}}\end{bmatrix}\right\|\|A^{-1}\|,

using the property $\|\mathcal{A}\otimes\mathcal{B}\|=\|\mathcal{A}\|\|\mathcal{B}\|$ of the operator norms for Kronecker products of two matrices $\mathcal{A}$ and $\mathcal{B}$ [27, Theorem 8, p. 412]. Note that $\left\|\begin{bmatrix}\frac{1}{1+\beta^{2}}\\ \frac{\beta}{1+\beta^{2}}\end{bmatrix}\right\|=\frac{1}{\sqrt{1+\beta^{2}}}$ and $\|A^{-1}\|=\sqrt{\lambda_{\max}((A^{-1})^{T}A^{-1})}$ . From (11), it is straightforward to check that $A^{T}=A\implies(A^{T})^{-1}=A^{-1}\implies(A^{-1})^{T}=A^{-1}$ . The last relation can also be rewritten as $((-A)^{-1})^{T}=(-A)^{-1}$ , where matrix $-A$ is positive-definite. Using this, one can write $\|A^{-1}\|=\sqrt{\lambda_{\max}((-A^{-1})^{T}(-A)^{-1})}=\lambda_{\max}(-A^{-1% })=\frac{1}{\lambda_{\min}(-A)}$ . Consequently, it can be concluded using (11) that $\|\mathcal{H}_{\beta}\|=\frac{1}{\lambda_{\min}(L+G)\sqrt{1+\beta^{2}}}$ , and hence, proving the result. ∎

We are now ready to prove Theorem 1.

Proof of Theorem 1.

If $d_{\omega}\neq\boldsymbol{0}_{n}$ , the solution of linear system (19) is obtained as $\xi_{\omega}(t)={\rm e}^{\mathcal{K}t}\xi_{\omega}(0)+\int_{0}^{t}{\rm e}^{% \mathcal{K}(t-\tau)}D_{\omega}d\tau$ . Now, taking $\mathcal{L}_{2}$ norm on both sides and applying the Cauchy–Schwarz inequality results in $\lim_{t\to\infty}\|\xi_{\omega}(t)\|\leq\lim_{t\to\infty}\|{\rm e}^{\mathcal{K% }t}\xi_{\omega}(0)\|+\lim_{t\to\infty}\|\int_{0}^{t}{\rm e}^{\mathcal{K}(t-% \tau)}D_{\omega}d\tau\|$ . Since $\lim_{t\to\infty}\|{\rm e}^{\mathcal{K}t}\xi_{\omega}(0)\|\to 0$ , as $\mathcal{K}$ is Hurwitz (see Lemma 4), it can be written that $\lim_{t\to\infty}\|\xi_{\omega}(t)\|\leq\lim_{t\to\infty}\|\int_{0}^{t}{\rm e}% ^{\mathcal{K}(t-\tau)}D_{\omega}d\tau\|$ . Note that $D_{\omega}$ is uniformly bounded, as it is $d_{\omega}$ , according to Assumption 1. Now, it immediately follows from Lemma 2 (from Subsection I-A) that there exists a time-independent vector $\hat{d}_{\omega}\in\mathbb{R}^{n}$ with $\|\hat{d}_{\omega}\|\leq\bar{D}_{\omega}$ (where $\bar{D}_{\omega}$ is defined in Assumption 1) such that $\|\int_{0}^{t}{\rm e}^{\mathcal{K}(t-\tau)}D_{\omega}(\tau)d\tau\|\leq\|\int_{% 0}^{t}{\rm e}^{\mathcal{K}(t-\tau)}\hat{D}_{\omega}d\tau\|$ for some constant vector $\hat{D}_{\omega}=[(L\hat{d}_{\omega})^{T},\boldsymbol{0}_{n}^{T}]^{T}\in% \mathbb{R}^{2n}$ for all $t\geq T$ . This implies that $\lim_{t\to\infty}\|\xi_{\omega}(t)\|\leq\lim_{t\to\infty}\|\int_{0}^{t}{\rm e}% ^{\mathcal{K}(t-\tau)}\hat{D}_{\omega}d\tau\|$ , which on further simplification results in $\lim_{t\to\infty}\|\xi_{\omega}(t)\|\leq\|\mathcal{K}^{-1}\hat{D}_{\omega}\|$ . Note that $\mathcal{K}$ is invertible as it has all non-zero eigenvalues (Lemma 4) and its inverse is given by [28, Theorem 0.7.3]:

\mathcal{K}^{-1}=\begin{bmatrix}\mathcal{M}_{11}&\mathcal{M}_{12}\\ \mathcal{M}_{21}&\mathcal{M}_{22}\end{bmatrix},

(22)

using which, it holds that

\lim_{t\to\infty}\|\xi_{\omega}(t)\|\leq\left\|\begin{bmatrix}\mathcal{M}_{11}% (L\hat{d}_{\omega})\\ \mathcal{M}_{21}(L\hat{d}_{\omega})\end{bmatrix}\right\|,

(23)

where $\mathcal{M}_{11}=(\mathcal{K}_{11}-\mathcal{K}_{12}\mathcal{K}_{22}^{-1}% \mathcal{K}_{21})^{-1}$ and $\mathcal{M}_{21}=\mathcal{K}_{22}^{-1}\mathcal{K}_{21}(\mathcal{K}_{12}% \mathcal{K}_{22}^{-1}\mathcal{K}_{21}-\mathcal{K}_{11})^{-1}$ [28, Theorem 0.7.3], with $\mathcal{K}_{11}=\mathcal{K}_{22}=A$ and $\mathcal{K}_{12}=-\mathcal{K}_{21}=\beta A$ , from (20). Substituting these, we get $\mathcal{M}_{11}=(A+{\beta}^{2}A)^{-1}$ and $\mathcal{M}_{21}=\beta(A+{\beta}^{2}A)^{-1}$ , and hence,

\lim_{t\to\infty}\left\|\begin{bmatrix}e_{\omega}(t)\\ z(t)\end{bmatrix}\right\|\leq\left\|\begin{bmatrix}(A+{\beta}^{2}A)^{-1}\\ \beta(A+{\beta}^{2}A)^{-1}\end{bmatrix}\right\|\|L\hat{d}_{\omega}\|=\|% \mathcal{H}_{\beta}\|\|L\hat{d}_{\omega}\|,

where we have replaced the first term by $\|\mathcal{H}_{\beta}\|$ , using Lemma 6. Since $\|L\hat{d}_{\omega}\|\leq\|L\|\|\hat{d}_{\omega}\|=\sqrt{\lambda_{\max}(L^{T}L% )}\|\hat{d}_{\omega}\|=\lambda_{\max}(L)\|\hat{d}_{\omega}\|$ (since $L=L^{T}$ for an undirected and connected graph $\mathcal{G}$ ) and $\|\hat{d}_{\omega}\|\leq\bar{D}_{\omega}$ (see Assumption 1), it holds that

\lim_{t\to\infty}\left\|\begin{bmatrix}e_{\omega}(t)\\ z(t)\end{bmatrix}\right\|\leq\frac{\lambda_{\max}(L)\bar{D}_{\omega}}{\lambda_% {\min}(L+G)\sqrt{1+\beta^{2}}},

(24)

exploiting Lemma 6. From (24), one can conclude that $\|e_{\omega}(t)\|\leq\epsilon_{\omega}$ as $t\to\infty$ , with $\epsilon_{\omega}=\frac{\lambda_{\max}(L)\bar{D}_{\omega}}{\lambda_{\min}(L+G)% \sqrt{1+\beta^{2}}}$ . Further, since $\epsilon_{\omega}$ is small for sufficiently large values of gain $\beta$ (which is a design parameter), $\omega$ converges to a small neighborhood around ${\omega}^{*}\boldsymbol{1}_{n}$ as $t\to\infty$ , using (17). ∎

Remark 1.

It can be inferred from inequality (24) that the steady-state bound $\epsilon_{\omega}$ is:

•

proportional to the maximum eigenvalue $\lambda_{\max}(L)$ of Laplacian $L$ and the attack bound $\bar{D}_{\omega}$ . If the graph $\mathcal{G}$ has minimal connectivity (i.e., small $\lambda_{\max}(L)$ ), the attacker will have fewer links to target, and hence, will have relatively less impact.
•

inversely proportional to the minimum eigenvalue $\lambda_{\min}(L+G)$ of matrix $L+G$ and the design parameter $\beta$ . Beside selecting large $\beta$ , it is possible to make $\lambda_{\min}(L+G)$ large by choosing the large value of pinning gain $g_{i}$ , since $\lambda_{\min}(L+G)\geq\lambda_{\min}(L)+\min_{i}\{g_{i}\}=\min_{i}\{g_{i}\}$ , using Weyl’s theorem [28, Chapter 4, p. 239] and the fact that $\lambda_{\min}(L)=0$ . Therefore, $\lambda_{\min}(L+G)$ primarily influenced by the pinning gain $g_{i}$ .

In summary, it is evident that the effect of varying $\beta$ is more dominant on the value of $\epsilon_{\omega}$ , as compared to $g_{i}$ , and can be decided appropriately by the user.

IV Distributed Attack Resilient Power Control

Unlike frequency control, the implementation of the distributed power controller is done in a leaderless configuration to assure the proportional power-sharing among the DGs, leading to the system $S_{P}$ in (5) as follows:

	$\displaystyle m_{P}\dot{P}$	$\displaystyle=-L(m_{P}P)+\beta Lz+L{d_{P}}$		(25a)
	$\displaystyle\dot{z}$	$\displaystyle=-Lz-\beta L(m_{P}P),$		(25b)

where Laplacian $L$ is associated with the state vector $m_{P}P$ , instead of matrix $A$ as in (III). Here, the interconnection between $\Sigma$ and $\Pi$ is realized by the matrix $\beta L$ . Defining power-sharing error as (where $\Delta_{P}$ is defined in Problem (P2))

e_{P}=m_{P}P-\Delta_{P}\boldsymbol{1}_{n},

(26)

(IV) can be expressed in terms of $e_{P}$ as:

	$\displaystyle\dot{e}_{P}$	$\displaystyle=-Le_{P}+\beta Lz+Ld_{P}$		(27a)
	$\displaystyle\dot{z}$	$\displaystyle=-\beta Le_{P}-Lz.$		(27b)

We have the following lemma in absence of power attacks:

Lemma 7 (Power-sharing control in absence of attack).

If $d_{P}\equiv\boldsymbol{0}_{n}$ , the dynamics (IV) assures that $P\to\Delta_{P}\boldsymbol{1}_{n}$ as $t\to\infty$ .

Proof.

Consider the candidate Lyapunov function $V_{P}=0.5e_{p}^{T}e_{p}+0.5z^{T}z$ , whose time-derivative along (IV) with $d_{P}\equiv\boldsymbol{0}_{n}$ is obtained as $\dot{V}_{p}=e_{p}^{T}\dot{e}_{p}+z^{T}\dot{z}=e_{p}^{T}[-L(m_{P}P)+\beta Lz]+z% ^{T}[-Lz-\beta L(m_{p}P)]$ , where we used the fact that $L\Delta_{P}\boldsymbol{1}_{n}=\boldsymbol{0}_{n}$ for an undirected and connected graph $\mathcal{G}$ . On further simplification, one can get that $\dot{V}_{P}=-e_{p}^{T}Le_{p}-z^{T}Lz\leq 0$ , which is negative semi-definite. Now, using LaSalle’s invariance theorem [29, Corollary 4.2, p. 129], it can be concluded that $e_{P}=z=\boldsymbol{0}_{n}$ is the desired equilibrium point, implying that, $P\to\Delta_{P}\boldsymbol{1}_{n}$ as $t\to\infty$ , using (26). ∎

In case $d_{P}\neq\boldsymbol{0}_{n}$ , the analysis is different from the earlier Theorem 1, as the system matrix $L$ in (IV) has one zero eigenvalue and rest positive eigenvalues for an undirected and connected graph $\mathcal{G}$ . To proceed further, we filter out the dynamics associated with the simple zero eigenvalue by using the transformation:

e_{P}=T\begin{bmatrix}\bar{e}_{P}\\ \tilde{e}_{P}\end{bmatrix},\ z=T\begin{bmatrix}\bar{z}\\ \tilde{z}\end{bmatrix},\ d_{P}=T\begin{bmatrix}\bar{d}_{P}\\ \tilde{d}_{P}\end{bmatrix},

(28)

where $\bar{e}_{P},\bar{z},\bar{d}_{P}\in\mathbb{R}$ and $\tilde{e}_{P},\tilde{z},\tilde{d}_{P}\in\mathbb{R}^{n-1}$ and the transformation $T=[v_{1},\ldots,v_{n}]$ with $v_{i}$ being the left eigenvector associated with $\lambda_{i}(L)$ , $i=1,\ldots,n$ . Using transformation $T$ , $L$ can be diagonalized as:

T^{-1}LT=\begin{bmatrix}\lambda_{1}(L)&0&\cdots&0\\ 0&\lambda_{2}(L)&\cdots&0\\ \vdots&\vdots&\ddots&\vdots\\ 0&0&\cdots&\lambda_{n}(L)\end{bmatrix}=\begin{bmatrix}\begin{array}[]{c|c}0&% \boldsymbol{0}^{T}_{n-1}\\ \hline\cr\boldsymbol{0}_{n-1}&\mathcal{R}\end{array}\end{bmatrix},

(29)

where $\mathcal{R}\in\mathbb{R}^{(n-1)\times(n-1)}$ is a diagonal matrix comprising non-zero eigenvalues of $L$ . Using (28), (IV) can be rewritten as:

	$\displaystyle\begin{bmatrix}\dot{\bar{e}}_{P}\\ \dot{\tilde{e}}_{P}\end{bmatrix}$	$\displaystyle=-T^{-1}LT\begin{bmatrix}\bar{e}_{P}\\ \tilde{e}_{P}\end{bmatrix}+\beta T^{-1}LT\begin{bmatrix}\bar{z}\\ \tilde{z}\end{bmatrix}+T^{-1}LT\begin{bmatrix}\bar{d}_{P}\\ \tilde{d}_{P}\end{bmatrix},$		(30i)
	$\displaystyle\begin{bmatrix}\dot{\bar{z}}\\ \dot{\tilde{z}}\end{bmatrix}$	$\displaystyle=-\beta T^{-1}LT\begin{bmatrix}\bar{e}_{P}\\ \tilde{e}_{P}\end{bmatrix}-T^{-1}LT\begin{bmatrix}\bar{z}\\ \tilde{z}\end{bmatrix}.$		(30p)

Now, using (29), since $\dot{\bar{e}}_{P}=\dot{\bar{z}}=0$ , (IV) further reduces to

	$\displaystyle\dot{\tilde{e}}_{p}$	$\displaystyle=-\mathcal{R}\tilde{e}_{P}+\beta\mathcal{R}\tilde{z}+\mathcal{R}% \tilde{d}_{p}$	(31a)
	$\displaystyle\dot{\tilde{z}}$	$\displaystyle=-\beta\mathcal{R}\tilde{e}_{P}-\mathcal{R}\tilde{z},$	(31b)
which can be expressed in the compact form as:

\dot{\xi}_{P}=\tilde{\mathcal{K}}\xi_{P}+\tilde{D}_{P},

(32)

where $\xi_{P}=[{\tilde{e}_{P}}^{T},\tilde{z}^{T}]^{T}\in\mathbb{R}^{2(n-1)}$ , $\tilde{D}_{P}=[(\mathcal{R}\tilde{d}_{p})^{T},\boldsymbol{0}_{n-1}^{T}]^{T}\in% \mathbb{R}^{2(n-1)}$ and

\displaystyle\tilde{\mathcal{K}}=\begin{bmatrix}-\mathcal{R}&\beta\mathcal{R}% \\ -\beta\mathcal{R}&-\mathcal{R}\end{bmatrix}=\begin{bmatrix}-1&\beta\\ -\beta&-1\end{bmatrix}\otimes\mathcal{R}=\tilde{\Phi}\otimes\mathcal{R}.

(37)

Since $\lambda(\tilde{\Phi})=-1\pm j_{c}\beta$ and $\mathcal{R}$ is a positive definite matrix by construction, $\tilde{\mathcal{K}}$ is Hurwitz and has $2(n-1)$ strictly negative eigenvalues in accordance with Lemma 4. We are now ready to state the following convergence result, solving Problem (P2):

Theorem 2 (Power-sharing control in presence of attack).

Consider the system (IV) where the power attack signal $d_{P}\neq\boldsymbol{0}_{n}$ satisfies Assumption 1. Then, for a sufficiently large value of $\beta$ , the vector $m_{P}P$ remains in a small neighborhood of its nominal value while sharing proportional active power, i.e., $\|m_{P}P-\Delta_{P}\boldsymbol{1}_{n}\|\leq\epsilon_{P}$ for some small $\epsilon_{P}$ .

Proof.

The solution of (32) is given by $\xi_{P}(t)={\rm e}^{\tilde{\mathcal{K}}t}\xi_{P}(0)+\int_{0}^{t}{\rm e}^{% \tilde{\mathcal{K}}(t-\tau)}\tilde{D}_{p}d\tau$ . Upon taking norm on both sides and following similar steps as in the proof of Theorem 1, one can obtain $\lim_{t\to\infty}\|\xi_{P}(t)\|\leq\|\tilde{\mathcal{K}}^{-1}\hat{D}_{P}\|$ , where $\hat{D}_{P}=[(\mathcal{R}\hat{d}_{P})^{T},\boldsymbol{0}_{n-1}^{T}]^{T}\in% \mathbb{R}^{2(n-1)}$ for some time-independent vector $\hat{d}_{P}\in\mathbb{R}^{n-1}$ satisfying $\|\hat{d}_{P}\|\leq\bar{D}_{P}$ (see Assumption 1 for $\bar{D}_{P}$ ) such that $\|\int_{0}^{t}{\rm e}^{\tilde{\mathcal{K}}(t-\tau)}\tilde{D}_{p}(\tau)d\tau\|% \leq\|\int_{0}^{t}{\rm e}^{\tilde{\mathcal{K}}(t-\tau)}\hat{D}_{P}d\tau\|$ , according to Lemma 2 from Subsection I-A. Now, similar to (24), it can be concluded that

\lim_{t\to\infty}\left\|\begin{bmatrix}\tilde{e}_{P}(t)\\ \tilde{z}(t)\end{bmatrix}\right\|\leq\lambda_{\max}(\mathcal{R})\left\|\begin{% bmatrix}(\mathcal{R}+{\beta}^{2}\mathcal{R})^{-1}\\ \beta(\mathcal{R}+{\beta}^{2}\mathcal{R})^{-1}\end{bmatrix}\right\|\bar{D}_{P}.

(38)

Now, exploiting Lemma 6 by replacing $A$ by $\mathcal{R}$ , it can be obtained that

\lim_{t\to\infty}\left\|\begin{bmatrix}\tilde{e}_{P}(t)\\ \tilde{z}(t)\end{bmatrix}\right\|\leq\frac{\lambda_{\max}(\mathcal{R})\bar{D}_% {P}}{\lambda_{\min}(\mathcal{R})\sqrt{1+\beta^{2}}}=\frac{\lambda_{\max}(L)% \bar{D}_{P}}{\lambda_{2}(L)\sqrt{1+\beta^{2}}},

(39)

since $\lambda_{\max}(\mathcal{R})=\lambda_{\max}(L)$ and $\lambda_{\min}(\mathcal{R})=\lambda_{2}(L)$ by construction, where $\lambda_{2}(L)$ is the Fielder eigenvalue of the Laplacian $L$ . From (39), it can be concluded that $\|\tilde{e}_{P}(t)\|\leq\epsilon_{P}$ (and hence, $\|{e}_{P}(t)\|\leq\epsilon_{P}$ ) as $t\to\infty$ , where $\epsilon_{P}=\frac{\lambda_{\max}(L)\bar{D}_{P}}{\lambda_{2}(L)\sqrt{1+\beta^{% 2}}}$ . Furthermore, for sufficiently large values of gain $\beta$ , $\epsilon_{P}$ assumes small value, and hence, $m_{P}P$ converges to a small neighborhood around $\Delta_{P}\boldsymbol{1}_{n}$ as $t\to\infty$ , using (26). ∎

V Attack Detection: Exploring Interaction Between Control and Auxiliary Layers

Addressing Problem (P3), this section proposes an attack detection method relying on the interaction between the control layer $\Sigma$ and auxiliary layer $\Pi$ in Fig. 1. For brevity and clarity, we provide a discussion for the frequency attacks $d_{\omega}$ affecting dynamics $S_{\omega}$ in (5). However, it is equally applicable to the power attacks $d_{P}$ appearing in the dynamics $S_{P}$ .

Since the layer $\Sigma$ is vulnerable to attacks injected by the attacker as compared to the secured and hidden layer $\Pi$ , one can exploit the layer $\Pi$ to check the authenticity of the information shared between two nodes in the layer $\Sigma$ . As shown in Fig. 1, the layer $\Pi$ contains a set of (virtual) nodes, directly associated with individual (actual) nodes in the layer $\Sigma$ . Consequently, the $i^{\text{th}}$ node in $\Sigma$ has state information $z_{i}$ of the associated node in $\Pi$ and similarly the $i^{\text{th}}$ node in $\Pi$ has information $\omega_{i}$ of the associated node in $\Sigma$ . Further, both the layers are connected to each other via interconnection matrices $\beta A$ . With respect to the $i^{\text{th}}$ node, (III) can be rewritten, by segregating terms on the basis of the contributions by the $i^{\text{th}}$ node itself and the neighboring nodes in both $\Sigma$ and $\Pi$ layers, as follows [30]:

$\displaystyle\dot{\omega}_{i}$	$\displaystyle=A_{[i]}\omega-\beta(\|\mathcal{N}_{i}\|+g_{i})z_{i}+\sum_{j\in% \mathcal{N}_{i}}\beta z_{j}+g_{i}{\omega}^{*}+L_{[i]}d_{\omega}$	(40a)
$\displaystyle\dot{z}_{i}$	$\displaystyle=-(\|\mathcal{N}_{i}\|+g_{i})z_{i}+\beta(\|\mathcal{N}_{i}\|+g_{i})% \omega_{i}+\sum_{j\in\mathcal{N}_{i}}(z_{j}-\beta{\omega}_{j})$
	$\displaystyle\qquad-\beta g_{i}{\omega}^{*},$	(40b)

where $A_{[i]},L_{[i]}$ denote the $i^{\text{th}}$ row of matrices $A$ and $L$ , respectively. Further, $g_{i}=1$ if the node $i$ is the leader, else $g_{i}=0$ . The following observations are straightforward toward practical implementation of (V):

•

In (40a), the $i^{\text{th}}$ node in $\Sigma$ has access to the information $\beta z_{j}$ of the neighboring nodes in $\Pi$ via its corresponding $i^{\text{th}}$ node in $\Pi$ , shared through the interaction network between $\Sigma$ and $\Pi$ , as shown in Fig. 2(a). The implementation of remaining terms in (40a) is straightforward.
•

Analogously, in (40b), the $i^{\text{th}}$ node in $\Pi$ has information $z_{j}-\beta\omega_{j}$ from the neighboring nodes in $\Pi$ itself where the information $-\beta\omega_{j}$ is shared through the interaction between the two layers, as shown Fig. 2(b). Again, the implementation of the remaining terms in (40b) is straightforward.

From the above discussion, it is clear that the $i^{\text{th}}$ node in $\Sigma$ has access to the following two pieces of additional information due to the interaction between $\Sigma$ and $\Pi$ :

\displaystyle\bar{z}_{ij}=\beta z_{j},\qquad\bar{\omega}_{ij}=z_{j}-\beta{% \omega}_{j},

(41)

where notations $\bar{\omega}_{ij}$ and $\bar{z}_{ij}$ are used to emphasize that these signals contain information about the neighboring nodes $j$ in $\Pi$ . According to (41), the $i^{\text{th}}$ node estimates the frequency received from the $j^{\text{th}}$ node in $\Pi$ as:

\hat{\omega}_{ij}=\frac{1}{\beta}\left[\frac{\bar{z}_{ij}}{\beta}-\bar{\omega}% _{ij}\right],

(42)

which can be compared with the actual frequency signal $\check{\omega}_{ij}$ in (3) received at the $i^{\text{th}}$ node to testify whether the communication link $(i,j)\in\mathcal{E}$ in $\Sigma$ is under attack or not. Consequently, if $\hat{\omega}_{ij}\neq\check{\omega}_{ij}$ , the corresponding $(i,j)^{\text{th}}$ link is declared to be under attack. Once the corrupted communication link is identified, it can be isolated (provided the remaining network contains a spanning tree) from the rest of the control layer till the time attack remains prevalent in the network.

Remark 2.

It is essential to emphasize that the attack detection approach described above is a byproduct of the interaction between $\Sigma$ and $\Pi$ . It can be employed if there is a specific need to isolate any corrupted link, thereby enhancing the accuracy of the steady-state behavior. However, it’s crucial to note that the isolation of any link is not mandatory for the proper functioning of the proposed resilient controllers (III) and (IV) for some finite $\epsilon_{\omega}$ and $\epsilon_{P}$ . Moreover, the isolation between the layers $\Sigma$ and $\Pi$ can be ensured using contemporary communication network slicing approaches, such as cloud computing management and software-defined networking [31, 32]. These advanced techniques provide effective mechanisms for segregating communication channels and ensuring the secure operation of the system.

TABLE I: System Parameters

Parameter	Value
Droop gain ( $m_{P_{1}},m_{P_{2}}$ )	$2\times 10^{-3}$
Droop gain ( $m_{P_{3}},m_{P_{4}}$ )	$3\times 10^{-3}$
Filter inductance ( $L_{f}$ )	$1.35$ mH
Filter capacitance ( $C_{f}$ )	$50$ $\mu$ F
Coupling inductance ( $L_{c}$ )	$0.35$ mH
Line impedance ( $\rm{Z_{1}},\rm{Z_{2}}$ )	$R=1.2\Omega$ , $L=$ 12mH
Line impedance ( $\rm{Z_{3}},\rm{Z_{4}}$ )	$R=1\Omega$ , $L=$ 10mH
Line impedance ( $\rm{Z_{5}},\rm{Z_{6}}$ )	$R=0.8\Omega$ , $L=$ 8mH
Line impedance ( $\rm{Z_{7}},\rm{Z_{8}}$ )	$R=0.5\Omega$ , $L=$ 5mH
Loads ( $\rm{L_{1},L_{3},L_{5}}$ )	$P=7$ kW, $Q=4$ kVar
Loads ( $\rm{L_{2},L_{4}}$ )	$P=10$ kW, $Q=5$ kVar

VI Simulation Case Studies

Consider a 3-phase, 415 V islanded AC microgrid as shown in Fig. 3, which comprises $4$ DGs, connected through $8$ transmission lines and $5$ loads, whose values are as listed in Table I. The DGs are connected as per the undirected and connected communication topology, as shown in Fig. 3, which has the following Laplacian:

L=\begin{bmatrix}2&-1&0&-1\\ -1&2&-1&0\\ 0&-1&2&-1\\ -1&0&-1&2\end{bmatrix}.

Assume that DG $1$ acts as the leader and has access to reference frequency $\omega^{*}=314$ rad/s ( $f^{*}=\omega^{*}/2\pi=50$ Hz), with all the remaining DGs acting as fully connected followers. Therefore, the pinning gain $g_{1}=1$ and $g_{i}=0$ for $i=2,3,4$ . Associated with each DG, there exist control and auxiliary nodes in the layers $\Sigma$ and $\Pi$ , respectively. Consequently, the matrices $A,B,C$ in (III) can be obtained as

A=\begin{bmatrix}-3&1&0&1\\ 1&-2&1&0\\ 0&1&-2&1\\ 1&0&1&-2\end{bmatrix},\ B=\begin{bmatrix}1\\ 0\\ 0\\ 0\end{bmatrix},\ C=A\boldsymbol{1}_{n}=\begin{bmatrix}-1\\ 0\\ 0\\ 0\end{bmatrix}.

According to Lemma 5 and Lemma 7, one can easily verify that, in the absence of any attack, the frequencies of all the DGs converge to $314$ rad/s, while DGs 1, 2 and DGs 3, 4 share equal active power as per their equal droop coefficients. We now analyze protocols (III) and (IV) in case of an attack as discussed below.

VI-A Controller performance under attacked condition

According to Assumption 1, we consider that the frequency and power attacks are governed by the dynamics:

\dot{d}_{\omega}=F_{\omega}d_{\omega}+G_{\omega}\omega,

(43)

where

F_{\omega}=\begin{bmatrix}-5&0&0&0\\ 0&-3&0&0\\ 0&0&-5&0\\ 0&0&0&-3\end{bmatrix},

G_{\omega}=\begin{bmatrix}-0.001&-0.002&-0.003&-0.004\\ -0.003&-0.001&-0.004&-0.002\\ 0.004&0.003&0.002&0.001\\ 0.002&0.004&0.001&0.003\end{bmatrix}.

and

\dot{d}_{P}=F_{p}d_{P}+G_{P}(m_{P}P),

(44)

where

F_{P}=\begin{bmatrix}-2.5&0&0&0\\ 0&-3&0&0\\ 0&0&-2.5&0\\ 0&0&0&-3\end{bmatrix},

G_{P}=\begin{bmatrix}-0.035&-0.036&-0.037&-0.038\\ -0.088&-0.085&-0.086&-0.087\\ 0.037&0.038&0.035&0.036\\ 0.086&0.087&0.088&0.085\end{bmatrix}.

Please note that these frequency and power attacks (43) and (44) are completely unknown to the controller and are initialized in the system as injections by the attacker at a given time. To emphasize the importance of introducing an auxiliary layer in the distributed control framework, we now discuss the performance of proposed controllers in the absence and presence of $\Pi$ , followed by the effect of load perturbations.

VI-A1 Absence of auxiliary layer

We first illustrate the test system in the presence of cyber-attacks and the absence of an auxiliary layer (and hence, the auxiliary nodes) from the frequency and power controllers (III) and (IV), respectively.

Initially, in the absence of an attack, the microgrid is operating normally under controllers (6a) and (25a), at $314$ rad/s with DGs 1, 2 and 3, 4 delivering equal power at $6.7$ kW and $4.5$ kW, respectively, as shown in Figs. 4 and 5 for the initial 10 s. The frequency and power attacks in (43) and (44) are initialized at $t=10$ s and $t=30$ s, causing the frequency of all the DGs to deviate by about $19$ rad/s from the nominal value at 10 s and settle down to a common steady-state value of $295$ rad/s due to the distributed action of nodes in the control layer, which is further shifted to $298$ rad/s post introduction of power attack at $t=30$ s. Similarly, the active power-sharing is also adversely affected, as depicted by Fig. 5.

VI-A2 Presence of auxiliary layer

We now simulate the test microgrid in the presence of auxiliary layer in (III) and (IV), where the initial states $z(0)$ of the auxiliary nodes are randomly chosen and gain $\beta=2$ . As shown in Fig. 6, frequencies are restored in the neighborhood of $314$ rad/s in about $5$ s, post attacks (43) and (44), introduced at $t=10$ s and $t=30$ s, respectively. Similarly, Fig. 7 shows that power-sharing is also maintained for DGs 1, 2 and 3, 4 in the neighborhood of their nominal values, after a slight deviation at $t=10$ s and $t=30$ s, which lasts approximately about $1.5$ s.

VI-A3 Effect of load perturbations

In addition to the resiliency against frequency and power attacks, we also verify the robustness of proposed controllers (III) and (IV) against abrupt load deviations. For illustration, we consider here that the frequency and power attacks are initiated at $t=10$ s and $t=50$ s with different (initial) values for each communication link, given by, $d_{\omega}(t=10~{}{\rm s})=[4.5,2.5,-4,-2]^{T}$ and $d_{P}(t=50~{}{\rm s})=[-4,-2.5,3,1.5]^{T}$ , respectively. Further, the loads $\rm{L_{2},L_{4}}$ are increased by $0.5$ times their initial magnitude at $t=30$ s and then decreased by the same amount at $t=70$ s, respectively. Fig. 8 depicts that the proposed resilient control scheme restores the DG frequencies to their nominal value within a span of $10$ s. Similarly, Fig. 9 illustrates accurate power-sharing post load perturbation, with DGs 1, 2 now sharing $8$ kW and DGs 3, 4 sharing $5.4$ kW, respectively. The plots for $d_{\omega}$ and $d_{P}$ are shown in Figs. 10 and 11, respectively, where the attacks converge to different steady-state values. Note that the term $G_{\omega}\omega$ in (43) is of the order of $10^{-3}$ and is dominated by the first term $F_{\omega}d_{\omega}$ , the plot for $d_{\omega}$ does not show noticeable fluctuations with load perturbations, as compared to $d_{P}$ .

VI-B Attack Detection

To illustrate this, we consider the following scenario wherein the communication link between DG 1 and DG 4 is under attack $d_{\omega_{4}}\in\mathbb{R}$ as shown in Fig. 12(a), which is initialized at $t=10$ s with an initial magnitude of $-2$ rad/s as shown in Fig. 13, with all the other attack components being 0. Due to this, a corrupted frequency signal $\check{\omega}_{14}=\omega_{4}+d_{\omega_{4}}$ (please refer to (3)) is sent from node $4$ to node $1$ in the control layer $\Sigma$ . However, DGs $1$ and $4$ share an additional information through the auxiliary layer $\Pi$ according to (41), and is given by $\bar{z}_{14}=\beta z_{4},\ \bar{\omega}_{14}=z_{4}-\beta{\omega}_{4}$ , using which, the estimated frequency signal at node 1, due to an attack on node 4, can be calculated using (42) as $\hat{\omega}_{14}=\frac{1}{\beta}(\frac{\bar{z}_{14}}{\beta}-\bar{\omega}_{14})$ .

Fig. 14 shows the plot of actual $\check{\omega}_{14}$ and estimated frequency signal $\hat{\omega}_{14}$ with time. Clearly, $\check{\omega}_{14}\neq\hat{\omega}_{14}$ after $t=10$ s, and hence, an attack is detected on the communication link connecting nodes 1 and 4. This attack can be isolated by removing the edge $(1,4)\in\mathcal{E}$ provided the remaining network is connected, that is, the isolated network contains at least one spanning tree. As shown in Fig. 12(b), since the microgrid system remains connected even after isolation of the corrupted communication link, it operates normally likewise in subsection VI-A; please refer to Figs. 15 and 16 for frequency restoration and power-sharing in this situation. Here, the load perturbations are introduced with the same magnitude and at similar time instants as in the previous subsection.

VII Conclusion

Relying on an auxiliary layer-based design, we investigated an attack-resilient distributed control mechanism for achieving frequency regulation and active power-sharing in an islanded AC microgrid network. One of the main features of our approach is that it not only guarantees the resiliency against simultaneous frequency and power attacks but also, devises an attack detection mechanism as a byproduct, leveraging the interaction between the control and auxiliary layers. The frequency and power controllers were formulated as leader-follower and leaderless multi-agent systems, respectively, accompanied by suitable auxiliary-state dynamics. Under (standard) assumptions on frequency and power attacks, it was shown that the proposed approach assures the frequency restoration and active power-sharing in the small neighborhood of their steady-state values in the presence of any attack. It was proved that these bounds depend on the underlying network topology, the magnitude of the attack signal, and the pinning and control gains decided by the designer. Extensive simulation results were provided to illustrate and verify the theoretical developments in the paper, followed by a simulation demonstrating attack detection and isolation provided the resulting network is connected.

It would be interesting in future work to extend the analysis to a resilient finite-time distributed framework as the power systems are expected to respond in a certain time to avoid any serious damage.

References

[1] Q. Zhou, M. Shahidehpour, A. Paaso, S. Bahramirad, A. Alabdulwahab, and A. Abusorrah, “Distributed control and communication strategies in networked microgrids,” IEEE Communications Surveys & Tutorials, vol. 22, no. 4, pp. 2586–2633, 2020.
[2] C. Peng, H. Sun, M. Yang, and Y.-L. Wang, “A survey on security communication and control for smart grids under malicious cyber attacks,” IEEE Transactions on Systems, Man, and Cybernetics: Systems, vol. 49, no. 8, pp. 1554–1569, 2019.
[3] H. T. Reda, A. Anwar, and A. Mahmood, “Comprehensive survey and taxonomies of false data injection attacks in smart grids: attack models, targets, and impacts,” Renewable and Sustainable Energy Reviews, vol. 163, p. 112423, 2022.
[4] R. Lu, J. Wang, and Z. Wang, “Distributed observer-based finite-time control of ac microgrid under attack,” IEEE Transactions on Smart Grid, vol. 12, no. 1, pp. 157–168, 2020.
[5] Y. Wang, S. Mondal, C. Deng, K. Satpathi, Y. Xu, and S. Dasgupta, “Cyber-resilient cooperative control of bidirectional interlinking converters in networked ac/dc microgrids,” IEEE Transactions on Industrial Electronics, vol. 68, no. 10, pp. 9707–9718, 2020.
[6] M. S. Sadabadi, S. Sahoo, and F. Blaabjerg, “A fully resilient cyber-secure synchronization strategy for ac microgrids,” IEEE Transactions on Power Electronics, vol. 36, no. 12, pp. 13 372–13 378, 2021.
[7] J. Xiao, L. Wang, Z. Qin, and P. Bauer, “A resilience enhanced secondary control for ac micro-grids,” IEEE Transactions on Smart Grid, 2023.
[8] A. Intriago, F. Liberati, N. D. Hatziargyriou, and C. Konstantinou, “Residual-based detection of attacks in cyber-physical inverter-based microgrids,” IEEE Transactions on Power Systems, 2023.
[9] S. Madichetty and S. Mishra, “Cyber attack detection and correction mechanisms in a distributed dc microgrid,” IEEE Transactions on Power Electronics, vol. 37, no. 2, pp. 1476–1485, 2021.
[10] M. Liu, C. Zhao, J. Xia, R. Deng, P. Cheng, and J. Chen, “Pddl: Proactive distributed detection and localization against stealthy deception attacks in dc microgrids,” IEEE Transactions on Smart Grid, vol. 14, no. 1, pp. 714–731, 2022.
[11] Y. Wan and T. Dragičević, “Data-driven cyber-attack detection of intelligent attacks in islanded dc microgrids,” IEEE Transactions on Industrial Electronics, vol. 70, no. 4, pp. 4293–4299, 2022.
[12] A. Takiddin, S. Rath, M. Ismail, and S. Sahoo, “Data-driven detection of stealth cyber-attacks in dc microgrids,” IEEE Systems Journal, vol. 16, no. 4, pp. 6097–6106, 2022.
[13] K. Zhang, C. Keliris, T. Parisini, and M. M. Polycarpou, “Stealthy integrity attacks for a class of nonlinear cyber-physical systems,” IEEE Transactions on Automatic Control, vol. 67, no. 12, pp. 6723–6730, 2021.
[14] L.-Y. Lu, J.-H. Liu, S.-W. Lin, and C.-C. Chu, “Concurrent cyber deception attack detection of consensus control in isolated ac microgrids,” IEEE Transactions on Industry Applications, 2023.
[15] A. Mustafa and H. Modares, “Attack analysis and resilient control design for discrete-time distributed multi-agent systems,” IEEE Robotics and Automation Letters, vol. 5, no. 2, pp. 369–376, 2019.
[16] A. Gusrialdi, Z. Qu, and M. A. Simaan, “Competitive interaction design of cooperative systems against attacks,” IEEE Transactions on Automatic Control, vol. 63, no. 9, pp. 3159–3166, 2018.
[17] Y. Chen, D. Qi, H. Dong, C. Li, Z. Li, and J. Zhang, “A fdi attack-resilient distributed secondary control strategy for islanded microgrids,” IEEE Transactions on Smart Grid, vol. 12, no. 3, pp. 1929–1938, 2020.
[18] Q. Zhou, M. Shahidehpour, A. Alabdulwahab, A. Abusorrah, L. Che, and X. Liu, “Cross-layer distributed control strategy for cyber resilient microgrids,” IEEE Transactions on Smart Grid, vol. 12, no. 5, pp. 3705–3717, 2021.
[19] Y. Liu, Y. Li, Y. Wang, X. Zhang, H. B. Gooi, and H. Xin, “Robust and resilient distributed optimal frequency control for microgrids against cyber attacks,” IEEE Transactions on Industrial Informatics, vol. 18, no. 1, pp. 375–386, 2021.
[20] M. Jamali, M. S. Sadabadi, M. Davari, S. Sahoo, and F. Blaabjerg, “Resilient cooperative secondary control of islanded ac microgrids utilizing inverter-based resources against state-dependent false data injection attacks,” IEEE Transactions on Industrial Electronics, 2023.
[21] J. M. Guerrero, J. C. Vasquez, J. Matas, L. G. De Vicuña, and M. Castilla, “Hierarchical control of droop-controlled AC and DC microgrids—a general approach toward standardization,” IEEE Transactions on industrial electronics, vol. 58, no. 1, pp. 158–172, 2010.
[22] L. Wang and F. Xiao, “Finite-time consensus problems for networks of dynamic agents,” IEEE Transactions on Automatic Control, vol. 55, no. 4, pp. 950–955, 2010.
[23] V. Vaishnav, D. Sharma, and A. Jain, “Quadratic-droop-based distributed secondary control of microgrid with detail-balanced communication topology,” IEEE Systems Journal, 2023.
[24] H. Dong, C. Li, and Y. Zhang, “Resilient consensus of multi-agent systems against malicious data injections,” Journal of the Franklin Institute, vol. 357, no. 4, pp. 2217–2231, 2020.
[25] J. Guerrero, L. G. de Vicuna, J. Matas, M. Castilla, and J. Miret, “Output impedance design of parallel-connected ups inverters with wireless load-sharing control,” IEEE Transactions on Industrial Electronics, vol. 52, no. 4, pp. 1126–1135, 2005.
[26] R. A. Horn and C. R. Johnson, Topics in matrix analysis. Cambridge university press, 1991.
[27] P. Lancaster and H. K. C. R. Farahat, “Norms on direct sums and tensor products,” mathematics of computation, vol. 26, no. 118, pp. 401–414, 1972.
[28] R. A. Horn and C. R. Johnson, Matrix analysis. Cambridge university press, 2012.
[29] H. K. Khalil, “Nonlinear systems third edition,” Patience Hall, vol. 115, 2002.
[30] A. Gusrialdi and Z. Qu, “Cooperative systems in presence of cyber-attacks: a unified framework for resilient control and attack identification,” in 2022 American Control Conference (ACC). IEEE, 2022, pp. 330–335.
[31] P. Danzi, M. Angjelichinoski, C. Stefanovic, T. Dragicevic, and P. Popovski, “Software-defined microgrid control for resilience against denial-of-service attacks,” IEEE Transactions on Smart Grid, vol. 10, no. 5, pp. 5258–5268, 2019.
[32] S. Zhang, “An overview of network slicing for 5g,” IEEE Wireless Communications, vol. 26, no. 3, pp. 111–117, 2019.