
Received January 25, 2021, accepted February 2, 2021, date of publication February 10, 2021, date of current version February 24, 2021.


Digital Object Identifier 10.1109/ACCESS.2021.3058403

Cyber-Physical Energy Systems Security: Threat Modeling, Risk Assessment, Resources, Metrics, and Case Studies
IOANNIS ZOGRAFOPOULOS (Graduate Student Member, IEEE), JUAN OSPINA (Member, IEEE), XIAORUI LIU (Student Member, IEEE), AND CHARALAMBOS KONSTANTINOU (Senior Member, IEEE)
Center for Advanced Power Systems, FAMU-FSU College of Engineering, Florida State University, Tallahassee, FL 32310, USA
Corresponding author: Ioannis Zografopoulos (izografopoulos@fsu.edu)
This work was supported in part by the U.S. Department of Energy's Office of Energy Efficiency and Renewable Energy (EERE) through the Solar Energy Technology Office (SETO) under Award DE-EE0008768, and in part by the IEEE Foundation through the IEEE IAS Myron Zucker Faculty-Student Grant.

ABSTRACT Cyber-physical systems (CPS) are interconnected architectures that employ analog and digital components as well as communication and computational resources for their operation and interaction with the physical environment. CPS constitute the backbone of enterprise (e.g., smart cities), industrial (e.g., smart manufacturing), and critical infrastructure (e.g., energy systems). Thus, their vital importance, interoperability, and plurality of computing devices make them prominent targets for malicious attacks aiming to disrupt their operations. Attacks targeting cyber-physical energy systems (CPES), given their mission-critical nature within the power grid infrastructure, can lead to disastrous consequences. The security of CPES can be enhanced by leveraging testbed capabilities in order to replicate and understand power systems operating conditions, discover vulnerabilities, develop security countermeasures, and evaluate grid operation under fault-induced or maliciously constructed scenarios. Adequately modeling and reproducing the behavior of CPS could be a challenging task. In this paper, we provide a comprehensive overview of the CPS security landscape with an emphasis on CPES. Specifically, we demonstrate a threat modeling methodology to accurately represent the CPS elements, their interdependencies, as well as the possible attack entry points and system vulnerabilities. Leveraging the threat model formulation, we present a CPS framework designed to delineate the hardware, software, and modeling resources required to simulate the CPS and construct high-fidelity models that can be used to evaluate the system's performance under adverse scenarios. The system performance is assessed using scenario-specific metrics, while risk assessment enables the system vulnerability prioritization factoring the impact on the system operation. The overarching framework for modeling, simulating, assessing, and mitigating attacks in a CPS is illustrated using four representative attack scenarios targeting CPES. The key objective of this paper is to demonstrate a step-by-step process that can be used to enact in-depth cybersecurity analyses, thus leading to more resilient and secure CPS.

INDEX TERMS Cyber-physical systems, security, threat modeling, power grid, simulation, risk assessment, testbeds.

NOMENCLATURE
AGC: automatic generation control
BESS: battery energy storage system
CB: circuit breaker
CHIL: controller hardware-in-the-loop
CORE: common open research emulator
CPES: cyber-physical energy systems
CPS: cyber-physical systems
DAA: data availability attack
DER: distributed energy resources
DG: distributed generation
DIA: data integrity attack
DiD: defense-in-depth
DoS: denial-of-service
EMT: electromagnetic transient
EPS: electric power systems
ESS: energy storage system
EV: electric vehicle
FACTS: flexible AC transmission systems
FDIA: false data injection attack
HIL: hardware-in-the-loop
HMI: human-machine interface
IC: integrated circuit
ICS: industrial control systems
ICT: information and communication technologies
IDS/IPS: intrusion detection and prevention systems
IED: intelligent electronic devices
IoT: internet-of-things
IT: information technology
MG: microgrid
MitM: man-in-the-middle
MPPT: maximum power point tracking
MTU: master terminal unit
NIC: network interface cards
OS: operating system
OT: operational technology
PCC: point of common coupling
PHIL: power hardware-in-the-loop
PLC: programmable logic controllers
PMU: phasor measurement units
PV: photovoltaic
QoS: quality-of-service
RES: renewable energy source
RTS: real-time simulator
RTU: remote terminal units
SCADA: supervisory control and data acquisition
SDN: software defined network
T&D: transmission and distribution
TDA: time-delay attack
TES: transactive energy systems
TESS: thermal energy storage system
TS: transient stability
TTP: tactics, techniques, and procedures

The associate editor coordinating the review of this manuscript and approving it for publication was Giacomo Verticale.

This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
VOLUME 9, 2021 29775
I. Zografopoulos et al.: Cyber-Physical Energy Systems Security

I. INTRODUCTION

A. BACKGROUND AND MOTIVATION

Over the past years, electric power systems (EPS) have diverged from a unidirectional generation and transmission model towards a more distributed architecture that supports traditional generation sources as well as distributed energy resources (DERs) in the form of distributed generation (DG), such as PV and wind, and distributed storage (DS) sources, such as battery energy storage systems (BESS) and thermal energy storage systems (TESS). The transformation of EPS to cyber-physical energy systems (CPES) is primarily enabled by the introduction of information and communication technologies (ICT), automated control systems, remote sensing, and embedded industrial internet-of-things (IIoT) devices. According to the National Institute of Standards and Technology (NIST) [1], cyber-physical systems (CPS) refer to architectures that incorporate digital, analog, and physical components. The interaction of these components is determined by the dynamics of the system and the rules which orchestrate its operation. CPES are energy-focused engineered systems that are transforming the way traditional EPS operate by seamlessly integrating physical entities with human, digital, and networking components designed to operate through integrated physics and computational logic. As such, CPES contribute significantly towards the EPS modernization, allowing for better planning, more flexible control, cyber-secure operations, system-wide optimization, transactive energy systems (TES), improvements in power quality, system reliability enhancements, resiliency, interoperability, and cleaner energy generation.

The security of CPS presents significant challenges in controlling and maintaining secure access to critical system resources and services (e.g., for CPES: generation reserves, frequency stability controls, power line protection, etc.), as well as ensuring the confidentiality, accessibility, and integrity of the information exchanged (e.g., control signals of supervisory control and data acquisition – SCADA systems). CPS, being large-scale complex systems of systems, employ numerous computing components such as remote terminal units (RTUs), programmable logic controllers (PLCs), and intelligent electronic devices (IEDs) that are often designed without security in mind. Typically, the hardware, software, and communication interfaces of these devices are developed utilizing commercial off-the-shelf components [2]. Thus, vulnerabilities within such components can be ported to the CPS environments, creating potential entry points for malicious adversaries¹ aiming to disrupt CPS operations. An indicative incident of malicious behavior targeting CPS operation was reported in March 2019. Attackers targeted the United States (U.S.) grid infrastructure and performed a denial-of-service (DoS) attack through the exploitation of a known CPES vulnerability, namely a web interface firewall vulnerability [3], [4]. The attack resulted in the loss of communication between the utility's generation assets and the energy management system [5], causing brief interruptions in the utility's service. The number of cyber-attacks where adversaries exploit known and existing vulnerabilities to compromise CPS is increasing. This fact is validated by security reports stating that "99% of the vulnerabilities exploited in 2020 are known to security professionals, while zero-day vulnerabilities only account for the 0.4% of vulnerabilities exposed during the past decade" [6].

The importance of CPS, and CPES in particular, for economic prosperity and public health at the national, state, and local level can motivate attackers to compromise such systems in order to obtain financial or political gains.

¹ Throughout the paper, we use the terms adversary, threat actor, and attacker interchangeably.


Hence, the evaluation of the CPES robustness and resilience against attacks in realistic scenarios is of paramount importance. At the same time, the quantification of cybersecurity risks is becoming more complex and challenging as EPS – also referred to as the "largest interconnected machine on earth" [7] – integrate numerous cyber-components at all levels and scales. In the past, the simulation of specific abnormal scenarios (e.g., faults, overvoltage conditions, frequency fluctuations, etc.) was sufficient to provide insights into EPS operations. However, current advances towards intelligent and interconnected CPES require more accurate models and representations capable of capturing the dynamic behavior of these interoperable systems. The enhancement of CPES security and reliability requires constant probing for potential weaknesses [8]. Security studies need to reflect the nature of the CPES infrastructure in actual testing environments that support the interfacing of actual hardware devices designed to operate in the 'real' system. In this context, hardware-in-the-loop (HIL) testbeds are effective in providing testing capabilities for evaluating the synergistic relationship between physical and virtual components in controlled environments. Security-oriented HIL testbeds are invaluable in performing cybersecurity and risk analyses, identifying system vulnerabilities in various layers (e.g., hardware, firmware, software, protocol, process), implementing intrusion detection and prevention algorithms, and assessing the efficiency of mitigation techniques without inducing excessive economic burdens or safety hazards [2], [9].

The primary motivation of this paper is to develop a framework which bridges theoretical and simulation-based security case studies and evaluates CPS system behavior leveraging testbed environments, leading to more secure CPES architectures. In order for testbeds to reliably capture the characteristics of the cyber-physical environment, testing and experimental case studies need to be described and modeled considering both the cyber and physical domains. The case studies require detailed descriptions of the resources and metrics that will be utilized for evaluating the CPES performance, reliability, and resilience. In addition, the testing setup must also capture the threat modeling characteristics of the adversary and the attack methodology. In terms of a potential adversary, the threat modeling characteristics are adversarial knowledge, resources, access to the system, and specificity. As for the attack methodology, the threat modeling characteristics include the attack frequency, reproducibility, discoverability, target level, attacked asset, attack techniques, and premise. Doing so, in a holistic and step-by-step approach, allows researchers and stakeholders to thoroughly examine and uncover security risks existing in the CPES under evaluation.

B. RESEARCH CONTRIBUTION AND OVERVIEW

The underlying goal of this manuscript is to provide a complete and detailed presentation of CPS security research studies by demonstrating a modular framework for assessing CPS security in the context of CPES. To this end, the paper describes all the required components for evaluating the behavior and performance of CPES under diverse and adverse operational scenarios. The framework exhibits the modeling techniques used to represent the cyber and physical domains of the system, considers the resources used to model the CPES, and presents essential evaluation metrics for each corresponding case study. The contributions of this work, focusing on CPES security, can be summarized as follows:
• A literature review is provided that presents the research efforts in the area of CPS and CPES security, describes cyber-physical testbeds developed by prominent research centers and laboratories around the world, and illustrates current threat and risk modeling approaches widely used in the industry.
• A threat modeling methodology is proposed, comprised of two major parts, the adversary model and the attack model, allowing for an inclusive evaluation of malicious attack strategies.
• Leveraging our threat modeling approach, a risk assessment process is provided that takes into account risks related to the effectiveness of an attack, the targeted system component, and the criticality of the cyber-physical process being compromised.
• A framework is described that elucidates the crucial components and resources needed to accurately characterize CPS, making it essential for evaluating numerous studies (e.g., cyber, control, etc.). It is important to note that the proposed CPS framework can be used to characterize CPS in other sectors such as healthcare and transportation, but in this work, it is evaluated specifically for CPES.
• Four illustrative CPES attack case studies are presented, demonstrating the practicality of the CPS framework. For each case study, we provide the corresponding background and mathematical formulation, threat model, attack setup, and risk assessment. We also describe how each stage of the CPS analysis framework is applied to thoroughly model the specific characteristics of each case study.

A schematic overview of this paper is illustrated in Fig. 1. Section II presents the current state of CPES testbed research, a literature review of CPES security studies, and preliminary information for threat analysis and risk assessment of CPS. Section III delineates our comprehensive threat modeling and risk assessment methodology. Section IV provides the description of the proposed CPS framework with details on the modeling, resources, and performance metrics. In Section V, we discuss the background information and mathematical formulation for attack cases targeting CPES and present such simulated test case scenarios accompanied by their experimental results implemented using the developed CPS framework. Finally, Section VI concludes this work.


FIGURE 1. Roadmap of the paper.

II. CYBER-PHYSICAL ENERGY SYSTEMS (CPES): TESTBEDS, STUDIES, AND SECURITY ANALYSIS

This section provides an overview of different CPES testbeds developed by various research centers and presents their research objectives alongside the equipment used to realize them. We define different classes of CPES security studies from the literature and discuss prominent examples from such categories. Furthermore, we describe threat modeling and risk assessment methodologies and discuss how they can support security studies by defining, preventing, and mitigating threats.

A. CPES TESTBEDS

Throughout the years, EPS were designed and simulated following unidirectional structures in which power is generated at large bulk power generation facilities and then delivered through different stages of transmission and radial distribution systems to consumers. Minimum efforts were exerted to facilitate the integration of renewable energy sources (RES) and DERs [10]. However, the increasing penetration of RES and DERs, along with the grid modernization efforts through ICT, increases the complexity of EPS [11]. On the one hand, RES and DERs can be used to meet consumer demands, providing reliable, economic, and environmentally friendlier energy. On the other hand, attackers can exploit the fact that these resources are not centrally controlled (i.e., controlled directly by utilities) and stealthily plant their attacks on vulnerable system assets [12], [13]. The complex nature of modern EPS introduces a variety of potential entry points for attacks due to the fact that these systems depend on ICT for the communication between system assets [14]. Although the exigency for secure and resilient EPS is evident, our limited experience with dealing and coordinating such sophisticated architectures exacerbates the situation. We lack mechanisms to detect and mitigate the impact of unexpected adverse events on power system operation. The design of power system monitoring, control, and estimation algorithms which are inherently secure, regardless of relying on the CPES interconnected nature, relies heavily on the existence of representative frameworks where current and future security features and methodologies can be developed and evaluated.

CPES testbeds can provide an ideal environment where thorough system evaluations can be performed without any impact on the actual power system. The use of testbeds helps de-risk certain procedures before migration to the actual system, and avoid any potential adverse impact they could inflict. Such procedures include the testing and impact evaluation of new EPS equipment (e.g., integration of PV parks, electric vehicles – EV charging stations, etc.), new control strategies (e.g., power dispatch prioritization between DER, RES, or other power generation resources), and mitigation methodologies for unexpected events (e.g., faults, equipment failures, cyber-attacks, etc.). The main structural components of such cyber-physical testbeds are depicted in Fig. 2. Below, we provide a list of the possible security-related tasks that can be performed on CPES testbeds:
• Train users and stakeholders in a simulated/emulated CPES environment.
• Validate interoperable systems' performance holistically, i.e., from the lowest level of operation (e.g., sensors, actuators, process, etc.) to the highest levels, including communication between assets, distributed control, and monitoring applications.
• Develop and validate cyber-physical metrics and examine system security.
• Test novel security mechanisms such as intrusion detection and prevention systems (IDS/IPS), authentication protocols, and encryption algorithms.
• Evaluate the impact of attacks on the cyber and physical domains of the EPS.

TABLE 1. Cyber-physical testbed architectures, accuracy, repeatability, cost characteristics, and example testbeds with their simulation resources.

FIGURE 2. Cyber-physical testbed components for EPS research.

• Examine the effectiveness of mitigation strategies against adverse cyber-physical events.

The importance of cybersecurity research for CPS and critical CPES infrastructures has led many universities and U.S. national laboratories to develop in-house testbeds, not only for research but also for education and training purposes [41]. A variety of testbeds have been designed and implemented based on the application field and the research objectives. In Table 1, we provide a summary of some of the existing real-time simulation CPS testbeds along with their inherent resources (i.e., simulation capabilities). We also categorize the cyber-physical testbeds based on their architecture, cost, and accuracy characteristics. Additionally, we present an in-depth overview of the differences between hardware- and software-assisted testbeds.

Hardware-assisted testbeds are designed to explicitly study CPS while mostly incorporating several actual physical components encountered in the field. For instance, CPES hardware-assisted testbeds integrate physical equipment such as generators, relays, switchgear, energy storage systems – ESS, PV panels, wind turbines, etc. By replicating the behavior of the actual system with a considerable amount of physical equipment, these testbeds provide stakeholders the ability to: i) make decisions not only based on theoretical analyses but also on practical studies leveraging the use of hardware resources, ii) evaluate the CPS behavior under abnormal operational scenarios without inhibiting the operation of the real system, and iii) preemptively assess cyber-attack or fault mitigation and control strategies before the corresponding hardware is deployed to the field, and thus de-risk this cost-prohibitive and unpredictable process. Hardware-assisted testbeds, however, suffer from three major disadvantages: i) they are not cost-effective since they require the testbed components to match the actual equipment deployed in the field, ii) once the equipment and testbed configurations are set up in place, any modification or expansion of the system architecture can be either time-consuming or practically and economically infeasible, and iii) scalability issues arise in representing large-scale EPS due to the requirement of procuring more assets (e.g., generators, inverters, etc.).

A typical example of a hardware-assisted research laboratory that leverages actual operational equipment to perform CPES security research is the Idaho National Laboratory (INL) of the U.S. Department of Energy (DOE) [15]. INL's Power and Energy Real-Time Laboratory [16], [17], alongside their nuclear laboratory [18], [19] and microgrid (MG) testbed [20], [21], allows the simulation of realistic scenarios supported by actual hardware equipment and data generation routines. The real-time simulation capabilities of INL's testbeds allow researchers to create sophisticated scenarios involving power hardware devices that are


interfaced with real-time simulation environments via HIL methodologies such as power hardware-in-the-loop (PHIL) and controller hardware-in-the-loop (CHIL) [17]. HIL allows controllers (CHIL) and parts of EPS (PHIL) to be extensively tested before their final integration into the main grid [42]. The National Renewable Energy Laboratory (NREL) of DOE also includes hardware-assisted testbeds [22]. NREL's Flatirons campus specializes in designing, analyzing, and providing accurate simulation models for wind turbines, hydropower, and hydrokinetic generation plants [23]. Their unique facilities drive the improvement of their high-fidelity simulation models, which are cross-referenced to real assets, providing invaluable tools for power engineers performing system analyses incorporating off-shore, or distributed hydro and wind generation [24]. The actual power system assets of wind turbines and hydro-plants, as well as their simulation models, can be leveraged to investigate the potential impact of component failures or cyber-attack incidents with minimum cost, and most importantly, without compromising the actual EPS operation.

Hardware-assisted CPES testbeds do not exclusively utilize physical equipment. In most cases, the conducted research is supported by simulation software enabling the analysis of more complex systems. Since an actual duplicate of an operational CPS in the lab is typically infeasible, in the past years a high number of software-based CPS testbeds have been developed following the notion of digital-twin systems [43], [44]. The main difference between software-assisted testbeds and their hardware-assisted counterparts is that they do not possess any actual field equipment, thus limiting their testing scenarios. Moreover, software-assisted testbeds can be further segmented into sub-categories based on the simulation platform utilized for the system analysis. Some of them utilize widely available software simulators, e.g., Matlab/Simulink, PowerWorld, PSSE, etc., while others rely on real-time simulators (RTS) such as Opal-RT, RTDS, Typhoon, and Speedgoat. The main advantage of software-based CPS testbeds, compared to hardware-based testbeds, is the increased flexibility in designing, modifying, and scaling the systems under test. Also, their cost can be significantly lower for simulating large-scale CPES. However, the validity of the software-based simulated results relies heavily on the fidelity of the models (for emulation, virtualization, etc.) used to represent the corresponding real systems under investigation.

Examples of testbed environments with extensive CPS simulation capabilities include the ones at Texas A&M and TU Dortmund. At the Texas A&M CPS testbed, despite the lack of actual EPS equipment, CPES technologies such as smart grid controllers and RES can be virtualized and evaluated using software-based implementations. The testbed also includes RTS systems (RTDS) and supports the modeling of communications of CPES components via network simulators (OPNET). Furthermore, it allows researchers to evaluate how communication-enabled devices expand the threat surface [25].

The rapid penetration of ICT technologies in CPS is driving the design and development of large-scale software-defined network (SDN) testbeds [45]. In such SDN-type testbeds, researchers can evaluate novel network technologies, communication protocols, custom data routing algorithms, etc. An example of such an environment is the SDN4SmartGrids CPS testbed at TU Dortmund, where both SDNs and power system RTS are employed for experimentation with ICT-based smart grid applications [27]. In particular, the TU Dortmund testbed is comprised of an RTS (Opal-RT) responsible for simulating the power system components. The infrastructure emulating the network topology and communication between the simulated grid assets (e.g., EVs, ESS, etc.), management systems, and telemetry units (e.g., phasor measurement units – PMUs, advanced metering infrastructure – AMI, etc.) is implemented using the SDN and the OPNET network simulator [28].

In order to bridge the gap between the hardware- and software-assisted CPS testbed methodologies, hybrid testbeds are considered an effective alternative. As their name implies, hybrid approaches trade off the utilization of the physical components that can be found at the transmission and distribution (T&D) level of CPES against the utilization of simulators and software suites designed to accurately represent the behavior of real energy systems. Hybrid testbeds enable diverse security investigations that can focus on the physical system (e.g., programmable controllers, IEDs, grid assets, etc.), the cyber system (i.e., SCADA communications, telemetry and remote control of assets, monitoring and measurement components, etc.), or any combination of the two. The main advantage of such testbeds is that they provide re-configurable platforms that can scale up, using simulation, to realistic systems' sizes, while also retaining the ability to investigate, with high granularity, the individual security and control properties present in physical devices. Consequently, hybrid CPS testbeds can evaluate holistically the impact of cyber-attacks on CPES, without any of the limitations encountered in hardware-assisted or software-assisted testbeds.

A prime example of a hybrid CPES testbed framework is HELICS [35], [36]. The HELICS infrastructure enables the integration of different RTS operating at different time-steps as well as the interconnection of T&D system components. By timely simulating (depending on the temporal constraints) complex T&D architectures, cybersecurity assessments, including real-time impact analysis and risk mitigation strategies, can be conducted, providing meaningful insights regarding the behavior of CPES [37]–[39]. The Pacific Northwest National Laboratory (PNNL) also features a hybrid testbed leveraging the aforementioned advantages. The testbed facilitates a variety of cybersecurity studies [33], and provides an effective framework for system vulnerability assessments, interactive simulations of CPES environments, threat scenario analyses, and risk mitigation strategy evaluations.


The facilities of the Center for Advanced Power Systems (CAPS) of Florida State University (FSU) also include a hybrid testbed setup. The testbed supports the use of RTS based on the RTDS and Opal-RT platforms, power system simulation software such as OpenDSS, PSCAD/EMTDC, Matlab/Simulink, RT-Lab, and RSCAD/RTDS, and physical EPS components including generators, inverters, and flexible AC transmission systems (FACTS) [29]. The center's infrastructure can be segregated into two main subsystems able to perform both real-time and HIL simulations. The first subsystem is composed of 15 RTDS-enabled racks, each consisting of around 26-30 parallel processors. The subsystem can support real-time simulations comprised of more than 1,000 electrical nodes (e.g., measurement points) and 5,000 control units at time-steps in the range of 50 µs. It should be noted that for time-critical implementations, such as power electronics converters, the time-step of real-time simulation can be further reduced to the vicinity of 1 µs. Fiber-optic networks facilitate the interconnection between the RTS and the physical EPS equipment. Namely, the physical equipment of the testbed includes a 4.16 kV distribution system, a 7.5 MVA on-site service transformer, a 5 MW variable-voltage variable-frequency converter, a 5 MW dynamometer, and a 1.5 MVA experimental bus at 480 Vac [30]. The second subsystem includes three Opal-RT-enabled racks, supported by multiple processor units along with Xilinx field-programmable gate array (FPGA) computation units. The FPGA hardware accelerators perform the simulation of high-frequency power electronic converters with stringent timing constraints (i.e., in the ns range), while the rest of the EPS is simulated using µs time-steps. Both subsystems have support for multiple industrial protocols utilized for the communications between the physical or simulated EPS assets. Advanced control schemes and experimentation with communication network components are also supported via HIL simulations [31], [46]. Additionally, the impact of unexpected failures or cyber-attacks targeted at these components can be examined in a controlled environment where minimum risk exists [32].

B. CPES SECURITY STUDIES

During the past decade, significant effort has been exerted into CPES security studies with the objective of enhancing CPES resiliency and alleviating cybersecurity vulnerabilities. For instance, a comprehensive work reviewing cybersecurity vulnerabilities and solutions for smart grid deployments

Emphasis is given on the cybersecurity and reliability challenges arising in these architectures. Essential approaches (e.g., testbed-assisted security studies) are discussed to enhance the security of future power systems. In addition, [78] provides a complete overview of the cyber-threats encountered on the infrastructure, network protocols, and application levels of power systems. Furthermore, attacks targeting the data availability, integrity, and confidentiality of microgrids are discussed in [79].

In this section, we outline the main topics of existing literature in the area of CPES security. More specifically, the literature work is classified using the following categories: i) studies investigating the exploitation of CPES vulnerabilities, ii) studies evaluating the impact of cyber-attacks on CPES, iii) studies proposing and assessing algorithms (e.g., anomaly detection, IDS/IPS, etc.) for the detection of cyber-attacks, and iv) studies focusing on mitigation and defense mechanisms. In Table 2 we provide an overview of recent CPES security studies classified under the four aforementioned categories.

1) ATTACKS EXPLOITING CPES VULNERABILITIES

CPES are advancing towards decentralized interconnected systems in order to support increasing power demand while minimizing transmission losses, leverage MG deployments and their functionalities (e.g., grid-connected or autonomous operations), and incorporate DERs. In addition, to enhance CPES control, reliability, and security, digital ICT equipment such as advanced measuring and monitoring units are being employed in geographically dispersed locations of decentralized CPES. For example, PMUs provide time-synchronized (using GPS) granular measurements for EPS related states including voltage, current, and power magnitudes and phase angles. However, it has been demonstrated that adversaries can leverage open-source public resources to perform GPS spoofing attacks against PMUs [47]. By introducing small undetectable timing delays (in the µs range) in the measurement signals (within the IEEE standard limits for synchrophasors C37.118 [80]), the phase differences between actual and measured angles can be significantly altered, exceeding allowed limits, tripping circuit breakers (CBs), sectionalizing parts of the EPS, and causing power outages (e.g., brownouts, blackouts) [81].

Moreover, in [48], researchers introduce a coordinated load redistribution attack affecting power dispatch mechanisms. By attacking generators or transmission lines while falsifying
is presented in [75]. Security solution evaluation, system load demand and line power flows, system operators are
threat classification, and future cybersecurity research direc- misled into increasing load curtailment. Furthermore, in [49],
tions are also considered. The authors in [76], investigate the authors investigate two types of DoS attacks along with
cyber-attacks on IoT-enabled grid deployments. They dis- their impact on EPS. The first attack is assumed to be a
cuss how advancements in IoT technologies can drive the stealthy false data injection attack (FDIA) performed to mask
power grid modernization process, but at the same time the attack impact from detection algorithms. The second,
increase the system’s threat surface given its interconnected assumed as a non-stealthy attack, aims to maximize the
topology encompassing millions of IoT nodes. Researchers damage on power system operation by targeting the most
in [77] examine the security of modern power systems vulnerable transmission line, impeding power dispatch, and
from the viewpoint of interconnection with microgrids. causing load shedding. In [50], the authors propose hybrid

VOLUME 9, 2021 29781


I. Zografopoulos et al.: Cyber-Physical Energy Systems Security

TABLE 2. CPES security study categories and research examples.

data integrity and data availability attacks. They demon- in [12], [13] show that by coordinating the power usage
strate how control center measurements can be manipulated of multiple devices, power reserve limits of EPS can be
leading to undetectable FDIAs. In more detail, by modify- exceeded causing tripping of lines and shedding of loads.
ing some measurements (i.e., integrity attack) while making A botnet of IoT (internet-of-things)-connected high-wattage
some others unavailable to the state estimation algorithm loads, such as washing machines, air-conditioning units, dry-
(i.e., availability attack), FDIAs can bypass bad data detection ers, etc., are coordinated over the network, causing unex-
algorithms. pected power usage profiles and pushing the grid to instability
Ubiquitous power electronics bring new challenges to limits. Such attacks demonstrate that there is no require-
CPES operation [82]. Future CPES are expected to be ment of strong adversarial knowledge nor considerable attack
inverter-dominated systems. As such, vulnerabilities in such resources [51].
components can lead to abnormal system operation. In [52],
the authors investigate how stealthy non-invasive attacks on 2) EVALUATION OF ATTACK IMPACTS ON CPES
grid-tied inverters can compromise their nominal operation Impact evaluation and analysis studies are considered essen-
and impact grid operation. Specifically, by spoofing the tial for prioritizing and safeguarding critical components in
inverter’s hall sensor they demonstrate fluctuations in the out- CPES. Such analyses explore the consequences of malicious
put voltage, active and reactive power while also introducing attacks and can serve to proactively prepare systems for their
low-frequency harmonics to the grid. Similarly, by exploiting adverse implications. Impact evaluations can expose critical
a vulnerability in the authentication mechanism of General system components, assist in prioritizing and securing them,
Electric Multilin protection and control devices, the authors and aid in the development of contingency plans in case
in [83] show that remote or local attackers can obtain weakly these vulnerable components get compromised. For instance,
encrypted user passwords, which could then be reversed the authors in [53] propose assessment metrics designed to
allowing unauthorized access. Furthermore, the authors evaluate the resiliency of CPES against adversarial attacks.
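To make the timing-to-angle relation behind the GPS spoofing attack on PMUs (Section II-B1 above) concrete, the following added example, which is not code from the paper or from [47], [81], converts a clock offset into reported phase-angle error, checks a single frame against the IEEE C37.118.1 1 % TVE limit, and then ramps the offset frame by frame until the angle difference against a healthy reference PMU exceeds an assumed wide-area protection setting. The 60 Hz nominal frequency, the 60 frames/s reporting rate, the 20 µs per-frame drift and the 15-degree threshold are assumptions chosen for illustration.

```python
import math

# Added example (not from the paper): per-frame timing error on a GPS-disciplined PMU
# clock, expressed as phase-angle error, TVE, and time-to-trip against an assumed
# phase-difference protection setting.

F_NOM = 60.0        # nominal system frequency (Hz), assumed
TVE_LIMIT = 0.01    # IEEE C37.118.1 steady-state Total Vector Error limit (1 %)


def angle_shift_rad(dt_s, f_hz=F_NOM):
    """Phase-angle error (rad) a PMU reports when its time reference is off by dt_s seconds."""
    return 2.0 * math.pi * f_hz * dt_s


def tve(true_mag, true_ang_rad, meas_mag, meas_ang_rad):
    """Total Vector Error: |X_meas - X_true| / |X_true| on the complex phasors."""
    x_true = complex(true_mag * math.cos(true_ang_rad), true_mag * math.sin(true_ang_rad))
    x_meas = complex(meas_mag * math.cos(meas_ang_rad), meas_mag * math.sin(meas_ang_rad))
    return abs(x_meas - x_true) / abs(x_true)


def max_time_offset_within_tve(f_hz=F_NOM, tve_limit=TVE_LIMIT):
    """Largest pure timing offset (s) that keeps one frame inside the TVE limit when the
    magnitude is untouched: TVE = 2*|sin(dtheta/2)|, hence dtheta = 2*asin(TVE/2)."""
    dtheta = 2.0 * math.asin(tve_limit / 2.0)
    return dtheta / (2.0 * math.pi * f_hz)


def simulate_ramp_spoof(step_s, trip_deg, frames_per_s=60, max_frames=3600):
    """The attacker drags the victim's clock by step_s every reporting frame. A healthy
    neighbouring PMU keeps true time, so the angle difference between the two grows by
    angle_shift_rad(step_s) per frame. Returns the first frame (1-based) at which the
    difference exceeds trip_deg, together with the angle, elapsed time and the cumulative
    TVE against true time; None if the threshold is never reached."""
    angle = 0.0
    for frame in range(1, max_frames + 1):
        angle += angle_shift_rad(step_s)
        if math.degrees(angle) > trip_deg:
            return {
                "frame": frame,
                "angle_deg": math.degrees(angle),
                "elapsed_s": frame / frames_per_s,
                "cumulative_tve": tve(1.0, 0.0, 1.0, angle),
            }
    return None


if __name__ == "__main__":
    step = 20e-6   # assumed: 20 us of clock drift per frame, below the 1 % TVE envelope
    print("per-frame TVE:", tve(1.0, 0.0, 1.0, angle_shift_rad(step)))
    print("max single-frame offset within TVE (us):", max_time_offset_within_tve() * 1e6)
    print(simulate_ramp_spoof(step, 15.0))   # assumed 15 deg wide-area trip setting
```

Each individual frame stays inside the TVE envelope (about 26.5 µs of pure timing offset at 60 Hz), yet after 35 frames, well under a second, the accumulated difference passes 15 degrees; the cumulative TVE against true time is then above 25 %, which is the kind of discrepancy that a second, independent time source or a cross-PMU consistency check can expose even though the victim PMU itself reports nothing wrong.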
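The hybrid integrity/availability attack of [50] described above rests on the classic stealthy FDIA property: an injection a = Hc shifts the DC state estimate by c without changing the bad-data-detection residual, and jamming measurements shrinks the set the attacker has to alter consistently. The following is an added example, not code from the paper or from [50]; the 3-bus DC model (line reactances 0.1, 0.2 and 0.25 pu), the measurement noise, the residual threshold and the attacker's target shift are all constructed values.

```python
# Added example (not from the paper): stealthy false data injection against DC state
# estimation, with the availability variant of [50]. Pure-Python linear algebra so it
# runs without numpy. All network data below is constructed for illustration.


def transpose(a):
    return [list(col) for col in zip(*a)]


def matmul(a, b):
    return [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]


def matvec(a, v):
    return [sum(x * y for x, y in zip(row, v)) for row in a]


def solve(a, b):
    """Solve a x = b (a square) by Gaussian elimination with partial pivoting."""
    n = len(a)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for k in range(col, n + 1):
                m[r][k] -= f * m[col][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][k] * x[k] for k in range(r + 1, n))) / m[r][r]
    return x


def estimate(h, z):
    """Unweighted least-squares DC state estimate x_hat = (H^T H)^-1 H^T z."""
    ht = transpose(h)
    return solve(matmul(ht, h), matvec(ht, z))


def residual_norm(h, z):
    """||z - H x_hat||, the statistic a chi-square bad data detector thresholds."""
    fitted = matvec(h, estimate(h, z))
    return sum((zi - fi) ** 2 for zi, fi in zip(z, fitted)) ** 0.5


def bad_data_detected(h, z, tau):
    return residual_norm(h, z) > tau


def stealthy_attack(h, c):
    """a = Hc: shifts the estimate by c and leaves the residual unchanged."""
    return matvec(h, c)


def add(z, a):
    return [zi + ai for zi, ai in zip(z, a)]


def drop_rows(h, z, unavailable):
    """Availability attack: measurements the control center no longer receives are
    removed from H and z before the estimator runs."""
    keep = [i for i in range(len(z)) if i not in unavailable]
    return [h[i] for i in keep], [z[i] for i in keep]


def count_tampered(a, eps=1e-12):
    """How many measurements the attacker must actually modify for injection a."""
    return sum(1 for v in a if abs(v) > eps)


# Constructed 3-bus DC model: bus 1 is slack, state x = [theta2, theta3] (rad).
# Assumed reactances x12 = 0.1, x23 = 0.2, x13 = 0.25 pu.
# Measurement rows: P12, P23, P13, injection at bus 2, injection at bus 3.
H = [[-10.0, 0.0], [5.0, -5.0], [0.0, -4.0], [15.0, -5.0], [-5.0, 9.0]]
X_TRUE = [-0.05, -0.08]
NOISE = [0.002, -0.001, 0.001, -0.002, 0.001]   # constructed sensor noise
Z = add(matvec(H, X_TRUE), NOISE)
TAU = 0.01                                       # assumed residual threshold
C = [0.02, 0.01]                                 # attacker's desired state shift (rad)

if __name__ == "__main__":
    print("clean residual:", residual_norm(H, Z), "flag:", bad_data_detected(H, Z, TAU))
    naive = Z[:]
    naive[0] += 0.1
    print("naive single-row tamper flagged:", bad_data_detected(H, naive, TAU))
    za = add(Z, stealthy_attack(H, C))
    print("a=Hc residual:", residual_norm(H, za), "estimate:", estimate(H, za))
    hs, zs = drop_rows(H, Z, [2, 4])
    print("rows to tamper, full vs. after jamming:",
          count_tampered(stealthy_attack(H, C)), count_tampered(stealthy_attack(hs, C)))
```

A single tampered measurement is caught because its residual component lies outside the column space of H; the coordinated a = Hc injection passes with an identical residual; and once the two jammed rows are dropped, three consistent modifications suffice instead of five. The defensive corollary is that a BDD residual check is not an integrity control: measurement authenticity (authenticated telemetry) and the availability of the measurement set have to be monitored separately.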
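The coordinated high-wattage IoT load attack of [12], [13], [51] above can be quantified with a single-area frequency-response model. The following is an added example, not code from the paper or from those works: a swing equation with load damping and a droop governor behind a first-order turbine lag, driven by the load step that a botnet of N devices of P kW creates when switched on together. The inertia constant, damping, droop, governor time constant, 10 GW system base and 59.3 Hz first under-frequency load-shedding stage are assumptions chosen for illustration, not the settings of any real interconnection.

```python
# Added example (not from the paper or from [12], [13], [51]): single-area frequency
# response to a coordinated IoT high-wattage load attack. All parameters are assumed.

F0 = 60.0             # nominal frequency (Hz)
H_SYS = 4.0           # aggregate inertia constant (s), assumed
D_LOAD = 1.0          # load frequency damping (pu/pu), assumed
R_DROOP = 0.05        # governor droop, 5 %, assumed
T_GOV = 5.0           # turbine-governor time constant (s), assumed
S_BASE_MW = 10_000.0  # system base (MW), assumed
UFLS_HZ = 59.3        # first under-frequency load-shedding stage (Hz), assumed setting


def botnet_step_pu(devices, kw_per_device, s_base_mw=S_BASE_MW):
    """Load step (pu of system base) when `devices` loads of kw_per_device switch on at once."""
    return devices * kw_per_device / 1000.0 / s_base_mw


def simulate_frequency(dp_load_pu, t_end=30.0, dt=0.01):
    """Forward-Euler integration of
         2H d(dw)/dt = dPm - dPL - D*dw      (swing equation, per unit)
         T  d(dPm)/dt = -dw/R - dPm         (droop governor with turbine lag)
    for a load step dPL applied at t = 0. Returns (nadir_hz, max_rocof_hz_per_s, final_hz)."""
    dw, dpm = 0.0, 0.0          # speed deviation (pu), mechanical power deviation (pu)
    nadir, max_rocof = F0, 0.0
    for _ in range(int(t_end / dt)):
        ddw = (dpm - dp_load_pu - D_LOAD * dw) / (2.0 * H_SYS)
        ddpm = (-dw / R_DROOP - dpm) / T_GOV
        max_rocof = max(max_rocof, abs(ddw) * F0)
        dw += ddw * dt
        dpm += ddpm * dt
        nadir = min(nadir, F0 * (1.0 + dw))
    return nadir, max_rocof, F0 * (1.0 + dw)


def attack_assessment(devices, kw_per_device):
    """Grid-side effect of a botnet of `devices` loads switching on together."""
    dp = botnet_step_pu(devices, kw_per_device)
    nadir, rocof, final = simulate_frequency(dp)
    return {
        "step_pu": dp,
        "nadir_hz": nadir,
        "max_rocof_hz_s": rocof,
        "settled_hz": final,
        "ufls_triggered": nadir < UFLS_HZ,
    }


if __name__ == "__main__":
    for n in (50_000, 500_000):
        print(n, "devices x 2 kW ->", attack_assessment(n, 2.0))
```

With these parameters, 500,000 devices of 2 kW (a 0.1 pu step) drive the frequency below the first UFLS stage within a few seconds and produce an initial ROCOF of 0.75 Hz/s, while 50,000 devices barely move it. The defender's design question is how much fast reserve (the BESS role discussed in Section II-B4) is needed to keep the nadir above the shedding threshold for the botnet size considered credible.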


Different techniques from game theory, graph theory, and probabilistic modeling have been utilized to assess the capability of CPES to keep supplying critical (or unsheddable) loads after they have been compromised or the system has suffered unexpected disturbances. Other works focus on analyzing the impact of cyber-attacks in transactive energy systems (TES) [54]. Here, the authors investigate the system operation under two types of attacks designed to maliciously affect either the bid prices or the bid quantities. In view of the fact that IEDs, AMI, and smart inverters are penetrating EPS at a rapid pace, the authors in [55] and [84] demonstrate the adverse grid consequences if such devices are compromised. Specifically, the simulated impact of malicious smart inverter firmware modifications in MGs is demonstrated in [55]. Attacks targeting SCADA-controlled switching devices or monitoring devices, impeding situational awareness (in an integrated T&D system model), are evaluated in [84].

Furthermore, cybersecurity assessment methodologies investigating the impact of RES integration into the grid have also been proposed in the literature. For instance, the authors in [56] leverage open-source intelligence and contingency analysis methods to discover the most critical system paths. Such transition paths could be utilized by an adversary to maximize the impact of cyber-attacks, leading to disastrous consequences for the EPS. A different approach, which considers intrusion and disruption process modeling, is proposed in [57], where a stochastic game theory-based CPES security evaluation model is developed. The authors in [58] propose a mathematical framework to estimate the probability and evaluate the impact of malicious attacks on substation automation systems. In [59], the reliability and security of CPES are analyzed through a communication failure assessment process. Overall, assessment methodologies of attack impacts on CPES are designed with the purpose of aiding CPES evaluation studies. Thus, they should be leveraged as part of a defense-in-depth (DiD) portfolio when assessing potential damages and devising CPES defense strategies.

3) ATTACK DETECTION ALGORITHMS IN CPES
The severity of the effects of cyber-attacks in CPES underlines the need for accurate and effective attack detection mechanisms that can improve the situational awareness of system operators. Hence, remediation actions can be issued to avoid system and equipment failures, as well as to ensure human safety. A plethora of detection schemes have been proposed, especially for FDIAs in CPES [60]–[63]. For instance, in [63] researchers develop a distributed host-based collaborative mechanism for detecting false data measurements in PMUs. Each PMU is assigned a host monitor that probes its status (i.e., normal operation or anomalous) by comparing its measurements with predefined nominal values. Then, a majority voting algorithm is executed to decide whether the acquired measurements are valid by comparing the status of the PMU under investigation with that of the corresponding neighboring PMUs. Unsupervised learning-based anomaly detection methods have also been proposed for cyber-attack detection in CPES [64]. An example of such an anomaly detection scheme is presented in [65], where the authors identify suspicious sensor activity using recurrent neural networks (RNNs). Other researchers have also demonstrated how data integrity attacks (DIA) can be identified when sensor and process patterns deviate from residual-based fingerprinted data [66]. Furthermore, given the extensive use of Fieldbus communication devices in CPES, methodologies have been designed to detect anomalous network traffic in a variety of Fieldbus protocols [67]. All of the reviewed detection mechanisms have the objective of notifying system operators once incongruous sensor or monitor behavior is detected in the CPES. As a result, malicious incidents can be handled effectively, minimizing their impact on CPES operations.

4) ATTACK MITIGATIONS AND DEFENSES IN CPES
The deployment of defense and mitigation mechanisms is critical to enhance the overall CPES security and minimize the adverse impact of cyber-attack scenarios. For example, mitigation strategies can protect CPES against FDIAs which could potentially result in generator equipment damage [71]. Specifically, BESS could be leveraged to assist the generators and reduce the load curtailment inflicted by malicious attacks. A hybrid control-based approach to safeguard systems against cyber-attacks is presented in [72]. The hybrid controller switches to the most secure controller from a subset of available controllers, given that some of these controllers might have been compromised by an adversary. In [68], a semi-supervised learning mechanism is utilized to study malware patterns and defend the system from unknown malware targeting the CPES infrastructure.

Apart from software-based mitigation techniques and defenses, hardware-oriented mechanisms have also been proposed. In [70], the authors propose the use of hardware security primitives leveraging the intrinsic variation of BESS lithium cells to enhance communication protocol security. The practicality of the approach is validated in a simulated testbed environment [74]. Furthermore, in [73], an instrumentation-based defense technique is presented, employing a sub-optimal plan to secure CPES in real-time. Even though the discussed defense and mitigation mechanisms may not be applicable to all cyber-attack scenarios, research and development in this direction contribute towards understanding attackers' tactics and defending against them, enhancing the security of CPES.

C. THREAT ANALYSIS AND RISK ASSESSMENT
Precise modeling is essential in order to investigate complex CPES architectures, discover any potential vulnerabilities, and extensively test and evaluate security features. The intricacies of CPS typically consist of multiple interconnected layers bridging assets of varying importance for the system operation, and leveraging ICT and communication protocols. Different methods are being used to review CPS architectures and assess their cybersecurity. Among them, the DiD and the Purdue models are the most popular ones. The DiD strategy was initially employed in military applications [85]. It ensures resiliency, redundancy, and the existence of multiple defenses if a vulnerability is exploited, a critical security flaw is identified, or a failure or unintentional fault occurs. Enforcing the DiD multi-layered topology has two main advantages from a security perspective. First, it delays the attack progress in the system since each layer provides an isolated execution environment. Second, it allows system operators to deal with the attack independently on multiple layers, rather than having to rely on a single point of defense. Similarly, the Purdue model for industrial control system (ICS) network segmentation [86], part of the Purdue Enterprise Reference Architecture (PERA), incorporates the DiD concept by demonstrating the interconnections and dependencies between layers and components, allowing for the design of secure CPS [87]. In the following parts (II-C1 and II-C2), we provide the essential information and related work regarding threat modeling and risk assessment methodologies, with emphasis on industrial CPS and critical infrastructures.

1) THREAT MODELING
The term 'threat modeling' refers to the procedure by which potential vulnerabilities are discovered before they can become system threats. This process is crucial for the design of security defenses and mitigation strategies. It is evident that performing threat modeling for CPES is essential, since their compromise can have disastrous consequences for grid operation and for economic and social well-being. However, CPES consist of multiple layers and assets; hence, it can be challenging, due to extensive time, modeling effort, resources, and cost, to exhaustively examine all the possible scenarios that could arise as system vulnerabilities. To overcome such issues without compromising the system's reliability, multiple threat modeling approaches have been proposed aiming to prioritize vulnerabilities and assist the implementation of potent security mechanisms. These methodologies provide a holistic view of the system by highlighting the significant assets, commonly referred to as crown jewels [88], and assessing threats based on their potential impact and ease of deployment on the system.

STRIDE² and DREAD³ are well-established threat modeling frameworks for the security assessment of products and services throughout their life-cycle [89], [90]. For instance, STRIDE uses data flow diagrams for the threat modeling process. The data flow diagrams map system threats to the corresponding vulnerable system components (STRIDE per-element approach). Given the interdependent nature of CPES, an attacker can compromise the system operation by exploiting different component vulnerabilities. Therefore, to guarantee the overall system security, vulnerabilities need to be addressed both at the component level as well as within the component interrelations (visualized in the data flow diagrams) [91]. DREAD can be leveraged to evaluate and rank the severity of threats. A DREAD-based analysis comprises the following six steps: asset identification, system architecture formation, application decomposition, threat identification, threat documentation, and threat impact rating. The DREAD and STRIDE methodologies can also be used jointly for comprehensive cybersecurity assessments [92].

Apart from STRIDE and DREAD, other methodologies for security assessments have been proposed and utilized in the cybersecurity arena. For instance, OCTAVE⁴ Allegro is an alternative approach used by organizations when performing mainly information technology (IT) security evaluations and strategic planning for cyber-threats [93]. However, recent works validate the applicability of OCTAVE Allegro to CPS security assessments, both for the enumeration of potential risks and for the design of countermeasures to maintain nominal system operation [84], [94]. The main steps followed in OCTAVE security assessments include: the development of risk evaluation criteria according to operational constraints, critical asset identification, discovery of critical asset vulnerabilities and corresponding threats, and threat impact assessment. STRIDE, DREAD, and OCTAVE are well-established tools for performing threat modeling analyses and identifying vulnerabilities in the pre-attack context.

The investigation of adversary behavior post-compromise is also important. At this point, the adversary has already overcome the first line of defense and has access to system resources. Notably, there is extensive research on initial exploitation and the use of perimeter defenses [95], [96]. However, there is a knowledge gap regarding the adversary process after initial access has been gained. To address this gap and support threat modeling, risk analysis, and mitigation methodologies covering both pre- and post-compromise events, MITRE developed the ATT&CK for Enterprise framework [97].

MITRE ATT&CK is an open-source knowledge-base that includes common adversarial attack patterns (e.g., attacks, techniques, and tactics). The ATT&CK database is constantly being updated with recent attack incidents to enhance enterprise cybersecurity by exposing system vulnerabilities and ensuring safer operational environments for businesses and organizations. The framework describes the tactics, techniques, and procedures (TTPs) that an adversary could follow in order to make decisions, expand access, and stealthily compromise an organization while residing inside the enterprise network [98], [99]. In January 2020, the MITRE Corporation, realizing that ICS are an essential part of critical CPS infrastructures and with the objective of addressing cybersecurity issues arising from the diverse and interconnected nature of CPS, launched the ATT&CK for ICS framework [100].

² STRIDE is an acronym for Spoofing, Tampering, Repudiation, Information disclosure, Denial-of-service, and Elevation of privilege.
³ DREAD is also an acronym that stands for Damage, Reproducibility, Exploitability, Affected Users, and Discoverability.
⁴ OCTAVE is an acronym for Operationally Critical Threat, Asset, and Vulnerability Evaluation.
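The collaborative host-monitor and majority-vote scheme of [63] (Section II-B3 above) can be illustrated in a few lines. The following is an added example written in the spirit of that scheme, not the authors' implementation: each PMU's host monitor compares its readings against assumed nominal bands, and a PMU whose status disagrees with the majority of its neighbours is flagged as suspect rather than as a grid event. The six-PMU topology, the nominal bands and the three snapshots are constructed.

```python
# Added example in the spirit of the collaborative PMU validation of [63]; not the
# authors' implementation. Nominal bands, topology and snapshots are constructed.

NOMINAL = {
    "v_pu": (0.95, 1.05),       # voltage magnitude band (pu), assumed
    "freq_hz": (59.95, 60.05),  # frequency band (Hz), assumed
    "rocof_hz_s": (-0.5, 0.5),  # rate-of-change-of-frequency band (Hz/s), assumed
}


def host_status(reading, nominal=NOMINAL):
    """Host monitor: 'normal' when every quantity is inside its band, else 'anomalous'."""
    for key, (lo, hi) in nominal.items():
        if not lo <= reading[key] <= hi:
            return "anomalous"
    return "normal"


def neighbour_majority(pmu, readings, neighbours):
    """Majority host status among the neighbours of `pmu`; a tie is treated as 'normal'."""
    votes = [host_status(readings[n]) for n in neighbours[pmu]]
    return "anomalous" if votes.count("anomalous") > len(votes) / 2 else "normal"


def classify(pmu, readings, neighbours):
    """Collaborative verdict for one PMU:
       'valid'        PMU and neighbour majority agree that everything is nominal
       'system_event' PMU and neighbour majority both see an excursion
       'suspect_data' PMU disagrees with its neighbours (falsified or faulty stream)"""
    own = host_status(readings[pmu])
    majority = neighbour_majority(pmu, readings, neighbours)
    if own == majority:
        return "valid" if own == "normal" else "system_event"
    return "suspect_data"


def audit(readings, neighbours):
    """Verdict for every PMU in a snapshot."""
    return {pmu: classify(pmu, readings, neighbours) for pmu in readings}


def reading(v=1.0, f=60.0, rocof=0.0):
    return {"v_pu": v, "freq_hz": f, "rocof_hz_s": rocof}


# Constructed six-PMU topology in which every PMU has three neighbours (odd, so no ties).
NEIGHBOURS = {
    "pmu1": ["pmu2", "pmu3", "pmu4"], "pmu2": ["pmu1", "pmu3", "pmu5"],
    "pmu3": ["pmu1", "pmu2", "pmu6"], "pmu4": ["pmu1", "pmu5", "pmu6"],
    "pmu5": ["pmu2", "pmu4", "pmu6"], "pmu6": ["pmu3", "pmu4", "pmu5"],
}

# Snapshot 1: pmu3's stream is falsified to 0.80 pu while the grid is nominal.
SNAPSHOT_FALSE_DATA = {p: reading() for p in NEIGHBOURS}
SNAPSHOT_FALSE_DATA["pmu3"] = reading(v=0.80)

# Snapshot 2: a genuine generation loss, seen by every PMU as 59.85 Hz and -0.6 Hz/s.
SNAPSHOT_EVENT = {p: reading(f=59.85, rocof=-0.6) for p in NEIGHBOURS}

# Snapshot 3: the attacker also falsifies two of pmu3's three neighbours to mask it.
SNAPSHOT_COLLUSION = dict(SNAPSHOT_FALSE_DATA)
SNAPSHOT_COLLUSION["pmu1"] = reading(v=0.80)
SNAPSHOT_COLLUSION["pmu2"] = reading(v=0.80)

if __name__ == "__main__":
    for name, snap in (("false data", SNAPSHOT_FALSE_DATA), ("event", SNAPSHOT_EVENT),
                       ("collusion", SNAPSHOT_COLLUSION)):
        print(name, audit(snap, NEIGHBOURS))
```

A single falsified stream (pmu3 at 0.80 pu while its three neighbours read 1.0 pu) is isolated as suspect, whereas a real under-frequency event seen by every PMU is classified as a system event. The limit of the approach is also visible: an adversary who falsifies a PMU together with a majority of its neighbours (here two of three) makes the falsification look like a system event, so neighbour sets should be large and electrically diverse.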
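The STRIDE-per-element and DREAD procedures described above can be run mechanically once the data flow diagram is written down. The following is an added example, not the paper's or Microsoft's tooling: it enumerates, for each DFD element type, the STRIDE categories that apply to it (external entities: S, R; processes: all six; data flows and data stores: T, I, D, with R added for stores that hold audit logs), then ranks the threats that have been given DREAD ratings. The substation DFD, the element names and the 1-to-3 DREAD ratings are constructed for illustration.

```python
# Added example (not from the paper): STRIDE-per-element enumeration over a small
# constructed substation data flow diagram, then DREAD ranking of the rated threats.

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege",
}

# Per-element applicability from the STRIDE-per-element chart; a data store additionally
# gets Repudiation when it holds audit logs (handled in enumerate_threats).
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TID",
}

DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


def enumerate_threats(dfd):
    """(element name, STRIDE category) for every category applicable to each element."""
    threats = []
    for element in dfd:
        cats = APPLICABLE[element["type"]]
        if element["type"] == "data_store" and element.get("is_log", False):
            cats += "R"
        threats.extend((element["name"], STRIDE[c]) for c in cats)
    return threats


def dread_score(rating):
    """Sum of the five DREAD factors, each rated 1 (low) to 3 (high): range 5..15 (assumed scale)."""
    for factor in DREAD_FACTORS:
        if not 1 <= rating[factor] <= 3:
            raise ValueError(f"{factor} must be rated 1..3")
    return sum(rating[factor] for factor in DREAD_FACTORS)


def rank_threats(threats, ratings):
    """Rated threats sorted by descending DREAD score, plus the list still awaiting a rating."""
    rated = sorted(((t, dread_score(ratings[t])) for t in threats if t in ratings),
                   key=lambda pair: pair[1], reverse=True)
    unrated = [t for t in threats if t not in ratings]
    return rated, unrated


# Constructed DFD of a small substation control path (names are illustrative).
DFD = [
    {"name": "Operator", "type": "external_entity"},
    {"name": "HMI", "type": "process"},
    {"name": "SCADA server", "type": "process"},
    {"name": "Feeder PLC", "type": "process"},
    {"name": "Historian", "type": "data_store", "is_log": True},
    {"name": "HMI->SCADA server", "type": "data_flow"},
    {"name": "SCADA server->Feeder PLC", "type": "data_flow"},
]


def _rating(damage, reproducibility, exploitability, affected_users, discoverability):
    return dict(zip(DREAD_FACTORS,
                    (damage, reproducibility, exploitability, affected_users, discoverability)))


# Constructed DREAD ratings for four of the enumerated threats (1 = low, 3 = high).
RATINGS = {
    ("SCADA server->Feeder PLC", "Tampering"): _rating(3, 3, 2, 3, 3),   # 14
    ("HMI", "Denial of service"): _rating(2, 3, 3, 2, 3),                # 13
    ("Operator", "Spoofing"): _rating(3, 2, 2, 3, 2),                    # 12
    ("Feeder PLC", "Tampering"): _rating(3, 2, 2, 3, 1),                 # 11
}

if __name__ == "__main__":
    ranked, todo = rank_threats(enumerate_threats(DFD), RATINGS)
    for (name, category), score in ranked:
        print(f"{score:2d}  {category:<24} {name}")
    print(len(todo), "threats still unrated")
```

Of the 30 enumerated threats only four are rated here; in practice the rating step is where the crown-jewel judgement from the text enters, and the unrated list is the remaining work queue. Tampering on the SCADA-to-PLC flow ranks first because it was rated as both highly reproducible and easy to discover from a foothold on the control network.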


TABLE 3. ICS functional levels, equipment categories, and their corresponding components [101].

The ATT&CK for ICS framework is also a free, community-supported threat knowledge-base that includes information about the TTPs that adversaries utilize when targeting ICS (within CPS). The framework assists in understanding the adversarial attack chain and in enhancing the security posture of ICS and related CPS assets. ATT&CK for ICS is based on MITRE's ATT&CK for Enterprise framework, i.e., it ports much of the threat intelligence gathered from enterprise networks to ICS, since industrial networks often have similarities with enterprise networks. The heterogeneity of ICS, however, with a plethora of operating systems (OS), network devices, and communication protocols co-existing with a variety of field devices (e.g., PLCs, IEDs, PMUs, RTUs, etc.), led to significant revisions from ATT&CK for Enterprise to ATT&CK for ICS.

The ATT&CK for ICS framework is designed to support a multi-layer reference approach for adversarial behavior evaluations. The framework is segregated into four core components, making it applicable to a wide spectrum of industrial CPS. The first component category includes i) assets, which consist of control servers, engineering workstations, field controllers, human-machine interfaces (HMI), among others. Not all of these assets are present in every system. This is factored in by the ATT&CK methodology, which investigates attacks targeting the respective assets independently as well as in cooperation with other industrial assets. The second core part of ATT&CK for ICS is the abstraction focusing on the ii) functional levels of the Purdue architecture. Such levels describe the depth of infiltration that the adversary has achieved. The levels range from Level 0, which corresponds to the physical devices (e.g., sensors and actuators) that carry out the industrial process, all the way to Level 2, which includes the supervisory control systems, the engineering workstations, and HMIs. These functional levels are depicted in Table 3. The last two parts of the framework revolve around the adversarial iii) tactics and iv) techniques. The term 'tactics' refers to the reason why an adversary performs an action, i.e., an adversary objective such as disrupting an industrial process control routine. Techniques describe the activities that the adversary uses to achieve the attack goal, i.e., they represent "how" an attacker accomplishes his/her objectives by taking an action, e.g., through modifying the PLC control logic.

2) RISK ASSESSMENT
The term "risk assessment" refers to the process of identifying potential risks and their corresponding impact on the system operation, as well as determining strategies to mitigate, defer, or accept these risks based on their criticality [93]. Cyber-threat risk assessment is a critical operation that CPES and their ICS need to perform regularly. The introduction of new technologies into CPES (i.e., DERs, EVs, control devices, etc.), along with the interoperable nature of the supporting ICT infrastructure, increases the risks arising from both the cyber domain (e.g., measurement, control command, or communication integrity attacks) and the physical domain (e.g., sensor and actuator compromise).

Typically, risk assessment methodologies rely on probabilistic analyses that leverage Markov chains [102], Petri nets [103], Bayesian belief networks [104], or game theory to estimate the impact of adverse events on system operation [105], [106]. In [106], for example, researchers model both the attackers and the system's defenses as agents with different action sets and objectives. Due to the contradictory roles of such agents, the corresponding action payoff depends on the ability to compromise the system's assets or the ability to detect the malicious attack, from the perspective of attackers or defenders, respectively. Other works have proposed worst-case scenario risk assessment analyses that employ exhaustive Monte Carlo simulations and focus on diverse operation areas of EPS (e.g., automatic generation control (AGC), T&D system operations, etc.). Then, the interdependence of such EPS areas with specific risk mitigation mechanisms is analyzed [107], [108]. For instance, the authors in [108] review the impact on buses and transmission lines under abnormal operations caused by cyber-attacks. They also investigate how adverse scenarios can be mitigated if robust protection system strategies, i.e., coordinated bus and transmission line tripping, are put in place. Although probabilistic risk analyses and worst-case scenario assessments can provide useful results under specific constraints (i.e., if only part of a system is examined), applying such methods to dynamically changing large-scale T&D integrated models can be a challenging task. The multitude of T&D assets expands the search space of exhaustive methods such as Monte Carlo-based risk analyses [109]. For each asset and every investigated potential attack, the risk analysis process needs to be re-examined and re-computed. The risk calculation overhead is also exacerbated by the interconnected CPS architecture.

The aforementioned methods, apart from being computationally intensive, can also potentially suffer from poor accuracy. The security risk assessment accuracy of these methods relies on the precise modeling of the CPES physical components (e.g., generators, transmission lines, substations, etc.), their topology, as well as their interconnections with the cyber components (e.g., ICT nodes supporting


EPS functions) [110]–[112]. Failure to properly model CPES can mask interconnection dependencies between components and their layers (cyber or physical), and thus perturb the risk score calculation process. The risk assessment approaches presented in this section are credible only when the security assessment is partial, i.e., they fail to capture system risks comprehensively, since their focus is on specific parts of a CPES, ignoring the impact propagation to the rest of the infrastructure. In this work, the threat and system representation is performed meticulously during the threat modeling process (Section III) and the CPS framework stages (Section IV), respectively. As a result, our approach determines in advance a detailed system model, overcoming the drawbacks encountered when performing segmented risk evaluations.

In our analysis, system-specific characteristics are formalized and Risk scores are calculated by combining the attack Threat Probability with the CPES objective priorities (Section III-C). The proposed methodology expedites the risk assessment analysis of CPS (since the threat modeling, CPS framework analysis, and performance metrics determination have been performed previously), and thus mitigation policies can be evaluated iteratively until the corresponding Risk goals are met. For example, if an EPS asset is compromised, there might be multiple defense mechanisms that could be enforced to mitigate the attack. However, the implementation of some of these mechanisms might result in significant impacts (e.g., uneconomic operation, partial grid disconnections, etc.) or affect other parts of the system due to its interdependent nature. The ability to evaluate, in real-time, the effectiveness of risk mitigation mechanisms provides significant benefits for CPS, aiming to balance security objectives and system performance.

III. THREAT MODELING FOR CYBER-PHYSICAL SYSTEMS
The fundamental property of any adverse failure is that it is an artifact of the semantics and capabilities of CPS, which can be built in a diverse, possibly infinite, number of ways. It is crucial to mitigate any adverse event in CPS, regardless of whether it is accidental or intentional. However, some distinctions need to be made between these two types. For example, there is a high probability that a natural adverse event (e.g., a short circuit fault) can be detected by the process, considering a built-in fault detection scheme in the system. In contrast, an intentional fault (possibly caused by an attacker) could alter the results of the system in a plausible-looking (congruous) way, hence causing the event to go undetected. Traditionally, fault monitoring and detection approaches do not consider the implications that arise due to adversaries and their attack goals. Their aim is solely to recover from transient faults, overlooking the actions which trigger this abnormal behavior. Without considering a threat model that includes malicious and motivated adversaries, as well as sophisticated attacks, detection schemes can potentially be evaded by attackers entirely, despite the redundancy already built into control processes. A fault can become an exploited vulnerability, and the compromised component, if not sanitized properly, can pose a danger to the entire CPS.

The complex nature of CPS, and consequently CPES, urges the identification of attack vectors on both the cyber and the physical domains of the system. Adversaries are constantly improving, adapting, and modifying their attack patterns to evade security mechanisms. As a consequence, security researchers cannot passively wait until an asset in the system is compromised to initiate remediation. To support the identification, anticipation, and mitigation of cyber-attacks in CPS, we develop a holistic threat model that incorporates the core components of MITRE's ATT&CK for ICS methodology while providing an additional dimension for security investigations. Specifically, the presented threat modeling approach extends MITRE's methods since:
• We incorporate an adversary model to allow for more granular and explicit threat modeling analyses.
• We rigorously define all aspects of potential cyber-attacks so that they can be implemented in CPS testbeds for security evaluations (e.g., to evaluate defense mechanisms, mitigation strategies, detection schemes, etc.).
• We perform risk assessments considering the actual impact of cyber-attacks on the CPS and leveraging both the threat modeling and the CPS framework resource mapping. Hence, every possible attacked CPS component is accounted for in the Risk score calculation, aiding threat prioritization and CPS security posture awareness.

In the developed threat modeling methodology, we evaluate threats and prioritize them based on the degradation that they can potentially inflict on the CPS. Our threat model consists of two major components, the adversary model and the attack model, as illustrated in Fig. 3. To understand the security implications of threats targeting CPS, the adversary model needs to capture specific information involving the adversary's capabilities, intentions, and objectives. In addition, it is essential to model attacks based on their specific methodology, targeted system component, and system impact, as well as to define rules that enable multi-layer and severity attack analyses. The adversary and attack models compose the threat score index factored into the threat risk calculation process presented in Section III-C. For instance, the threat score of an attack performed by a stealthy and motivated adversary will be higher than the threat score of the same attack performed by an adversary with limited resources and oblivious knowledge about the system. Our versatile threat modeling approach can support various types of malicious events and enables end-users to adjust the desired level of threat model granularity.

A. ADVERSARY MODEL
The capabilities of an attacker and the characteristics of the adversary model can be captured by factors such as resources, skills, knowledge of the system, access privileges, and opportunities (i.e., the means to carry out the attack and the number of failed attempts allowed) required to perform


the attack. When it comes to system knowledge, a distinction has to be made between white-box attacks, where an adversary has complete information, and black-box or gray-box attacks, where an adversary has limited information about the system [113]. In the gray-box threat model, the adversarial knowledge is limited to the target model, while in black-box attacks adversaries do not know the target model and can only query it to generate adversarial samples [114]. We port such a classification into the context of CPES, in which attackers may have full, partial, or zero knowledge of the system model and real-time power grid measurements. Existing work often assumes that adversaries have perfect knowledge of the system model, i.e., the information needed to create the measurement matrix (Jacobian) of the power system, which depends on the network topology, the parameters of power lines, and the location of RTUs and PMUs [115]. However, in realistic attack scenarios, adversaries have limited knowledge of the system due to the dispersed, interconnected, and complex nature of the power grid, the restricted access to CPES control and monitoring functions, and errors in the data collection process [51], [116], [117].

Our adversary model takes into consideration the presented distinctions and defines a hierarchy of the information available to the attackers in order to characterize their knowledge capabilities. At the lowest level of the system knowledge hierarchy is an adversary that has no information about the system model. At the highest level is an adversary that knows the model characteristics, the algorithmic details, and all the grid measurements. In order for the adversary, however, to acquire system measurements or perform reconnaissance and monitoring, they should have, to some extent, access to the system. As such, our model delineates this access as the accessibility level an adversary needs to have in the target CPS.

In the MITRE ATT&CK for ICS framework, the term ‘attacker tactics’ covers the attackers’ access level with their corresponding intentions and objectives. In our modeling approach, however, the term is captured in two sub-categories, access and specificity, to allow for a more elaborate adversary classification. The access category defines the degree to which an attacker can interact with a system asset, while the adversarial specificity encapsulates the objectives and goals of the adversary who executes the attack on the CPS. Adversarial objectives are broadly lumped under targeted and non-targeted. In the case of targeted objectives, an adversary’s intention is to execute an attack which can result in a specific target output (e.g., the miscalculation of EPS system states, due to topology modifications of wind integrated resources [118], or FDIAs [119]). On the other hand, non-targeted attacks can generically maximize malformed outputs of CPS algorithms (with respect to the ground truth), affecting the operational reliability of the system. Finally, our adversary model also captures the adversary resources, differentiating between attackers with limited resources and attackers with a variety of intellectual and physical assets at their disposal.

FIGURE 3. Adversary model and attack model components comprising the comprehensive threat model architecture.

Adversary Model Formulation: Our attacker model is decomposed into four dimensions: adversarial knowledge, resources, access, and specificity:

1) Adversary Knowledge
a) Strong-knowledge adversary: White-box attacks assume an adversary with full knowledge of the system model, parameters, and state vectors.
b) Limited-knowledge adversary: Gray-box attacks assume an adversary with some knowledge of the system’s internals, i.e., a partial understanding of the network and system model.
c) Oblivious-knowledge adversary: Black-box attacks assume an adversary with zero knowledge about the details of the system, who can only estimate the system outputs using confidence scores. In such scenarios, the attacker has no knowledge of the system model.

2) Adversary Access
a) Possession: This type of attack requires the adversary to have physical access to the attacked component (e.g., IED, solar inverter, transformer, etc.) operating either in the digital or analog domain. The access could involve chassis intrusions (e.g., microprobing, memory flashing, circuit bending, etc.), or interface access to the device (e.g., side-channel analysis, power analysis, protocol decode, etc.).
b) Non-possession: In this type of attack, the adversary cannot physically manipulate the asset under attack. Attacks can be performed leveraging proximity access (e.g., GPS spoofing, side-channel analysis), or by exploiting network interfaces (e.g., replay attacks, rollback attacks, etc.).

3) Adversarial Specificity
a) Targeted attacks occur in multi-class identification, control, and monitoring-based scenarios and misclassify CPS algorithms and operations to a specific malicious result category x_j ∈ X from all possible results X. The adversary goal is to maximize the probability of the targeted class, i.e., maximize P(x_j).


b) Non-targeted attacks are similar to targeted attacks in terms of misclassification objective; however, the selection of category x_j is relaxed to any arbitrary output category except the correct one x_i.

4) Adversarial Resources
a) Class-I attackers that, despite their adversarial motivation, do not have the financial resources, equipment support, or access privileges to successfully realize any attack without being detected.
b) Class-II attackers that can be funded individuals, organizations, or nation-state actors with large budgets and substantial access privileges, skills, and tools capable of realizing sophisticated attacks.

B. ATTACK MODEL
The second part of the proposed threat modeling method focuses on the specific characteristics of malicious attacks (e.g., frequency, reproducibility), the targeted CPS components, and the process aiming to achieve the system compromise. The attack model improves MITRE’s taxonomy, which includes concepts such as the attack levels, assets, and techniques, by incorporating supplemental dimensions necessary for holistic security investigations. For instance, particular attention is drawn to aspects like the attack frequency, reproducibility/discoverability, along with the premise of the compromise. The aforementioned features enable the comprehensive characterization of the attacks, elucidating all their underlying elements, and as a result, they assist in performing threat and system impact evaluations for CPS environments.

The presented attack model accounts for the CPS structure and interconnections. Given that the same adversarial objective can be achieved following different attack paths, propagation scenarios with diverse attack entry points should be investigated. These attack paths can be initiated from process control devices such as sensors or actuators and propagate to supervisory and control equipment like HMIs. In particular, the attack model considers the attack frequency, i.e., the number of compromises required to achieve a particular adversarial objective, and the attack reproducibility and discoverability. The aspects of reproducibility and discoverability are crucial for CPS risk evaluations. This is attributed to the fact that even catastrophic attacks might not pose any actual danger for the CPS if materializing them is nearly impossible, or if they can be easily discovered during their initial stages. The attack functional level, attacked asset, and attack technique notions correspond to the definitions introduced in MITRE [100]. The only difference is that the selected attack techniques in our methodology represent some of the most common use cases encountered specifically in CPES. An overview of the CPS functional levels along with the corresponding attacked assets is illustrated in Fig. 4. Also, we consider the attack premise, which indicates whether the attack is targeting the physical or cyber domain of a CPS, trailing the attack path origin and its expected impact. The formulated attack model with the additional aspects of attack frequency, attack reproducibility and discoverability, and attack premise allows fine-tuning each attack case study’s model, and overall composes a well-defined CPS threat modeling approach.

FIGURE 4. CPS functional attack levels and assets overview.

Attack Model Formulation: Our attack model is decomposed into six dimensions: attack frequency, attack reproducibility and discoverability, attack level, attacked asset, attack techniques, and attack premise.

1) Attack Frequency
a) Iterative attacks: attacks that need multiple iterations to achieve the desired malicious output.
b) Non-iterative attacks: attacks that only need to be realized once to achieve the desired malicious output.

2) Attack Reproducibility and Discoverability
a) One-time attacks: attacks that can only be realized once since they are detected after the first attempt.
b) Multiple-times attacks: attacks that can be reproduced multiple times before they are identified and detected.

3) Attack Functional Level
a) Level 0: attacks that target CPS processes and their corresponding operational equipment (e.g., sensors, actuators, etc.).
b) Level 1: attacks that target the industrial control network (e.g., PLCs, system controllers, RTUs, etc.) and aim to stealthily manipulate functions that control CPS processes.
c) Level 2: attacks that target the SCADA and monitoring devices (e.g., HMIs, engineering workstations, data historians, etc.) on the network level (i.e., LAN) overseeing CPS processes.

4) Attacked Asset
a) Field controllers: Such assets are low-level embedded devices (e.g., RTUs, PLCs, IEDs) that enable the control of CPS processes. They typically possess limited computation capabilities and they are in charge of coordinating industrial


processes (e.g., generator governors, manufacturing process controllers, etc.).
b) Control servers: These devices cover the functionality of both programmable controllers (e.g., PLCs) as well as communication servers (e.g., SCADA master terminal units (MTU), distributed control servers, etc.). Thus, apart from interfacing with low-level CPS devices (e.g., sensors, actuators), they can also support software-based services in industrial environments.
c) Safety instrumented systems (SIS): These systems (e.g., protective relays, recloser controllers) are designed to perform automated remediation actions if an abnormal system behavior is detected (e.g., short-circuit, fault, etc.). The goal of protection systems is to keep the industrial CPS plant online, while avoiding hazardous conditions.
d) Engineering workstations: These units are usually powerful and reliable computing configurations used for the monitoring and control of CPS, processes, and equipment. They are often accompanied by hardware components and software packages that enable CPS supervision.
e) Data historians: Such elements are databases used to keep records and store process data. This information is stored in a time-series format that enables the examination, display, and statistical analysis of process control information.
f) Human-machine interfaces (HMIs): A graphical user interface that enables users to monitor system operations, diagnose malfunctioning system behavior, and initiate control and mitigation actions. HMIs can vary between vendors, supporting different capabilities, graphical representations, and control interfaces (e.g., web-based, LAN-based, etc.). Additionally, different user groups can have access to different HMIs according to the systems they are monitoring and their clearance level for managing the CPS.
g) Input/output (I/O) servers: Such servers constitute the connecting link between system applications and the field devices which coordinate the ICS equipment under the control subsystems’ directions. I/O and data acquisition servers (DAS) operate as buffers since they can convert low-level control system data to packets, and forward them to the supervision locations (e.g., HMIs, engineering workstations). Additionally, they serve as intermediate translation units as they collect information from field devices (utilizing diverse communication technologies) and translate it to the predefined formats expected by system applications.

5) Attack Techniques
a) Modify control logic: In such attacks, adversaries can cause the CPS to operate abnormally by modifying the code running on the system’s control devices (e.g., PLC, RTU, IED). These system devices orchestrate physical processes via actuators and other field equipment.
b) Wireless compromise: In these attack scenarios, adversaries can gain unauthorized remote access to the CPS network by exploiting the vulnerabilities of devices with wireless connectivity, insecure wireless communication protocols, and/or network connections leaking sensitive information.
c) Engineering workstation compromise: In such attack setups, adversaries, after being granted access to a CPS engineering workstation, can cause system malfunctions by compromising CPS configurations controlled by engineering workstations, e.g., security systems, process controls, ICT infrastructure, etc.
d) Denial-of-service (DoS): Malicious adversaries performing DoS attacks can compromise a CPS asset by inhibiting its nominal functionality, rendering it unresponsive. For instance, overflowing a device with artificial data, blocking its inbound or outbound communications, or even suspending/disrupting its operation can impact time-critical CPS.
e) Man-in-the-middle (MitM): During MitM attacks adversaries can maliciously intercept, modify, delay, block, and/or inject data streams exchanged between CPS assets. Depending on the adversary access level on the CPS networks, numerous attacks (e.g., modify or inject control commands, delay alarm messages, etc.) can be planted, affecting CPS operations.
f) Spoof reporting messages: Adversaries performing this type of attack can broadcast maliciously modified system messages. The attack goal is to either impact CPS operations by limiting the situational awareness (e.g., suppressing critical alarm messages), or to misreport information (e.g., sensor measurements), thus driving systems to unstable and potentially irreversible states.
g) Module firmware: In module firmware attack cases, adversaries can upload maliciously modified code to embedded devices of CPS (e.g., PLCs, smart inverters, etc.). These actions can affect device operation via modification of their control objectives, and/or insertion of backdoor features (e.g., remote access, exploit system logs, etc.) allowing them to stealthily manipulate CPS assets.
h) Rootkits: In this type of attack, adversaries employ rootkits, typically planted in the OS of devices, to disguise malicious software, services, files, network connections, ports, etc. Rootkits


provide attackers with user or even root-level privileges while hiding their presence from CPS defense mechanisms.

6) Attack Premise
a) Attacks targeting the cyber domain
i) Communications and protocols: refers to attacks targeting the in-transit CPS data, i.e., exchanged communications data including remote access credentials, measurements, system reports and warnings, etc., with the objective to get unauthorized access (data espionage) or insert malicious modifications (data alteration).
ii) Asset control commands: includes attacks targeting the CPS data integrity, i.e., masking counterfeit system data as genuine and unmodified, and trustworthiness (e.g., impersonating authorized user groups to issue, access, or modify control commands).
iii) Data storage: accounts for attacks targeting the accuracy and non-repudiation of CPS data (e.g., logs and historical records of all the performed tasks such as asset set-point modifications, user sign-ins and action histories, inbound/outbound connections and traffic, etc.).
b) Attacks targeting the physical domain
i) Invasive: attacks that require physical access to the CPS asset (e.g., PLC hardware including micro-controller, memory, integrated circuit (IC), etc.) in order to manipulate it (e.g., desoldering, depackaging) [120]. These attacks are time-consuming and require specialized equipment; however, they are difficult to detect.
ii) Non-invasive: attacks that do not require any physical tampering of the ICs residing on the CPS assets, and performing them multiple times can be achieved with minimum effort. No traces are left after the attack is performed, rendering them the most difficult type of attacks to detect. Common examples of non-invasive attacks include power analysis attacks, timing attacks, electromagnetic emission attacks, brute force attacks through physical means, Hall sensor spoofing, etc. [52].
iii) Semi-invasive: attacks that are a trade-off between invasive and non-invasive attacks, given that they are not as difficult to perform as invasive attacks and can be easily performed multiple times, similar to non-invasive ones [121]. Common examples of semi-invasive attacks include fault injection, laser scanning, ultra-violet radiation, or control process tampering [122].

C. RISK ASSESSMENT METHODOLOGY
Risk assessment is a fundamental process in every cybersecurity analysis study. Its importance is further accentuated in the context of mission-critical CPS, where operational disruptions can have disastrous impacts. Existing efforts often port IT risk assessment methodologies into operational technology (OT) security evaluations, and consequently fail to holistically capture CPS constraints and objectives [123]. Some key differences between IT and OT security revolve around the risks associated with loss of operation, asset availability, communication latency, architectural differences, and contingency management strategies [124]–[126].

Qualitative assessments for cybersecurity risks require substantial system knowledge of the CPS structure and experience from the organizations and groups conducting the analysis [123], [127]. On the other hand, quantitative studies calculate exact risk scores aiding the prioritization and mitigation procedures [104], [128]. Other works employ simulation-assisted investigations in order to evaluate the corresponding impact of cyber-attacks [129]. Moreover, researchers have also considered dynamically adapting risk assessment models, factoring the system and attack impact evolution into the risk score calculations [130]. Recent works have proposed combinations of different risk methods, harnessing the advantages of more than one strategy and providing more realistic evaluations [131]–[133]. These combined approaches are motivated by the fact that in CPS we can have the same impact on system operation using different attack paths. Thus, although the system impact remains the same, the risk scores of these attacks would substantially differ. Such scenarios, i.e., following different attack procedures to achieve the same adversarial objective, would be difficult to capture using a qualitative-only risk assessment method.

In this paper, we utilize a hybrid risk assessment method bridging the advantages of both quantitative and qualitative methods. The hybrid approach adapts to dynamic system operation and adjusts risk scores based on the current system state. Specifically, we assess the impact of attacks qualitatively. To calculate the corresponding attack damage, however, we quantitatively prioritize CPS objectives. The threat probability is also assessed quantitatively to weigh the attack damage and model the risk. It is important to note that both the objective priority as well as the threat probabilities can change during real-time system operation.

Such scenarios can be accommodated by our risk model. For instance, the loss of power in a residential area has the same outage impact regardless of whether it is due to a natural disaster (e.g., hurricane, thunderstorm), a malicious attack, or EPS electrical faults (e.g., short-circuits). However, the threat probabilities and CPS objective priorities for the three aforementioned scenarios differ significantly. The "people health and personnel safety" objective during a natural disaster has a much higher priority compared to a power outage due to an EPS fault. The latter event, being not a life-threatening


situation, would have a higher "uninterrupted operation and service provision" priority.

Furthermore, the presented threat modeling methodology of Sections III-A and III-B, which enables precise adversary and attack descriptions, serves as the backbone of our risk assessment method. Specifically, the definitive granularity of threat characterizations not only exposes the vulnerable system assets but also can infer which CPS objective will be affected the most. The CPS objective is critical for the attack impact evaluations, while vulnerable assets demonstrate the feasibility of an attack. Thus, CPS attack risk scores can be calculated and their prioritization can be performed based on the affected CPS objective. The threat Risk is defined as:

Risk = \text{Threat Probability} \times \text{Damage}   (1)

The Threat Probability portion of the risk formula accounts for the threat details, i.e., the adversary and attack models discussed previously, in addition to how likely it is for the investigated threat to materialize in the specific system context. The second component of Eq. (1) is the Damage, which assesses the corresponding impact inflicted on the system. The Damage is defined as follows:

Damage = \sum_{k=1}^{n} \text{Objective Priority}_k \times \text{Attack Impact}_k   (2)

where the Objective Priority and the Attack Impact are used to address the consequences of the attack in the context of the specific CPS objectives. The Attack Impact is evaluated qualitatively using a number from 1 to 3, reflecting Low, Medium, or High impact, respectively. In addition, for every CPS, the objectives are ranked in order of importance. We utilize four (n = 4) main objective categories: i) people health and personnel safety, ii) uninterrupted operation and service provision, iii) organization financial profit, and iv) equipment damage and legal punishment. Numbers from 1 to 4 are used for the objective priorities; 1 indicates the least significant goal while 4 stands for the most critical objective.

In Table 4, we demonstrate a damage calculation example where we provide a subjective priority ranking as well as the attack impact values. Using Eq. (2), the total potential damage score can be calculated as (4 + 9 + 6 + 2) = 21. Given a specific Threat Probability value, we can then assess the total Risk for the examined attack scenario.

Overall, the presented application-aware risk assessment procedure takes into consideration all the underlying components of sophisticated and multi-layer threats targeting complex CPS. In addition, it provides a universal method to assess attack risk, regardless of the particular CPS architecture or the corresponding operational objectives. Based on the assessment results, administrative authorities can prioritize which assets need immediate attention and which threats pose the highest risk (if vulnerabilities of the in-scope CPS assets are exploited).

TABLE 4. Example of attack damage calculation.

IV. CYBER-PHYSICAL SYSTEM FRAMEWORK: MODELING, RESOURCES, AND METRICS FOR CPES STUDIES
The framework depicted in Fig. 5 shows the different domains into which the proposed CPS framework is divided. The main objective of the framework is to provide a clear understanding of all the underlying concepts and components being considered in CPS investigations. Specifically, the presented conceptual framework is intended to assist researchers in identifying the models, resources, and metrics required to perform reliable CPES studies. Based on the study objectives, the framework can be treated as a ‘how-to guide’ towards the implementation of use cases and the development of CPES testbeds. This section first describes the cyber-system and physical-system layers that need to be considered for the CPES representation. Then, we describe the different factors that need to be taken into account when performing CPES studies, i.e., the modeling techniques, resources, and metrics.

Physical-System Layer: NIST’s definition for CPS establishes that the physical-system layer of a CPS is composed of hardware and software components embedded into the system environment. These components have the capability of interacting with other physical-layer units through physical means, i.e., via sensors and actuators, or through the cyber-system layer using standard communication protocols. Some sectors where CPS can be extensively found are smart manufacturing [134], healthcare [135], robotics [136], transportation [137], and EPS [138]. In this paper, the developed framework focuses on the EPS sector, i.e., the models, resources, and metrics used in the physical-system layer are based on elements encountered in the generation, transmission, and distribution systems that comprise CPES. Example components within the physical-system layer of CPES are PV panels, Li-ion BESS, wind energy systems, power converters, generators, voltage regulators, transformers, and T&D lines.

Cyber-System Layer: The cyber-system layer of a CPS is composed of the ICT structures deployed in the system. It encompasses communication and networking components such as hubs, modems, routers, switches, cables, connectors, databases, and wired and/or wireless network interface cards (NIC) [139], [140]. These components allow the
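Returning to the risk assessment of Section III-C: the following Python code is an added worked example (not code from the paper) that implements Eqs. (1) and (2) with the four objective categories and the 1-3 impact and 1-4 priority scales defined above, validates that the priorities really form a ranking, and orders several candidate threats by their risk score. The priority/impact assignment is an assumption chosen so that the four terms reproduce the (4 + 9 + 6 + 2) = 21 total the text reports for Table 4 (the table's own rows are not reproduced here); the second ranking, the threat labels, and the threat probabilities are likewise constructed for illustration.

```python
"""Risk scoring per Eqs. (1) and (2) of Section III-C.

Added example, not code from the paper. It implements
    Risk   = Threat Probability x Damage                          (1)
    Damage = sum_{k=1..n} Objective Priority_k x Attack Impact_k  (2)
for the four CPS objectives and the scales used in the text: Attack Impact
in {1, 2, 3} (Low/Medium/High) and Objective Priority a ranking 1..4
(4 = most critical). All concrete numbers below are constructed inputs.
"""
from __future__ import annotations

from enum import IntEnum


class Impact(IntEnum):
    """Qualitative attack impact, as in the text: 1 = Low, 2 = Medium, 3 = High."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# The n = 4 objective categories listed in the text, in the order given there.
OBJECTIVES = (
    "people health and personnel safety",
    "uninterrupted operation and service provision",
    "organization financial profit",
    "equipment damage and legal punishment",
)


def is_valid_ranking(priority: dict[str, int]) -> bool:
    """True if every objective has a priority and the priorities form a ranking 1..n."""
    n = len(OBJECTIVES)
    return set(priority) == set(OBJECTIVES) and sorted(priority.values()) == list(range(1, n + 1))


def damage(priority: dict[str, int], impact: dict[str, Impact]) -> int:
    """Eq. (2): sum over the n objectives of Objective Priority_k x Attack Impact_k."""
    if not is_valid_ranking(priority):
        raise ValueError("priority must rank every objective with a distinct value in 1..n")
    if set(impact) != set(OBJECTIVES):
        raise ValueError("impact must score every objective")
    return sum(priority[k] * int(impact[k]) for k in OBJECTIVES)


def risk(threat_probability: float, priority: dict[str, int], impact: dict[str, Impact]) -> float:
    """Eq. (1): weigh the damage by how likely the threat is to materialize in this system context."""
    if not 0.0 <= threat_probability <= 1.0:
        raise ValueError("threat probability must lie in [0, 1]")
    return threat_probability * damage(priority, impact)


def rank_threats(threats, priority):
    """Order (name, threat_probability, impact) tuples by risk under one objective ranking, highest first."""
    scored = [(name, risk(p, priority, imp)) for name, p, imp in threats]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Assumed priority/impact assignment: chosen only so that the four terms are
# 4 + 9 + 6 + 2 = 21, the total the text reports for Table 4 (whose rows are
# not reproduced here). Personnel safety ranks highest, as during a natural disaster.
DISASTER_PRIORITY = {OBJECTIVES[0]: 4, OBJECTIVES[1]: 3, OBJECTIVES[2]: 2, OBJECTIVES[3]: 1}
OUTAGE_IMPACT = {
    OBJECTIVES[0]: Impact.LOW,     # 4 x 1 = 4
    OBJECTIVES[1]: Impact.HIGH,    # 3 x 3 = 9
    OBJECTIVES[2]: Impact.HIGH,    # 2 x 3 = 6
    OBJECTIVES[3]: Impact.MEDIUM,  # 1 x 2 = 2
}
# Assumed ranking for an outage caused by a (non life-threatening) EPS fault:
# service continuity now outranks personnel safety, as the text describes.
EPS_FAULT_PRIORITY = {OBJECTIVES[0]: 3, OBJECTIVES[1]: 4, OBJECTIVES[2]: 2, OBJECTIVES[3]: 1}

# Constructed threats: labels follow the adversary/attack model dimensions of
# Sections III-A and III-B; the probabilities are illustrative, not measured.
FIRMWARE_IMPACT = {
    OBJECTIVES[0]: Impact.MEDIUM,
    OBJECTIVES[1]: Impact.HIGH,
    OBJECTIVES[2]: Impact.MEDIUM,
    OBJECTIVES[3]: Impact.HIGH,
}
THREATS = [
    ("FDIA on state estimation (gray-box, non-possession, Level 2)", 0.30, OUTAGE_IMPACT),
    ("module firmware implant on smart inverter (possession, Level 0)", 0.05, FIRMWARE_IMPACT),
]


if __name__ == "__main__":
    print("damage, disaster ranking :", damage(DISASTER_PRIORITY, OUTAGE_IMPACT))   # 21
    print("damage, EPS-fault ranking:", damage(EPS_FAULT_PRIORITY, OUTAGE_IMPACT))  # 23
    for name, score in rank_threats(THREATS, DISASTER_PRIORITY):
        print(f"risk {score:5.2f}  {name}")
```

The same impact vector scores 21 under the disaster ranking and 23 once service continuity is promoted to priority 4, which is the point the text makes about the same outage having different risk scores in different operating contexts; the ranking check rejects a priority dictionary that is not a permutation of 1..n, since Eq. (2) presupposes a strict ordering of the objectives.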


FIGURE 5. Cyber-physical system (CPS) framework: the cyber-system and physical-system layers are presented with their
respective factors, i.e., modeling, resources, and evaluation metrics, needed for conducting cyber-physical studies. Different use
cases requirements can be adjusted to perform CPS related investigations.

interconnection of multiple computing devices using common communication protocols over digital links with the purpose of sharing, storing, and processing resources and data located across networking nodes. In this paper, our developed framework focuses on elements that make up communication networks in CPES, i.e., the models, resources, and metrics used in the cyber-system layer are related to components such as smart meters, PMUs, EPS-related communication protocols (e.g., DNP3, IEC 61850, IEEE C37.118, etc.), and other networking devices that support communication in EPS operations.

A. MODELING
Models are able to represent systems by describing and explaining phenomena that cannot be experienced directly [141]. Such models are built from mathematical equations and/or data that are used to explain and predict the behavior and response of complex systems. Specifically for CPES, researchers focus on creating models capable of replicating the behavior of the components that comprise the cyber-system and physical-system layers of EPS, e.g., models for components such as PV systems, wind energy systems, ESS, transformers, transmission lines, distribution lines, smart meters, PMUs, routers, switches, etc. In this part, we describe the different modeling techniques used to model both the cyber and physical layers of CPES.

1) PHYSICAL-SYSTEM LAYER
The design and modeling of the physical system involve areas such as hardware design, hardware/component sizing, connection routing, and overall system testing. All components in this layer must be categorized based on their respective temporal and spatial requirements along with their intrinsic physical characteristics. In EPS, some of these characteristics and requirements are related to rated voltage, current, and power values, location of the generation and load resources, and physical characteristics of the lines (i.e., resistance, reactance, capacitance, and length). These features are utilized in developing models that represent the physical devices in the system. The objective is to capture and simulate system behavior so that a digital twin of the real system can be implemented. This ‘virtualization’ capability provides a significant advantage by allowing the analysis and study of different types of scenarios that can arise during the operation of the CPS. We can analyze and track physical processes, replicate potentially harmful operating conditions or scenarios, and accelerate the testing of software and hardware components. More specifically, for EPS modeling, the current state-of-the-art simulation technology is based on electromagnetic transient (EMT) and transient stability (TS) simulation techniques [142]–[144].

a) Electromagnetic transient (EMT): EMT simulation is a technique used to precisely reproduce the system response to fast dynamic events and system perturbations that occur in the range of tens of microseconds or lower, caused by fast switching electromagnetic fields or loading events. Due to requirements such as the unsymmetrical and instantaneous modeling of the signals and values that characterize the behavior of the system, nonlinear ordinary differential equations (ODE) are used to represent the system behavior in the EMT simulation environment. This detailed


modeling provides improved accuracy, compared to TS-type simulations, when capturing the system behavior and response to fast transient events. However, it requires high computational resources for the simulation of systems with a large number of components. Typical applications where EMT studies are used include the simulation of power electronic devices, unbalanced distribution systems, and the impact evaluation of DER integration into modern power networks.

b) Transient Stability (TS) Simulation: TS simulation is a technique used to capture the slow dynamic events, i.e., events in the range of tens of milliseconds and higher, that occur in power systems. These events are related to the voltage stability, rotor angle stability, and frequency stability phenomena. In TS, the EPS is represented by nonlinear differential algebraic equations (DAE). These equations are used to solve the system states assuming that the fundamental power frequency (e.g., 50 or 60 Hz) is maintained throughout the system. Commonly, TS-type simulations are used for studies related to the analysis, planning, operation, and control of EPS elements with large time-steps, i.e., in the milliseconds range. Given that large time-steps and positive-sequence phasor-domain simulations are used in TS-type simulations, they allow users to simulate large-scale T&D networks while requiring significantly less computational resources when compared to EMT-type simulations [142].

c) Hybrid Simulation (TS+EMT): Hybrid-simulation models make use of both EMT and TS simulation tools to leverage the benefits of two or more simulation environments, hence allowing even more comprehensive and accurate simulation studies. Some examples of these types of simulations are found in recent literature [145]–[147]. Integrated T&D co-simulations are a major field of study enabling the use of hybrid-simulation environments. Such environments can provide ways of simulating in detail, for example, power electronic converters interfaced with large-scale power networks. T&D co-simulation also provides an effective way of studying the diverse impacts that anomalous events (e.g., unintentional faults or intentional malicious attacks) may have locally and globally in the overall physical-system layer of the CPES.

2) CYBER-SYSTEM LAYER
The design and modeling of the cyber-system layer involve communication network modeling, communication protocol implementation, design of information systems, and data storage processing. To model this layer, researchers must have a deep understanding of the communication infrastructure that needs to be replicated using the respective cyber-system layer models. Some of the characteristics that need to be taken into consideration for modeling the communication infrastructure are: i) the topology of the communication network, ii) physical characteristics (cable lengths, physical components, delays, etc.), and iii) Quality-of-Service (QoS), among others [140]. In a real-world CPS (e.g., cellular networks, military zones, or SCADA systems), multiple and diverse networking and computing components comprise the cyber layer. This hinders the implementation of tests and studies designed to evaluate the operation and performance of the actual network, or to simply conduct any other CPS-related investigation.

As discussed in Section II, carrying out evaluation-type studies in real systems can be dangerous for human safety, excessively costly, and may cause interruption or degradation of the network performance and the QoS (as perceived by the users). To address these issues, models can be used to simulate or emulate the behavior and performance of the cyber-system layer under different scenarios. In essence, simulation allows replicating the behavior of cyber-system layer components, while emulation duplicates the behavior of these components and allows them to be used alongside real devices. The simulation and emulation of the cyber-system layer are fundamental tools for understanding and studying topics related to complex network deployment, networking architectures, communication protocol features, and deployment of new services.

The simulation/emulation modeling process is often instantiated by identifying all the network components, commonly referred to as communication network entities. These entities, i.e., node and link configurations, constitute the network topology. Fig. 6 depicts a conceptual illustration of how the modeling process is performed in a communication network simulation. As seen in Fig. 6, in a network simulator/emulator architecture, a node is a key entity that represents any computing device connected to the overarching network. This abstraction encapsulates all the possible representations of computing devices that may exist in a network setup. Some of these computing devices can refer to routers, switches, and hubs, which embody the backbone of the network, while computers, RTUs, PLCs, meters, and servers constitute the endpoints of the network. A node is primarily characterized by its packet transmission entity attribute. In this packet

FIGURE 6. Conceptual diagram of the modeling and simulation process of communication networks.

VOLUME 9, 2021 29793


I. Zografopoulos et al.: Cyber-Physical Energy Systems Security

transmission attribute, endpoints delineate the source or destination of the data packets, while all backbone elements perform the forwarding tasks related to these packets. Other parameters, known as state variables, differentiate the behavior of each one of the modeled nodes. Some of these parameters are memory consumption, physical location, battery power, and CPU utilization. Additionally, other simulation entities, such as NICs, help to identify nodes in the network. These interfaces also have individual state variables that represent their state (i.e., idle or busy, and installed or not installed) while being in charge of transmitting, receiving, and processing the packets exchanged with other network nodes.
Similar to the nodes, interfaces include other entities, such as queues and links, which represent realistic packet processing scenarios. Queues are modeled as buffers in the outgoing and incoming packet processes. Links are modeled as the connections between the two nodes communicating via the corresponding interfaces (i.e., the communication medium). More specifically, links are modeled by defining communication parameters such as the available bandwidth, propagation delays, jitter, and pre-defined packet loss rates. Furthermore, packets are modeled as entities that contain the data exchanged between nodes in the network. For each node in the network, entities that represent the protocol stack must also be defined, while the packet sizes are determined by the corresponding communication protocol (e.g., TCP, UDP, etc.).
A protocol entity is responsible for managing the outgoing and incoming packets by adding and removing packet headers. Protocol modeling is also a key process. It covers the specific steps required to accurately emulate the behavior of the protocol stack. In this process, models are developed to capture elements and properties from the network access layer, internet layer, transport layer, and application layer. Finally, models for performance evaluations, which do not represent real elements in the network, are also defined as additional entities that facilitate the implementation and evaluation of the network. Some representative examples of such entities are logging and helper utilities which can aid the network evaluation process [148].

B. RESOURCES
The ‘resources’ component represents the different hardware and software systems that form, and can be used to model and simulate, the cyber- and physical-system layers of the CPES being studied. In this part, we make a distinction between the hardware and simulation/emulation resources that need to be considered for modeling the cyber- and physical-system layers using tools and techniques such as offline simulation, emulation, real-time simulation, and HIL.

1) PHYSICAL-SYSTEM LAYER
The simulation and hardware resources for the modeling and implementation of the CPES physical-system layer are presented below.

FIGURE 7. Differences in the computation timing of offline simulation and real-time simulation: (a) slower-than real-time, (b) faster-than real-time, and (c) real-time simulation.

a) Simulation: A simulation provides a set of models or representations used to reproduce the behavior or operation of different processes of a particular system over time. Particularly for EPS, EMT- and TS-type simulations are the most prominent tools used to investigate the behavior of different system components. These simulation classes can be further classified into two main categories: offline and real-time simulations [149].
i) Offline simulation: Offline simulation tools provide a simple and cost-effective way of conducting simulations on any generic computing device. These tools can execute models at slower- or faster-than-real-time speeds depending on the complexity of the model as well as the availability of computing resources. Figs. 7a and 7b show how the computation time of the system models, for both slower- and faster-than-real-time offline simulations, is not synchronized with the simulation clock, i.e., the real-time clock. Offline simulations allow the simulation of complex systems without considering real-time constraints, which, for instance, enables researchers to simulate large periods of time, e.g., months or years, in a few minutes or seconds. Some tools and software which are available for this type of simulation include: MATLAB/Simscape Electrical (EMT & TS), OpenDSS (TS), Gridlab-D (TS),


eMegaSim (EMT), ePhasorSim (TS), and ETAP eMTP (EMT).
ii) Real-time simulation: Real-time simulation tools provide the capability of generating results that are synchronized with a real-time clock. This allows physical devices to be interfaced with the simulated system via realistic data exchanges synchronized using a real-time clock. Fig. 7c demonstrates how, for real-time simulation, the computation time for the system is synchronized with the simulation clock. The computation time needed to solve all the states of the simulated system needs to be lower than or exactly the same as the simulation clock, i.e., the real-time clock. Real-time simulation setups allow researchers to connect real devices using HIL techniques such as CHIL and PHIL. Some tools and software which are available for this type of simulation include: eMegaSim (EMT), ePhasorSim (TS), HyperSim (EMT), RTDS (EMT), and Typhoon HIL (EMT).
b) Hardware: Real-time HIL implementations allow the interconnection of external hardware devices to a real-time simulation environment through the appropriate I/O or networking interfaces. Two of these HIL techniques are CHIL and PHIL.
i) Controller Hardware-in-the-Loop (CHIL): In CHIL, physical devices are in constant communication and interaction with a simulation running in the real-time environment. This interconnection includes sending control signals and receiving feedback signals through I/O and/or networking ports [150], [151]. As seen in the hardware section of Fig. 5, a physical device connected using a CHIL implementation can be interfaced directly: i) with the physical-system layer simulation using the appropriate interface, or ii) through the cyber-system layer using standard communication protocols and corresponding networking components.
ii) Power Hardware-in-the-Loop (PHIL): In PHIL, a power hardware system such as a PV panel, inverter, or battery system is physically connected to the RTS through analog and digital I/O ports. A PHIL implementation needs the use of a power amplification unit that is responsible for the amplification and conversion of the digital voltage and current data signals – coming from the simulation environment – into the analog voltage and current signals required by the connected actual/physical device. Interfacing algorithms are also essential to facilitate the interconnection between the software models and the physical system [152].

2) CYBER-SYSTEM LAYER
The simulation/emulation and hardware resources related to the modeling and development of the cyber-system layer for the communication network are presented below.
a) Simulation/Emulation: As mentioned before, the main difference between simulation and emulation is that in a simulation the models used are designed to replicate the behavior of the system, while emulation is designed to duplicate the behavior of the system. A more detailed description of the difference between simulation and emulation is given below in the context of the resources required to effectively replicate the cyber-system layer.
i) Simulation: In network simulations, theoretical and mathematical models are developed to create entirely virtual models of the corresponding networking components. Network simulation tools use discrete-event simulation approaches that generate sequences of discrete events that characterize the discrete cyberspace. The two critical components of such discrete-event driven simulators are the simulation time variable and a list of pending future events. The simulation time variable represents the current time at which the state of the system is known (in the simulation), while the list of pending future events contains all the state changes that have been scheduled to occur in the future, which guide the flow of the simulation. In a network simulation, external devices cannot be interfaced with virtual simulated devices, contrary to a network emulation; hence, the entire communication network needs to be simulated. Some of the available software tools that support this type of simulation are: ns-2 [155], ns-3 [156], SimPy [157], and EXata [148], [158].
ii) Emulation: In network emulation, hardware and software solutions are designed to accurately replicate the behavior of networking components, exactly as if they were actual parts of an external network. Network emulation tools enable the configuration and manipulation of network parameters and constraints (e.g., packet loss, delays, jitter, etc.) to mimic the mirrored network. Some of the available software tools that support this type of network modeling are: the Common Open Research Emulator (CORE) [159], NetEm [160], and EXata [158]. Notably, some tools are capable of adapting network simulation models for emulation purposes by adding real-time synchronization mechanisms between the virtualized simulated environment and the real networking components [161], [162].
b) Hardware (HIL): Similar to the HIL implementations realized in the physical-system layer, HIL implementations of network components in the cyber-system


layer can also be performed using the corresponding networking interfaces. Networking HIL provides emulation capabilities that allow the integration of real equipment into the emulated network through standard communication protocols. Commonly, a larger portion of the network or system is emulated and connected with external (real) devices. Such a method provides high-fidelity responses – as expected from the actual device – while maintaining the scale of the emulation. Some software tools that support HIL with communication network models are EXataCPS [158], ns-3 [156], and CORE through the RJ45 utility [159].

C. PERFORMANCE METRICS
A multitude of metrics exists to evaluate the performance of the modeled cyber- and physical-system layers. The use of metrics allows the concise evaluation of the overall system alongside its corresponding subsystems. In essence, these metrics provide quantitative ways to measure and evaluate the performance of the system’s operation at a particular time, both at the cyber- and the physical-system layers.

TABLE 5. Physical-system layer performance metrics. These metrics are divided according to the domain where they can be measured.

1) PHYSICAL-SYSTEM LAYER
Some of the most commonly used metrics employed to evaluate the performance and operation of different functions that exist in the physical-system layer of CPES are presented in Table 5 and described below:
a) Control systems: Metrics related to control systems can be used to examine the performance of different control routines present at the physical-system layer. The evaluation can include the steady-state response of the system or other system performance indicators such as rise time, percent overshoot, settling time, steady-state error, and integral absolute error.
b) EPS resiliency, stability, and optimization: Performance metrics can be defined in order to evaluate the performance of the system according to a predefined baseline behavior. For instance, in an EPS where the operation of a new MG controller is investigated, performance metrics related to voltage regulation, frequency regulation, energy cost, and power quality can be utilized. Similarly, especially for controllers, which are limited by their computing resources, different performance metrics can be utilized to determine execution times, CPU utilization, and memory utilization.
c) Simulation accuracy: The simulation accuracy, either offline or real-time, can also be assessed based on different performance metrics dependent on the stability and accuracy of the system response, respectively. The main objective of these metrics is to validate the response of different physical systems (being simulated) when compared to the actual response expected from the system under examination.

2) CYBER-SYSTEM LAYER
Different metrics can be utilized to evaluate the performance of the modeled cyber-system layer communication network. Here, we demonstrate, as a practical example, some of the


most widely used metrics designed to evaluate the network performance at different layers of the open systems interconnection (OSI) model [148]. Table 6 outlines some representative network performance metrics.

TABLE 6. Cyber-system layer performance metrics. These metrics are divided according to the OSI model layer and connection where they can be measured.

a) Physical (L1) and Data Link Layers (L2): These layers describe how data should be generated and transmitted by network devices over the corresponding physical media.
b) Network Layer (L3): This layer describes how data packets are transferred between a source and a destination node inside the network. It represents layer 3 of the OSI model. The main performance metrics described below are designed to evaluate two main routing functions: path selection and network topology management. Path selection aims to determine the best path from source to destination, while network topology management defines how network entities are interconnected for data forwarding purposes.
c) Transport (L4), Session (L5), Presentation (L6), and Application (L7) Layers: These layers describe the shared communication protocols and interfacing methods used by the nodes in the network. In essence, these are the layers responsible for providing full end-user access to the communication network infrastructure.
It is important to note that many other network and physical performance metrics can be used to evaluate specific scenarios. The presented lists include a subset of the available metrics discussed in the literature. There are also application-specific metrics that can be defined according to each study’s requirements. Overall, researchers should carefully model their systems as well as select the corresponding resources and metrics to accurately represent the cyber- and physical-layer of the CPES under test. This will allow the integration of any external physical device, either through CHIL and/or PHIL, and ensure the holistic validation of the system’s operation.
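The cyber-system layer modeling entities described in this section (nodes with NIC state variables, queues, links defined by bandwidth, propagation delay, jitter and loss rate, packets) and the network performance metrics just discussed, brought together in one runnable discrete-event simulator. This is an added example written for this page, not the paper's code nor that of ns-3, EXata or CORE; the link parameters and traffic pattern are constructed.

```python
"""Added example (not from the paper or ns-3/EXata/CORE): a minimal discrete-event
network simulator using the entities described above (NIC with busy/idle state and
an outgoing buffer, link with bandwidth/propagation delay/jitter/loss, packets, a
simulation time variable plus a heap of pending events) and the resulting metrics."""
import heapq
import random
from dataclasses import dataclass, field
from itertools import count
from statistics import mean
from typing import List, Optional


@dataclass
class Link:
    bandwidth_bps: float        # link capacity
    prop_delay_s: float         # propagation delay of the medium
    jitter_s: float = 0.0       # maximum extra random delay per packet
    loss_rate: float = 0.0      # pre-defined probability of losing a packet


@dataclass
class Packet:
    seq: int
    size_bytes: int
    sent_at: float
    received_at: Optional[float] = None


@dataclass
class Nic:
    """Interface entity: busy/idle state variable plus an outgoing FIFO buffer."""
    link: Link
    queue_capacity: int
    busy: bool = False
    queue: List[Packet] = field(default_factory=list)
    dropped: int = 0


class Simulator:
    def __init__(self, seed: int = 1):
        self.now = 0.0                      # simulation time variable
        self._events: list = []             # pending future events (min-heap)
        self._ids = count()                 # tie-breaker for equal timestamps
        self.rng = random.Random(seed)      # seeded so runs are reproducible
        self.delivered: List[Packet] = []

    def schedule(self, delay: float, fn, *args) -> None:
        heapq.heappush(self._events, (self.now + delay, next(self._ids), fn, args))

    def run(self) -> None:
        """Pop events in timestamp order, advancing the simulation clock."""
        while self._events:
            self.now, _, fn, args = heapq.heappop(self._events)
            fn(*args)

    def send(self, nic: Nic, pkt: Packet) -> None:
        """Sender node hands a packet to its NIC; a full buffer means a drop."""
        if not nic.busy:
            self._start_tx(nic, pkt)
        elif len(nic.queue) < nic.queue_capacity:
            nic.queue.append(pkt)
        else:
            nic.dropped += 1

    def _start_tx(self, nic: Nic, pkt: Packet) -> None:
        nic.busy = True
        tx_time = pkt.size_bytes * 8 / nic.link.bandwidth_bps   # serialization delay
        self.schedule(tx_time, self._end_tx, nic, pkt)

    def _end_tx(self, nic: Nic, pkt: Packet) -> None:
        link = nic.link
        if self.rng.random() < link.loss_rate:                  # lost on the medium
            nic.dropped += 1
        else:
            extra = self.rng.uniform(0.0, link.jitter_s) if link.jitter_s else 0.0
            self.schedule(link.prop_delay_s + extra, self._receive, pkt)
        if nic.queue:                                           # serve next buffered packet
            self._start_tx(nic, nic.queue.pop(0))
        else:
            nic.busy = False

    def _receive(self, pkt: Packet) -> None:
        pkt.received_at = self.now
        self.delivered.append(pkt)


def run_flow(link: Link, n_packets: int, size_bytes: int, interval_s: float,
             queue_capacity: int = 64, seed: int = 1) -> dict:
    """Simulate a one-way flow of fixed-size packets and compute its metrics."""
    sim = Simulator(seed)
    nic = Nic(link, queue_capacity)
    for i in range(n_packets):
        pkt = Packet(i, size_bytes, sent_at=i * interval_s)
        sim.schedule(pkt.sent_at, sim.send, nic, pkt)
    sim.run()
    delays = [p.received_at - p.sent_at for p in sim.delivered]
    jitter = mean(abs(b - a) for a, b in zip(delays, delays[1:])) if len(delays) > 1 else 0.0
    last_arrival = max((p.received_at for p in sim.delivered), default=0.0)
    bits = sum(p.size_bytes * 8 for p in sim.delivered)
    return {
        "delivered": len(sim.delivered),
        "loss_ratio": 1.0 - len(sim.delivered) / n_packets,
        "mean_delay_s": mean(delays) if delays else float("nan"),
        "jitter_s": jitter,
        "throughput_bps": bits / last_arrival if last_arrival else 0.0,
    }
```

With a 1 Mbps link, 5 ms propagation delay and 1250-byte packets sent every 2 ms, the queue builds up and each successive packet sees 8 ms more delay; a queue capacity of 2 turns the overload into congestion loss.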

V. EXPERIMENTAL SETUP & CASE STUDIES
The case studies discussed in this section demonstrate how the presented threat modeling approach, the CPS framework, and the risk assessment methodology can be utilized to perform detailed CPES studies. Table 7 describes how each study can be formalized using our proposed threat modeling method. Next, the corresponding modeling layers, resources, and evaluation metrics are identified for each case study according to the conceptual CPS framework. Additionally, for each attack scenario, the specific background and mathematical formulation are described and the corresponding threat model is provided based on Section III. The threat model describes the assumptions made for the adversary intentions and capabilities as well as the attack-specific details, demonstrating the practicality of our modeling approach for diverse attack scenarios. Furthermore, we demonstrate how the proposed risk assessment procedure can be applied to each case study and assist in prioritizing mitigation strategies. In our work, the objective priority for CPES is outlined in Table 8. It should be noted that the order of objectives might change depending on the system’s component being analyzed or the stakeholders’ priorities. For instance, the impact of the ‘‘uninterrupted operation and service provision’’ objective could indicate less priority in the case of a compromised inverter serving as an ancillary power generation source in a residential deployment, in contrast to a T&D system-wide attack.

TABLE 7. Threat model of the attack case studies.

TABLE 8. Objective Priority for CPES Risk Assessment.

TABLE 9. Symbols and notation for case studies formulation.

The attack cases presented in this section can be characterized as either DIA or data availability attacks (DAA). Table 9 provides the essential notation for the case studies. Each scenario follows a mathematical background as part of a CPS plant formulation:

$x(k+1) = G\,x(k) + B\,u(k)$ (3)

$y(k) = C\,x(k) + e(k)$ (4)


where $x(k) \in \mathbb{R}^n$ represents the states of the system, $u(k) \in \mathbb{R}^l$ represents the control variables, and $y(k) \in \mathbb{R}^m$ represents the system measurements. $G \in \mathbb{R}^{n \times n}$, $B \in \mathbb{R}^{n \times l}$, and $C \in \mathbb{R}^{m \times n}$ represent the system matrix, input matrix, and output matrix, respectively. The term $e \in \mathbb{R}^m$ represents measurement noise in the system’s input measurements. As for the cyber part of the CPS, it can be generally expressed as:

$u(k+1) = H\,y(k)$ (5)

where $H \in \mathbb{R}^{l \times m}$ represents the control matrix [163].
Fig. 8 depicts a diagram of the CPS mathematical formulation and the respective variables compromised by attackers during DIA and DAA scenarios. In the DIA case, either the measurements ($y$) or the control variables ($u$) can be compromised by attackers via modification or fabrication. On the other hand, in a DAA scenario, either the measurements ($y$) or controls ($u$) can be compromised by attackers via interruption, i.e., delaying their acquisition or utilization by the system.

FIGURE 8. Diagram of CPS plant under DIA and DAA scenarios.

A. CASE STUDY 1: CROSS-LAYER FIRMWARE ATTACKS
Background & Formulation: Cross-layer firmware attacks refer to attacks targeting the firmware code of embedded devices (i.e., the device read-only resident code which includes microcode and macro-instruction level routines), aiming to generate and propagate impacts from the device layer to the system and application layers, respectively. Typically, embedded devices in industrial CPS run on bare metal hardware without an OS and directly boot monolithic single-purpose software. In such devices, tasks are executed on a single-threaded infinite loop. If the device firmware code execution is maliciously modified, adversaries could gain total control over the embedded device. The effects of such attacks can have a cross-layer impact affecting multiple components and processes of the CPS. For example, in a CPES, by modifying the firmware controlling grid-tied inverters connected to BESS or EV chargers, an adversary could compromise the system’s measurements, thus causing frequency fluctuations, voltage sags, and system stability issues. Other scenarios could even cause wide-area outages, such as the Ukrainian power grid attack in 2015, in which attackers replaced the legitimate firmware of serial-to-Ethernet converters at substations, causing them to become inoperable [14]. In general, cross-layer firmware attacks can be categorized as a DIA-type attack since modifications at the firmware level could result in compromising the integrity of data at different CPS layers.
In this type of DIA, the adversary (through firmware modifications) can tamper with the input/sensed measurements (e.g., modify, scale, etc.), $y(k)$, and thus directly affect the inverter control strategy and variables, $u(k)$, driving the system into instability. This type of attack can be characterized as a combined DIA attack [164]–[166]. In more detail, the system’s input measurements are modified using both an additive random/white noise component and an attack model in which nominal measurements are scaled (increased or decreased). These DIAs can be modeled as:

$y_a(k) = \begin{cases} y(k), & k \notin T_{attack} \\ \beta\,y(k) + W, & k \in T_{attack} \end{cases}$ (6)

where $\beta$ represents the multiplicative attack term, $W$ represents the additive random/white noise attack, $T_{attack}$ represents the period of time when the DIA is performed, and $y_a$ represents the ‘altered’/attacked input measurements. $\beta > 1$ represents increasing-type attacks, and $\beta < 1$ decreasing attacks.
Following this combined-type DIA mathematical formulation, we demonstrate how the inverter operation can be compromised by spoofing its energy conversion module. The results of this compromise affect not only the inverter behavior but also propagate and impact the MG operation as well.
Threat Model: As presented in Section III, the threat modeling process for any attack can be characterized by the adversary model and the attack model formulations. Specifically, in this cross-layer firmware attack case, we assume an oblivious adversary without full observability of the CPES, and who has direct physical access to the targeted hardware controller (i.e., adversary access: possession). Regarding adversarial specificity, the attack is presumed to be a non-targeted attack. The adversarial resources could range from the minimum, i.e., Class I, up to state-funded criminal organizations (Class II), in the worst-case scenario.
Furthermore, our case study assumes an attack that occurs iteratively and can be reproduced multiple times. The targeted asset is a solar inverter controller, so the attack level is defined as Level 1. Finally, the technique employed to compromise the system involves control logic code modification, and the attack premise can be categorized as either invasive or non-invasive (on the physical domain) or could target the inverter control (e.g., power conversion, power factor, active/reactive injections, setpoints, etc.) using malicious commands (on the cyber domain).
Attack Setup & Evaluation: In this case study, a cross-layer firmware attack is modeled as a DIA that compromises physical components, more specifically a PV inverter, at the physical-system layer of the CPES. Both EMT and TS simulation modeling approaches are used to model an MG system comprised of a solar PV with its inverter, a Li-ion BESS, a diesel generator, and residential and industrial loads. The MG is connected to the main grid via a 13.8 kV/5 kV distribution substation transformer with a capacity of 250 MVA.
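Eq. (6) and the MPPT measurement tampering of this case study carried through in code, as an added example that is not the paper's Simscape model: a constructed PV curve and perturb-and-observe (P&O) MPPT loop, the combined DIA with β = 0.7 plus an additive sinusoidal term W(k) during T_attack, a stability metric on the true operating point, and a defender-side plausibility check that compares the reported PV power with the irradiance-derived maximum. All array and controller parameters are constructed (the array is sized near the MG's 250 kW PV inverter).

```python
"""Added example (not code from the paper): the combined DIA of Eq. (6),
y_a(k) = beta*y(k) + W for k in T_attack, applied to the PV voltage/current
measurements that feed a perturb-and-observe (P&O) MPPT loop, plus a
defender-side plausibility check on the reported PV power.  The PV curve,
controller and irradiance are constructed toy models, not the Simscape MG."""
import math
from typing import Callable, Dict, List, Tuple

Measurement = Tuple[float, float]           # y(k) = (PV voltage, PV current)

# Constructed PV array: roughly 250 kW at STC, as in the case-study MG.
V_OC, V_T, I_SC_STC = 400.0, 20.0, 800.0


def pv_current(v: float, irradiance: float) -> float:
    """Toy single-diode-like I-V curve, scaled linearly with irradiance (W/m^2)."""
    i = I_SC_STC * (irradiance / 1000.0) * (1.0 - math.exp((v - V_OC) / V_T))
    return max(i, 0.0)


def expected_mpp_power(irradiance: float) -> float:
    """Defender's reference: maximum PV power the array can produce at this irradiance."""
    return max(v * pv_current(v, irradiance) for v in range(0, int(V_OC) + 1))


def dia(y: Measurement, k: int, t_attack: range, beta: float,
        w: Callable[[int], Measurement]) -> Measurement:
    """Eq. (6): measurements pass through untouched outside T_attack; inside it
    they are scaled by beta and the additive term W(k) is injected."""
    if k not in t_attack:
        return y
    w_v, w_i = w(k)
    return (beta * y[0] + w_v, beta * y[1] + w_i)


def mppt_po(v_meas: float, i_meas: float, state: Dict[str, float], step: float = 2.0) -> float:
    """Perturb-and-observe MPPT: keep perturbing V in the same direction while the
    measured power rises; reverse the direction when it falls."""
    p = v_meas * i_meas
    if p < state["p_prev"]:
        state["dir"] *= -1
    state["p_prev"] = p
    state["v_ref"] = min(max(state["v_ref"] + state["dir"] * step, 0.0), V_OC)
    return state["v_ref"]


def simulate(n_steps: int = 200, t_attack: range = range(100, 200), beta: float = 0.7,
             irradiance: float = 1000.0) -> List[Tuple[int, float, float, float]]:
    """Run the loop; returns (k, true V, true P, reported/attacked P) per step.
    The DC-DC stage is assumed to track v_ref exactly (simplification)."""
    state = {"v_ref": 250.0, "dir": 1.0, "p_prev": 0.0}

    def w(k: int) -> Measurement:
        # Constructed additive sinusoidal term (the case study uses sinusoidal noise).
        s = math.sin(2 * math.pi * k / 10)
        return (15.0 * s, 40.0 * s)

    log = []
    for k in range(n_steps):
        v_true = state["v_ref"]
        i_true = pv_current(v_true, irradiance)
        y_a = dia((v_true, i_true), k, t_attack, beta, w)   # what the firmware reports
        mppt_po(y_a[0], y_a[1], state)                        # controller acts on y_a
        log.append((k, v_true, v_true * i_true, y_a[0] * y_a[1]))
    return log


def power_spread(log, start: int, stop: int) -> float:
    """Max minus min of the true PV power over k in [start, stop): a stability metric."""
    p = [row[2] for row in log if start <= row[0] < stop]
    return max(p) - min(p)


def plausibility_flags(log, irradiance: float, tol: float = 0.15, warmup: int = 60) -> List[int]:
    """Defender check: after MPPT warm-up, the reported PV power should sit within
    tol of the irradiance-derived maximum; steps outside that band are flagged."""
    p_exp = expected_mpp_power(irradiance)
    return [k for k, _, _, p_rep in log if k >= warmup and abs(p_rep - p_exp) > tol * p_exp]
```

Before the attack the P&O loop settles within a few watts of the MPP; once the down-scaled, noise-laden measurements arrive the controller's perturbation direction follows the injected sinusoid and the true operating point wanders hundreds of watts away, while every attacked step is flagged by the plausibility check.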


The nameplate generation capacity for the diesel generator is set to 1 MW. The maximum generation capacity that the PV inverter can reach is 250 kW based on the provided solar irradiance profile. The BESS is capable of providing up to 100 kW and storing 100 kWh. The loads of the MG include aggregated residential loads with a constant power demand of 250 kW and a variable lumped industrial load whose power demand ranges between 250-750 kW. Fig. 9 shows a conceptual illustration of the described MG. The main software resource used to conduct the EMT and TS offline simulations of the physical-system layer for this case study is MATLAB/Simscape Electrical.

FIGURE 9. Conceptual illustration of the MG system used for the cross-layer firmware case study.

FIGURE 10. Cross-layer firmware attack targeting the inverter’s maximum power point tracking (MPPT) controller.

FIGURE 11. Cross-layer firmware attack impact on the DC-DC converter stage: (a) solar irradiance profile, (b) impact on the DC voltage output, and (c) impact on the DC power output.

In Fig. 10 we illustrate the top-level architectural overview of an inverter, the core components comprising it, and the maximum power point tracking (MPPT) controller block that is the main target of this attack use case. Attackers can disrupt the nominal inverter operation by tampering with the firmware subroutines which control both the DC-DC boost and the DC-AC conversion stages. In particular, Figs. 11 and 12 demonstrate the specifics of how the operation of an inverter can be affected by an adversary capable of compromising the firmware. For our use case, we employ a grid-tied solar inverter module provided by Texas Instruments [167]. The inverter leverages an F2803x series control card which is responsible for managing the inverter’s peripheral devices (e.g., sensing modules, analog-to-digital converters, transistor gate driver circuits, etc.) as well as the power conversion process (i.e., solar energy to electricity). By modifying the operation of the MPPT algorithm – within the firmware code of the control card that the inverter utilizes to optimize the output power generated by the solar panels – the attacker is able to destabilize the operation of the converter.
MPPT algorithms enable inverters to obtain high power conversion efficiencies. By constantly monitoring the solar PV outputs (i.e., PV generated voltage and current), MPPT algorithms regulate the converter’s operating point, achieving maximal power transfer. Given that the PV real-time generation measurements are critical for the MPPT operation, any perturbations of the sensed values can potentially compromise the inverter’s nominal operation. For our case study, the modification of the inverter’s firmware tampers with the inverter’s MPPT function and the controls of the DC-DC and DC-AC converters. In the context of DIA attacks, the sensed inputs to the MPPT function, i.e., PV voltage and current, are maliciously modified. By tampering with the MPPT input measurements, down-scaling them and introducing additive sinusoidal noise (combined-type DIA attack), we are able to generate the oscillatory behavior depicted in Fig. 11. This unstable behavior propagates through the inverter’s power conversion process leading to anomalous


FIGURE 12. Cross-layer firmware attack impact on the DC-AC converter stage (grid-tied inverter end): (a) impact on the AC voltage output, (b) impact on the AC current output, and (c) impact on the AC power output.

FIGURE 13. Cross-layer firmware attack impact on the power grid: (a) renewable source generated power, (b) phasor and EMT magnitude of the MG voltage, and (c) MG operating frequency.

behavior on the grid-tied inverter end, as seen in Fig. 12. The result of this compromise is the eventual disconnection of the inverter-enabled power resource (t = 1 sec) in order to protect the rest of the MG devices and avoid operational disruptions.
The metrics used to evaluate the performance and behavior of the MG operation, based on the presented CPS framework, are the physical-system layer performance metrics related to frequency stability and voltage stability. Fig. 13 demonstrates the overall impact of malicious inverter operation on the MG, and how the grid’s power, voltage, and frequency are affected. In more detail, we notice that at t = 35 sec, when a significant load increase in the MG occurs, the contribution of the anomalous inverter behavior significantly impacts the frequency, causing potential stability issues. However, at t = 15 sec and t = 50 sec, when the power generation of the inverter as well as its power contribution to the grid is much lower following the solar irradiance profile, the impact of the inverter’s malicious behavior is reduced. Thus, from an adversarial perspective, targeting an inverter device during peak hours, when the solar generation is reaching its maximum, can yield significant implications for the grid’s operation. Fig. 11 shows the impact of the attack on the DC side of the converter. It can be observed that both the DC voltage and current fluctuate, creating harmonic distortion at the output. Similarly, Fig. 12 demonstrates how the AC power generation is affected by the firmware modification attack. At t = 1 sec the oscillatory behavior causes an islanding scenario that disconnects the PV system from the rest of the MG. Fig. 14 shows the mapping of the presented case study with the CPS framework.

FIGURE 14. Mapping of cross-layer firmware attack case study with CPS framework.

It is important to note that in the presented case study, it is assumed that the cross-layer firmware attack is performed by an adversary with the capability of compromising the physical device; hence, modeling the cyber-system layer was


not required. An extension of this study could involve the implementation of an over-the-air cross-layer firmware attack that compromises a device via the cyber-system layer. Implementing such a scenario would also require modeling the cyber-system layer, i.e., the communication network that serves as the medium and entry point for the attack.

Risk Assessment: Due to the inherent difficulty of gaining simultaneous access to multiple devices in order to cause severe impacts on grid operation, the Threat Probability for this type of attack is set to Medium (2). For the resulting-damage part of the Risk formula, we use the priorities indicated in Table 8, and set the “People health and personnel safety”, “Uninterrupted operation and service provision”, and “Equipment damage and legal punishment” attack impacts to Low (1), while the “Organization financial profit” counterpart is set to Medium (2). Thus, the comprehensive Risk for the evaluated cross-layer firmware attack study is estimated to be $2 \times \sum (4 + 3 + 2 + 2) = 22$.

B. CASE STUDY 2: LOAD-CHANGING ATTACKS

Background & Formulation: In load-changing attacks, an adversary triggers an unexpected or sudden demand increase or decrease of IoT-connected high-wattage appliances and DERs, with the objective of causing grid instabilities [12]. Although currently hypothetical, due to the low penetration rates of IoT-controllable high-wattage loads and DERs, load-changing attacks are projected to become a ‘real’ threat in the near future as the number of controllable DERs and loads is anticipated to grow exponentially [168]–[170]. Attackers able to install malware that could control DERs and load consumption can therefore maliciously manipulate system operating conditions and affect the CPES. One example of such an attack can entail an adversary capable of synchronously switching high-wattage devices on and off at unexpected times, causing power, voltage, and frequency instabilities, i.e., an Aurora-type attack at the load side [171]. This event could also potentially damage utility equipment or initiate cascading failures in distribution systems.

In terms of mathematical formulation, load-changing attacks can be framed as a DIA-type attack that maliciously modifies the control variables of loads in CPES, causing significant unexpected power variations that could, in turn, lead to circuit overflows or instabilities at certain vulnerable locations of the electric grid. This type of attack involves the malicious manipulation of high-wattage appliances and/or DERs that can significantly disturb the balance between power supply and demand. In order to perform this type of attack, we assume that the adversary accesses and controls multiple compromised elements through the cyber layer of the system, i.e., its communication network infrastructure, and then manipulates their control variables, causing rapid fluctuations in the system’s response. A load-changing attack is different from a ‘measurements-altering’ DIA in the sense that, instead of measurements being affected, the control variables are the ones being directly manipulated by the adversary. Using the same CPS system described by Eqs. (3)–(5), the generalized DIA for the load-changing attack scenario is described by:

$$x_a(k+1) = G\,x(k) + B\big(u(k) + \Delta u(k)\big) \quad (7)$$

$$y_a = C\big(x(k+1) + B\,\Delta u(k)\big) + e(k+1) \quad (8)$$

where $x_a$ and $y_a$ represent the states and measurements, respectively, ‘altered’ by the manipulation of the system’s control variables $\Delta u$.

In order to map the above formulation to the load-changing attack case within CPES, the term $u$ in Eq. (7) can be adapted to represent the controllable ‘altered’ load demand in the system as:

$$d_a(k) = d_i(k) + \Delta d(k) \quad (9)$$

where $d$ represents the controllable load demand, $d_i$ is the initial ‘un-altered’ load demand, $\Delta d$ is the portion of the total load demand affected by the attack, and $d_a$ represents the total load demand ‘altered’ by the load-changing attack. If the attackers simultaneously compromise more than one load in the system, Eq. (9) can be extended as:

$$D_T(k) = \sum_{l=1}^{m} d_{i,l}(k) + \sum_{j=1}^{n} d_{a,j}(k) + P_{loss} \quad (10)$$

where $D_T$ represents the total demand in the system, $m$ is the total number of ‘unaltered’ loads, $n$ is the total number of loads compromised by adversaries, and $P_{loss}$ is the total loss in the distribution network.

Based on the CPES requirement to balance load and generation in real-time in order to maintain frequency stability in the system [172], the sum of all generation output must approximately equal the sum of all load demands and losses:

$$D_T(k) \approx \sum_{g=1}^{N_g} P_g(k) \quad (11)$$

where $N_g$ represents the number of generators $g$ in the system. To understand the effect of sudden load changes on the frequency stability at each generator bus, we use the swing equations. The swing equations in Eqs. (12)–(14) describe the relationship between the input mechanical power ($P_m$), output electrical power ($P_e$), and the rotational speed of the generator ($\omega$) [173]. The term $P_e$ is directly related to $P_g$, since it represents the generator power output plus the electrical losses of the generating unit.

$$\frac{2H}{\omega_s}\,\frac{d^2\delta}{dt^2} = P_m - P_e \quad (12)$$

$$\frac{d\delta(t)}{dt} = \omega(t) - \omega_s \quad (13)$$

$$\frac{2H}{\omega_s}\,\frac{d\omega(t)}{dt} = P_m - P_e \quad (14)$$

$$P_e = \frac{V_s V_r}{X}\,\sin(\delta) \quad (15)$$

In these equations, $H$ represents the constant normalized inertia, $\omega_s$ is the synchronous speed (i.e., 50 or 60 Hz), and
$\delta$ is the power angle, i.e., the angle between the generator’s internal voltage (the voltage at the generator bus $V_s$) and its terminal voltage (the voltage at the receiving bus $V_r$). $X$ is the reactance based on the classical model of a generator [174]. The relationship between the electrical frequency $\omega(t)$ and the power angle $\delta$ is shown in Eq. (13). Based on these relationships, any sudden change in load demand, caused by high-wattage loads turning on/off in the system, will affect $P_e$ and thus cause subsequent frequency fluctuations, as seen in Eq. (14).
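As an added illustration of Eqs. (12)–(15) (example code written for this page, not the authors’ simulation), the block below integrates the single-machine swing equation under a 0.5 sec load-changing step and classifies the resulting frequency against the corrective bands of Fig. 18. The inertia, damping and droop-governor parameters are constructed, not IEEE-39 bus values, and the governor model itself is an assumption added so that the post-attack overshoot reported for Fig. 17 is reproduced.

```python
"""Added example, not the paper's code: single-machine swing-equation response
(Eq. 14 in per-unit form) to a 0.5 sec load-changing step, with the frequency
classified against the corrective bands of Fig. 18. The inertia, damping and
droop governor below are constructed assumptions, not IEEE-39 bus parameters."""
import math

F_NOM = 60.0                  # nominal frequency [Hz]
W_S = 2.0 * math.pi * F_NOM   # synchronous speed omega_s [rad/s]


def classify_frequency(f_hz):
    """Map a measured frequency to the corrective mechanism named in Fig. 18."""
    if f_hz >= 62.2 or f_hz <= 57.8:
        return "trip"        # relays/CBs trip to protect generators
    if abs(f_hz - F_NOM) > 0.036:
        return "governor"    # generator governors act on the deviation
    return "agc"             # AGC corrects minute deviations


def simulate_load_step(delta_p=0.20, t_on=4.0, duration=0.5, h=5.0,
                       damping=1.0, droop=0.05, tau_g=0.5, t_end=15.0, dt=1e-3):
    """Forward-Euler integration of the swing equation with a droop governor.

    delta_p : attack size as a fraction of the pre-attack electrical load (p.u.)
    h       : inertia constant H [s];  damping : load damping D [p.u./p.u.]
    droop   : governor droop R;        tau_g   : governor time constant [s]
    Returns (times, freqs_hz)."""
    pe0 = 1.0       # pre-attack electrical power P_e [p.u.]
    pm = pe0        # mechanical power P_m starts balanced with P_e
    w = W_S         # rotor electrical speed omega [rad/s]
    times, freqs = [], []
    steps = int(round(t_end / dt))
    for i in range(steps + 1):
        t = i * dt
        attacked = t_on <= t < t_on + duration
        pe = pe0 + (delta_p if attacked else 0.0)
        dw_pu = (w - W_S) / W_S                            # speed deviation [p.u.]
        # Eq. (14): (2H/w_s) dw/dt = P_m - P_e, plus load damping D*dw
        dw_dt = (W_S / (2.0 * h)) * (pm - pe - damping * dw_pu)
        # assumed droop governor: P_m tracks P_ref - dw/R with lag tau_g
        pm += dt * ((pe0 - dw_pu / droop) - pm) / tau_g
        w += dt * dw_dt
        times.append(t)
        freqs.append(w / (2.0 * math.pi))
    return times, freqs


def attack_impact(delta_p=0.20, t_on=4.0, duration=0.5):
    """Nadir during the attack, peak after its termination, and final frequency [Hz]."""
    times, freqs = simulate_load_step(delta_p, t_on, duration)
    during = [f for t, f in zip(times, freqs) if t_on <= t < t_on + duration]
    after = [f for t, f in zip(times, freqs) if t >= t_on + duration]
    return min(during), max(after), freqs[-1]


if __name__ == "__main__":
    for size in (0.20, 0.50):
        nadir, peak, final = attack_impact(size)
        print(f"{int(size * 100)}% step: nadir {nadir:.2f} Hz "
              f"({classify_frequency(nadir)}), peak {peak:.2f} Hz, "
              f"settles at {final:.2f} Hz")
```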
Threat Model: In the load-changing attack case study, the adversary is assumed to be either oblivious, i.e., having no knowledge of the system topology, or to have limited knowledge. Such limited information regarding the CPES could assist in optimally coordinating the attack and could be acquired, for example, via open-source intelligence techniques. The adversary can perform the attack remotely; thus, possession of the IoT devices controlling the high-wattage loads is not presumed. Load-changing attacks are targeted attacks aiming to destabilize grid operation by causing blackouts, voltage sags, and/or frequency fluctuations. As a consequence, determined adversaries with significant resources at their disposal (Class II attackers) are required to successfully materialize such attacks.

As for the attack model of the load-changing scenario, the attack frequency component is considered iterative, since a single attack incident may not be sufficient to cause a significant effect on the system. The reproducibility of such stealthy and indirect attacks is set to multiple-times. Furthermore, the attack functional level is Level 1 or 2, per the assets that are vulnerable and enable this load-changing scenario (e.g., PLCs, controllers, HMIs, etc.). Last, the attack techniques that the adversaries use can include either control logic modifications if PLCs are targeted or wireless compromise if a wireless controller is affected. In both cases, the attacks target the cyber domain, and specifically the integrity of the in-transit data issued from HMIs or SCADA MTUs (i.e., communications and protocols), or of the control commands to PLCs.

Attack Setup & Evaluation: In order to demonstrate the effects of load-changing attacks on CPES, we simulate such attacks targeting multiple load buses in the IEEE-39 bus system. Three vulnerable load buses (buses 16, 23, and 29) are selected as the targets for the load-changing attacks [175], as shown in Fig. 15.

FIGURE 15. Load-changing attack on IEEE-39 bus system. Load-changing attack targets are shown as red arrows in the system topology.

In this case study, it is important to examine the dynamic impact of frequency instabilities caused by load-changing attacks. Hence, to study these frequency instabilities, we model the physical-system layer using an EMT approach with support from real-time simulation. At this layer, the generators are modeled as synchronous machines taking into consideration the dynamics of the stator, the field, and the damper windings. An excitation system is used for the system’s control and protection functions designed to handle any disturbances measured in the power system [176]. Loads are modeled as constant impedance, current, and power (ZIP) models [177]. The mapping of this load-changing attack case study to the CPS framework is presented in Fig. 16. The main software resource used to conduct the EMT real-time simulations of the physical-system layer is eMegaSim (from Opal-RT). The metrics used to evaluate the performance and behavior of the IEEE-39 bus test system, based on the presented CPS framework, are the physical-system layer performance metrics related to frequency stability (Table 5).

FIGURE 16. Mapping of load-changing attack case study leveraging the CPS framework.

In order to evaluate the impact of the load-changing attack on the power grid frequency, we observe the frequency variations measured at the generators’ connections to the grid. We develop four different scenarios of load-changing attacks in which the system is initialized with the original load values from the literature [178], and the system frequency is kept at a nominal value of 60 Hz. All load-changing attacks are triggered at t = 4sec with a duration of 0.5sec. Fig. 17a shows the effect of a 20% load demand increase at bus 29. Such a sudden load demand increase causes the measured frequency to decrease to around 59.87 Hz on the nearby generator 9, while having a smaller impact on other generators. At t = 4.5sec, when the load demand increase is terminated, the frequency fluctuates and increases to around 60.11 Hz at bus 29. Fig. 17b shows the results of a simultaneous load-changing attack that causes a 20% load demand increase at buses 29 and 16. The main difference between this case and the first scenario is the higher number of generators that are affected by the attack.

A load-changing attack with greater system impact is depicted in Fig. 17c. In this scenario, an attack is simulated as
a 50% load demand increase that simultaneously affects buses 29 and 16. Here, we observe that the frequency measured at multiple generators approximately reaches 59.85 Hz when the load-changing attacks are triggered at t = 4sec, and 60.23 Hz when the load demand returns to nominal values (t = 4.5sec). The final scenario is shown in Fig. 17d, where we implement an attack that suddenly increases the load demand by 50% at buses 29, 16, and 23. In this scenario, we observe how every generator in the system is heavily affected by the attack. The frequency measured at multiple generators reaches minimum and maximum values of 59.85 Hz and 60.23 Hz at the respective trigger and termination events of the attack. The most affected generators in this case study are generators 9 and 6.

FIGURE 17. Frequency variation impact on the power grid: (a) with 20% demand increase at bus 29, (b) with 20% demand increase at buses 29 and 16, (c) with 50% load increase at buses 29 and 16, and (d) with 50% load increase at buses 29, 16, and 23.

In the aforementioned scenarios, the attacker is assumed to be able to alter the power consumption profiles of IoT-connected controllable loads, and therefore cause a sudden load demand increase. The presented results demonstrate the feasibility and impact of load-changing attacks. The frequency fluctuations from such adverse events can exceed the nominal EPS frequency limits [179], [180], thus causing potential load-shedding incidents or equipment failures [181]. As demonstrated in Fig. 18, EPS have built-in control and protection mechanisms to maintain the power system frequency within its nominal range. For example, the AGC mechanisms can correct minute frequency deviations from the nominal value. However, if the EPS frequency deviates more than 0.036 Hz from the predefined grid frequency (i.e., 60 Hz), the generator governor systems are employed to account for such frequency discrepancies and stabilize the system. On the other hand, during more severe incidents, such as overfrequency (at or above 62.2 Hz) or underfrequency (at or below 57.8 Hz) events, switching equipment and relays will automatically trip to protect generators from such instantaneous and potentially catastrophic frequency fluctuations [182]. Furthermore, during underfrequency incidents, load shedding is typically employed to bring the system frequency within acceptable operational limits (between 58.4 Hz and 59.5 Hz) [179]. An ancillary mechanism such as the generator governors and AGC can then be utilized to bring the system back to its nominal frequency state. On the other hand, during severe events where the frequency keeps decreasing even further, the generators’ CBs are tripped to protect the equipment from permanent damage.

FIGURE 18. Power system corrective mechanisms to maintain stability under different frequency deviations.

Risk Assessment: Similar to case study 1, load-changing attacks require access to multiple devices to properly coordinate a successful attack. Thus, the Threat Probability for this type of attack is set to Medium (2). Following the same objective priorities depicted in Table 8, we set the
“People health and personnel safety” and “Equipment damage and legal punishment” attack impacts to Low (1). On the other hand, since protection mechanisms could be triggered in the event of a load-changing attack causing potential brownouts, in order to avoid cascading system effects [183], the “Uninterrupted operation and service provision” as well as the “Organization financial profit” impacts are set to Medium (2). Consequently, the Risk of the presented load-changing demand attacks is estimated to be $2 \times \sum (4 + 2 + 6 + 2) = 28$.

C. CASE STUDY 3: TIME-DELAY ATTACKS

Background & Formulation: Time-delay attacks (TDA) are a type of DAA where attackers aim to destabilize the operation of a compromised control system by delaying measurements and/or control commands of sensors and actuators. This type of attack does not require a massive amount of attacker resources. For example, it can be implemented via network congestion, caused by flooding the network with a huge amount of data, thus disrupting the nominal operation of the attacked system.

TDAs are formulated mathematically as follows. Consider the CPS system described by Eqs. (3)–(5). If $T_{attack}$ is defined as the period of time during which the TDA is performed, then the TDA can be structured as:

$$f_D\big(s_r(k)\big) = \begin{cases} s_r(k-d), & \text{if } k \in T_{attack} \\ s_r(k), & \text{otherwise} \end{cases} \quad (16)$$

where $s_r$ represents the compromised signal (which can be either $u$, i.e., the control variable, or $y$, i.e., the measurements, in the CPS), $f_D$ represents a time-delay function, and $d$ represents either a discrete constant delay value or a time-varying delay function.

TDAs are considered a major threat to CPES due to their potential capability of disturbing the stability of islanded MGs, or even the overall power grid, by simply delaying measurements or control commands transmitted to and received from sensing and control devices (e.g., smart meters, PMUs, etc.). Due to the importance of TDAs, existing literature aims to understand the complications such attacks could cause to CPES operations [32], [184], [185]. For instance, in [185], the authors present an analysis of different TDA concepts (e.g., TDA margins, boundaries, surfaces, etc.) regarding effective conditions for TDA disruptions against grid stability.

Threat Model: In the TDA case study, we assume an oblivious adversary having essentially no knowledge of the system topology; such detailed information is not necessary to perform TDA events [186], [187]. Additionally, since this type of attack is performed by introducing substantial delays, mainly at the network level, possession of the targeted device is not required. Since the objective of TDAs is to destabilize power grids by obstructing controls that are crucial for the operation of the system’s assets, a TDA can be seen as a targeted attack. Depending on the size and complexity of the compromised CPES, the adversaries might require either a modest or an extensive array of skills and resources. Thus, adversaries’ resources for performing TDAs can be classified as either Class I or Class II attackers.

In order for TDAs to compromise CPES and severely impact their operation, TDAs should be performed iteratively and multiple times. In addition, Level 2 assets are commonly the ones targeted by TDAs. As mentioned before, TDAs typically occur in the cyber domain, i.e., communications and protocols, and target asset availability by tampering with control commands issued by control server devices. Consequently, wireless compromise, MitM, spoofing, and DoS attacks are the most prominent techniques adopted by adversaries to cause anomalous incidents and cascading failures based on TDAs.

Attack Setup & Evaluation: In this case study, we develop and simulate a TDA scenario in order to demonstrate its effect on an MG CPES. Specifically, in our study, an MG disconnects from the main grid by an intentional islanding command relayed from the MG controller at time t = 10sec. Due to the insufficient generation capacity in the system, the MG controller sends a load shedding command to a breaker that controls a controllable load. At this point, the adversary performs a TDA that delays this load shedding command sent from the MG controller to one of the controllable loads, thus causing major disturbances at the physical-system layer of the CPES. The TDA occurs at the cyber-system layer of the CPES, so for this particular case study, models for both the cyber-system layer and the physical-system layer are required to perform a real-time co-simulation of the respective layers.

The physical-system layer is modeled using an EMT-simulation approach with support from real-time simulation. At this layer, the MG is modeled as a test system composed of a conventional generator operated using a frequency control mechanism rated at 1 MW, a Li-ion BESS rated at 100 kW/100 kWh, two controllable loads rated at 300 kW (load #1) and 700 kW (load #2), and a critical (non-sheddable) load rated at 200 kW. The main software resource used to conduct the EMT real-time simulations of the physical-system layer for this case study is eMegaSim (from Opal-RT). The cyber-system layer is modeled using a communication network emulation platform that supports co-simulation capabilities. Specifically, the software resource used to model the communication network that represents the cyber-system layer is EXataCPS.

Every MG component from the physical layer is mapped to a virtual communication node inside the network emulation platform. The backbone of the communication network is represented by a network router. The network router is responsible for relaying control commands from the MG controller to the MG components, i.e., BESS, loads, and generator, and measurements from those components back to the MG controller. The communication protocol used is IEEE Std 1815, commonly known as DNP3. IEDs in the network are modeled as DNP3 outstations and communicate with the MG controller, which is modeled as a DNP3 master. The DNP3 master
and outstation devices exchange data and control commands including power generation, load consumption, breaker status, etc. The connections between the communication network nodes are modeled as wired 802.3 Ethernet connections with 100 Mbps bandwidth. Fig. 19 shows a conceptual illustration of the real-time co-simulation scenario designed to perform the described case study. The metrics used to evaluate the performance and behavior of the MG operation, based on the proposed CPS framework, are the physical-system layer performance metrics related to frequency stability, and the cyber-system layer performance metrics related to the average end-to-end delay and the total number of packets delayed by the TDA.
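The block below is an added example (not the authors’ co-simulation code): it applies the Eq. (16) delay function to a load-shedding command sequence and computes the two cyber-layer metrics of this case study, average end-to-end delay and number of packets delayed, over constructed DNP3-style master/outstation send and receive timestamps. The 0.0144sec baseline is the page’s measured normal-operation maximum; the packet period, base network delay and attack windows are assumptions.

```python
"""Added example, not the paper's code: the Eq. (16) time-delay function applied
to a load-shedding command sequence, and the two cyber-layer metrics of this
case study (average end-to-end delay, number of packets delayed) computed over
constructed DNP3-style master/outstation packets. BASELINE_MAX_DELAY is the
page's measured normal-operation maximum; packet period and delays are assumed."""

BASELINE_MAX_DELAY = 0.0144   # [s] maximum average end-to-end delay, normal operation


def time_delay_fn(signal, t_attack, d):
    """Eq. (16): f_D(s_r(k)) = s_r(k - d) for k in T_attack, else s_r(k).

    signal   : list of samples s_r(k), k = 0 .. len(signal) - 1
    t_attack : collection of attacked step indices (set or range)
    d        : constant delay in steps, or a callable k -> delay in steps"""
    delayed = []
    for k, sample in enumerate(signal):
        if k in t_attack:
            dk = d(k) if callable(d) else d
            delayed.append(signal[max(k - dk, 0)])  # hold the first sample before k = 0
        else:
            delayed.append(sample)
    return delayed


def first_step_index(signal, level=1):
    """Step k at which a command signal first reaches `level` (None if never)."""
    for k, sample in enumerate(signal):
        if sample == level:
            return k
    return None


def constructed_exchange(n_packets=300, period_ms=100, tda_start_ms=10_000,
                         tda_window_ms=500, tda_delay_ms=500, base_delay_ms=10.0):
    """Constructed master -> outstation packets as (send_s, recv_s) pairs.

    One packet per period over a 30 sec co-simulation; packets sent inside the
    TDA window are held back by tda_delay_ms on top of the base network delay."""
    packets = []
    for i in range(n_packets):
        send_ms = i * period_ms
        delay_ms = base_delay_ms
        if tda_start_ms <= send_ms < tda_start_ms + tda_window_ms:
            delay_ms += tda_delay_ms
        packets.append((send_ms / 1000.0, (send_ms + delay_ms) / 1000.0))
    return packets


def delay_metrics(packets, threshold_s=BASELINE_MAX_DELAY):
    """Average end-to-end delay [s], packets above the baseline, total packets."""
    delays = [recv - send for send, recv in packets]
    n_delayed = sum(1 for x in delays if x > threshold_s)
    return sum(delays) / len(delays), n_delayed, len(delays)


if __name__ == "__main__":
    # shed command issued at k = 100 (t = 10 sec with 0.1 sec steps), 0.5 sec TDA
    shed_cmd = [0] * 100 + [1] * 200
    delayed_cmd = time_delay_fn(shed_cmd, range(100, 300), d=5)
    print("shed step arrives at k =", first_step_index(delayed_cmd))
    for window_ms in (500, 5000):
        packets = constructed_exchange(tda_window_ms=window_ms, tda_delay_ms=window_ms)
        avg, n_delayed, total = delay_metrics(packets)
        print(f"{window_ms / 1000} sec TDA: avg delay {avg:.4f} s, "
              f"{n_delayed}/{total} packets delayed")
```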

FIGURE 19. Conceptual illustration of the real-time co-simulation MG system testbed used in the TDA case study.

FIGURE 20. Normal operation vs. 0.5sec time-delay attack (TDA) scenario: (a) EPS frequency response during a 0.5sec time-delay attack (TDA) on the islanding command, and (b) generator power fluctuation during the 0.5sec time-delay attack (TDA).

Based on the described setup, the impact of a malicious TDA in an islanded MG system is evaluated. An attacker compromises the communication link between the MG controller and the IED controlling the disconnection of the breaker at the controllable (sheddable) load #1 (300 kW). Three different attack test cases are evaluated by varying the time-delay duration of the TDA. These delays are approximately 0.5sec, 5sec, and 15sec. In the communication network, the attacks are modeled by modifying the exchanged packets while introducing a timing delay between the DNP3 master and the corresponding outstation.

The first attack scenario shows a 0.5sec TDA that blocks the load shedding command performed by the MG controller. Fig. 20a showcases the impact of the 0.5sec TDA when compared to the normal operation of the MG system. In the graph, we observe how at t = 10sec the breaker at the point of common coupling (PCC) is disconnected, i.e., the breaker command goes from 1 to 0, in order to perform intentional islanding of the MG. Then, due to the insufficient generation capacity, the MG controller sheds controllable load #1 (the shed command goes from 0 to 1). In the normal operation case, the shedding procedure is performed as soon as the MG islands, while in the TDA scenario the shedding procedure is delayed by the duration of the time-delay attack. Notably, the maximum and minimum values of the MG frequency during the normal operation scenario are 60.02 Hz and 59.71 Hz, respectively. On the other hand, the maximum and minimum values of the MG frequency during the 0.5sec TDA scenario are 60.42 Hz and 59.32 Hz, indicating (see Fig. 18) that system operators would have to employ emergency corrective measures to maintain system stability. Fig. 20b depicts the output power of the generator set and the ESS during both scenarios.

Similarly, the second test scenario demonstrates a 5sec TDA that blocks the load shedding command performed by the MG controller. Fig. 21a presents the impact of the 5sec TDA when compared to the normal operation of the MG system. As seen, the impact on the operating frequency of the MG is greater than in the first test scenario due to the sustained timing attack. The 5sec TDA causes a maximum and minimum MG frequency of 60.52 Hz and 55.75 Hz, respectively. Given the substantial under-frequency incident,
i.e., 55.75 Hz, load curtailment along with generator tripping would have to be enforced to protect the EPS equipment and avoid the incident propagating into a generalized grid collapse (Fig. 18). As a result, this attack case demonstrates the potential of TDAs to greatly disrupt the operation of the system, causing major equipment damage.

FIGURE 21. Normal operation vs. 5sec time-delay attack (TDA) scenario: (a) EPS frequency response during a 5sec time-delay attack (TDA) on the islanding command, and (b) generator power fluctuation during the 5sec time-delay attack (TDA).

FIGURE 22. Normal operation vs. 15sec time-delay attack (TDA) scenario: (a) EPS frequency response during a 15sec time-delay attack (TDA) on the islanding command, and (b) generator power fluctuation during the 15sec time-delay attack (TDA).

In the third test scenario, we perform a 15sec TDA that blocks the load shedding command performed by the MG controller. This case is analogous to a DoS attack, due to the long period of the TDA, which can greatly disrupt the operation of the MG’s load shedding mechanism. As seen in Fig. 22a, this scenario demonstrates the worst case of a TDA on the CPES. The MG frequency decreases rapidly until it hits a minimum value of 15.31 Hz. Additionally, as depicted in Fig. 22b, the frequency-mode generator set is not capable of maintaining the stability of the system for such a prolonged period, causing large oscillations in its power output. Notably, in realistic systems frequency violations should be averted before reaching such extreme values (e.g., 15.31 Hz). However, by leveraging the CPES framework we can perform worst-case scenario analyses, evaluate the system behavior under coordinated attacks (e.g., if an attacker disables automated grid safety mechanisms), and identify critical system components and contingencies without endangering the EPS operation.

In order to explore the behavior of the CPES at the cyber-system layer, we analyze two metrics that provide important information regarding the response of the communication devices to the TDA. These two metrics are the average end-to-end delay in the communication network, and the number of packets delayed by the TDA. Fig. 23 shows the average end-to-end delay of all the network devices communicating using DNP3 at the cyber-system layer. Fig. 24 presents the total number of packets delayed due to the TDA that compromises the correct operation of the CPES, for two of the TDA scenarios (0.5sec and 5sec TDA). As seen in Fig. 23, the average end-to-end delay of the communication network, operating under normal conditions, has a maximum value of 0.0144sec. This value is related to the master DNP3 device located at the PCC that
is communicating with all the DNP3 outstations. This is the average time that the MG controller takes to communicate the load shedding signal to the respective sheddable load under normal operating conditions. In contrast, the TDA compromises the system’s operation by delaying the load shedding signal according to the scenarios presented previously. In order to get more details regarding the attack study, the total number of packets delayed by the TDA is measured and plotted in Fig. 24. Here, we observe a side-by-side comparison of the number of packets delayed in two of the presented test scenarios, i.e., the 0.5sec and 5sec delay scenarios, and the total number of packets sent by the master and outstation devices in the 30sec real-time co-simulation. Fig. 25 shows the mapping of the presented case study to the CPS framework.

FIGURE 23. Average end-to-end delay of all nodes in the communication network (cyber layer).

FIGURE 24. Number of packets delayed by time-delay attack (TDA) at delay = 0.5sec and delay = 5sec vs. total number of packets in 30sec.

FIGURE 25. Mapping of TDA case study with CPS framework.

Risk Assessment: In this type of attack, an adversary does not require significant resources or capabilities to compromise the CPES, as long as the system has not been fortified with state-of-the-art defense mechanisms. This “low-bar” resource requirement increases the probability of successfully performing such an attack on a vulnerable CPES. As a result, the Threat Probability for the TDA case study is set to High (3). The impacts on “People health and personnel safety” as well as “Organization financial profit” are set to Low (1). However, TDAs can potentially cause severe impacts on grid operation. For this reason, “Uninterrupted operation and service provision” is set to Medium (2), and the “Equipment damage and legal punishment” objective priority is set to High (3). The resulting Risk for the TDA is estimated to be $3 \times \sum (4 + 1 + 6 + 6) = 51$.

D. CASE STUDY 4: PROPAGATING ATTACKS IN INTEGRATED TRANSMISSION AND DISTRIBUTION (T&D) CPES

Background & Formulation: As mentioned in Section IV, T&D integrated models for real-time simulation within CPES co-simulation testbeds can provide comprehensive and accurate simulation results able to capture the dynamic behavior of CPES. Specifically, integrated T&D model co-simulations can be used to holistically evaluate the impact of disruptions (e.g., malicious attacks, faults, etc.) in EPS, and exhibit how maloperations on the transmission system extend to the distribution system and vice versa. Thus, in this case study, we present DIA-type attacks as propagating processes, similar to computer viruses, evaluated in real-time integrated T&D simulation models.

EMT and TS power system simulations often model only the transmission or the distribution system of power grids. This is mostly due to the high computational power required to have a real-time simulation model of an entire EPS [145]. Aggregated distribution system sections are typically replaced by static or dynamic loads when simulating transmission system models [172]. Correspondingly, the transmission system’s behavior is often abstracted using ideal voltage sources in distribution system modeling [188]. In addition, T&D models are usually simplified to a single-phase representation [189], [190]. Such modeling approaches lose key information related to the behavior of highly unbalanced distribution systems. In reality, T&D systems are highly coupled [191], and in order to perform comprehensive and accurate security assessment and impact analysis studies in CPES, both T&D domains need to be accurately modeled and simulated in a coordinated fashion. This coordination involves a clock-synchronized loop in which, even if the two models are executed on different cores of a machine, they communicate in parallel to match boundary conditions (i.e., voltages, power values, etc.) at every simulation step, as seen in Fig. 26.

There are different techniques that can be used to develop real-time integrated T&D models. Different platforms provide different solutions and methods that allow
the parallel execution of different systems in real-time EMT environments. In general, the overall T&D system is separated into different groups (assigned to different cores of the machine) that are solved individually using a state-space approach. State-space equations and matrices are used to describe the system group dynamics, while the interaction between the groups is solved using a nodal admittance method [192]. In the state-space approach the physical system is modeled as:

$$s' = A_q s + D_q v \quad (17)$$

$$o = E_q s + F_q v \quad (18)$$

where $s$ is the state vector, $v$ is the input vector, $o$ is the output vector, and $A$, $D$, $E$, and $F$ are the state-space matrices. The term $q$ represents the size of the matrices.

FIGURE 26. Transmission and distribution (T&D) integrated simulation system setup.

In a typical EMT state-space implementation, such as the one available in Matlab Simscape Power Systems, every time a switch changes status (on/off), the entire state-space solution is re-computed. Using such an approach for real-time simulation (simulation time-step of approximately 50 µs or less) of large interconnected T&D systems could be infeasible due to the required computational resources. With every single status change within the system model, the state-space outputs of the entire system would need to be re-computed. To address this computational issue, platforms such as Opal-RT, and its Advanced Real-Time Electro-Magnetic Solvers (ARTEMiS) package, use state-space nodal methods [193]. ARTEMiS implementations discretize, pre-compute, and store in cache memory the state-space matrices for all the combinations of switch topologies that can occur. Then, using a nodal method, the common voltages, admittances, and currents of the system (i.e., shared values between groups) are solved as:

$$V Y = I \quad (19)$$

where $V$, $I$, and $Y$ are the respective common voltage, current, and admittance matrices at the boundaries of the groups. In essence, the use of this approach improves the

adversary and the type of the attack, the threat model may be adjusted to the specific details. For our use case, we assume an adversary with strong knowledge of the system’s topology and its components. Additionally, in our setup, the adversary aims to destabilize the integrated T&D system by maliciously controlling switching devices, i.e., the CBs; thus possession of the device is assumed. In the worst-case scenario analysis, the attackers could lead the CPES towards full system collapse, designating a targeted attack by Class II adversaries with abundant resources (e.g., nation-state funded groups).

In terms of the attack model formulation, the attack frequency is non-iterative, since compromising a critical system asset (crown jewel) could impact the overall system. The reproduction of such types of attacks can be seen as impractical due to their high system impact. Thus, we model them as one-time attacks. The attack level is presumed to be Level 2 since critical system components need to be compromised. Such assets for our case include engineering workstations, since the attacker targets, in a DIA-type event, the control and coordination between the T&D systems. The attack technique is correspondingly an engineering workstation compromise. Directly issuing malicious commands from an engineering workstation can also be a possible attack path, assuming a malicious insider scenario. However, in our case study, we assume a sophisticated and stealthy attack implemented in the cyber domain targeting the data integrity of the control commands issued from the engineering workstations (DIA). For instance, disruptions on the T&D can occur by falsifying the in-transit data exchanged between engineering workstations and CB control devices, triggering unexpected CB tripping and system sectionalization.

Attack Setup: In this case study, an integrated real-time EMT T&D system is modeled in order to investigate different interactions of propagating attacks and disturbances between a transmission and an unbalanced distribution system. Specifically, we integrate a transmission system, modeled as the IEEE-9 bus system, with a distribution system, modeled as the IEEE-13 bus test system. In order to match the power generation and load consumption between the power grid benchmarks, we scale some of the systems’ parameters. For example, the active power and reactive power of the generators and the loads in the transmission system are reduced by an order of magnitude, while all the loads in the distribution system are increased by an order of magnitude. Additionally, as shown in Fig. 27, the load at bus 5 of the IEEE-9 bus transmission model is ‘replaced’ by the IEEE-13 bus distribution system. Generator 1 (G1) is used as the slack bus. The EMT modeling and real-time simulation of this case study’s physical-system layer are performed using eMegaSim
accuracy and computational execution time of the entire of Opal-RT.
system’s solutions. As a result, this is a feasible way for In order to evaluate the bi-directional impact of propaga-
simulating a real-time integrated T&D system and evaluating tion attacks in integrated T&D models of CPES, we develop
the propagation impact of adverse disruptions, e.g., faults, two attack scenarios in this case study. The first scenario
attacks, etc. assumes that the adversary has the capability of altering the
Threat Model: Integrated T&D models can be seen as com- EPS topology. This can be achieved by decoupling the T&D
plex structures. Depending on the T&D aspect targeted by an system at the PCC via a DIA attack on the EPS switch

VOLUME 9, 2021 29809


I. Zografopoulos et al.: Cyber-Physical Energy Systems Security

FIGURE 27. The integrated T&D real-time simulation model: it includes


the IEEE-9 bus system (transmission model) and IEEE-13 bus system
(distribution model).

devices (i.e., the distribution feeder CBs). The second sce-


nario demonstrates the impact on the distribution system
when transmission system components are compromised.
Following our CPS framework, the metrics used to evaluate
the performance and behavior of the T&D system under the
propagation attack scenarios, are the physical-system layer
performance metrics related to frequency stability and voltage
stability.
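To make the state-space nodal idea from the EMT discussion above concrete (discretize once per switch topology, cache, then step), the following added example, which is not code from the paper, from Opal-RT or from ARTEMiS, simulates a single series RLC branch behind a switch. It derives $s' = A s + D v$ for each switch combination, discretizes with backward Euler at a 50 µs step, stores the discrete matrices in a dictionary keyed by the switch states, and then runs a trip/reclose schedule with nothing but lookups per step. The circuit values, the switch-as-resistance model, the source voltage and the schedule are constructed for illustration and are not the paper's T&D model.

```python
import itertools

# Constructed illustrative parameters (not the paper's T&D model): a series
# branch  V_src -> switch(es) -> R -> L -> C, with state s = [i_L, v_C].
R, L, C = 2.0, 1e-3, 1e-4        # ohm, henry, farad
R_ON, R_OFF = 1.0, 1e6           # a switch is modeled as a small/large series resistance
H = 50e-6                        # 50 us time-step, the real-time budget named in the text


def continuous_matrices(switch_states):
    """Return (A, D) of s' = A s + D v for one switch topology (the form of eq. 17)."""
    r_total = R + sum(R_ON if closed else R_OFF for closed in switch_states)
    A = [[-r_total / L, -1.0 / L],   # di_L/dt = (v - r_total*i_L - v_C) / L
         [1.0 / C, 0.0]]             # dv_C/dt = i_L / C
    D = [1.0 / L, 0.0]
    return A, D


def inv2(m):
    """Inverse of a 2x2 matrix given as nested lists."""
    (a, b), (c, d) = m
    det = a * d - b * c
    return [[d / det, -b / det], [-c / det, a / det]]


def discretize(A, D, h):
    """Backward Euler: s[k+1] = (I - hA)^-1 (s[k] + h D v[k+1]).
    The implicit scheme stays stable for the very stiff 'switch open' topology."""
    m = [[1.0 - h * A[0][0], -h * A[0][1]],
         [-h * A[1][0], 1.0 - h * A[1][1]]]
    Ad = inv2(m)
    Bd = [h * (Ad[0][0] * D[0] + Ad[0][1] * D[1]),
          h * (Ad[1][0] * D[0] + Ad[1][1] * D[1])]
    return Ad, Bd


def build_cache(n_switches, h=H):
    """Pre-compute the discrete matrices for all 2^n switch topologies, once."""
    return {states: discretize(*continuous_matrices(states), h)
            for states in itertools.product((False, True), repeat=n_switches)}


def step(cache, states, s, v):
    """One time-step: a dictionary lookup plus a 2x2 multiply, no re-derivation."""
    Ad, Bd = cache[states]
    return [Ad[0][0] * s[0] + Ad[0][1] * s[1] + Bd[0] * v,
            Ad[1][0] * s[0] + Ad[1][1] * s[1] + Bd[1] * v]


def simulate(schedule, v_src, t_end, n_switches=1, h=H):
    """Run the branch under a time-ordered switch schedule [(time, states), ...].
    Returns a trace of (t, states, i_L, v_C) samples, one per time-step."""
    cache = build_cache(n_switches, h)
    s, states, t, trace, ev = [0.0, 0.0], (False,) * n_switches, 0.0, [], 0
    while t < t_end:
        while ev < len(schedule) and schedule[ev][0] <= t:
            states = schedule[ev][1]     # topology change: only the cache key changes
            ev += 1
        s = step(cache, states, s, v_src)
        t += h
        trace.append((t, states, s[0], s[1]))
    return trace


if __name__ == "__main__":
    # Close the switch at t=0 and trip it open at 10 ms; sample every 4 ms.
    for t, st, i_l, v_c in simulate([(0.0, (True,)), (0.01, (False,))], 100.0, 0.02)[::80]:
        print(f"t={t*1e3:6.2f} ms closed={st[0]!s:5} i_L={i_l:8.4f} A  v_C={v_c:8.3f} V")
```

With the switch closed the capacitor settles to the source voltage and the inductor current to zero; tripping the switch freezes the capacitor voltage because the open-switch topology only leaks through R_OFF. The cache grows as $2^n$ in the number of switches, which is exactly the memory-for-time trade that the text attributes to ARTEMiS; backward Euler is used because the open topology has a pole near $-R_{\text{OFF}}/L$, which an explicit scheme at 50 µs could not step stably.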
In the first propagation attack scenario, we assume that the adversary can disturb the EPS frequency by tripping the CBs at the PCC between the T&D systems, impacting grid operation and potentially damaging field equipment (e.g., transformers, commercial and residential loads, etc.). Different attack paths can be pursued to compromise and decouple T&D systems. For instance, T&D decoupling can be achieved by i) intruding via the communication infrastructure and remotely manipulating the control tags issued by engineering workstations located at the system operation management facilities, ii) implementing DoS attacks on the targeted PLCs, disabling the CBs, iii) compromising the controller logic of IED-enabled switching equipment, or iv) penetrating the utility SCADA network and maliciously manipulating control settings (e.g., over/under-voltage or current limits) [194].

The results presented in Fig. 28a are measured at the generator buses, i.e., buses 1, 2, and 3 of Fig. 27. The frequency at the transmission side of the network rapidly increases when the CB is tripped at t = 1.5 s, and returns to its nominal value at around t = 1.8 s. The peak frequency value is around 60.23 Hz. Fig. 28b shows the frequency response of the system when the attacker opens the CB between the T&D systems at t = 1.5 s and then closes it after 15 cycles (approximately 0.25 s later), which would avoid triggering any protection countermeasures during this intermittent frequency transient [171]. We observe how such attacks could stealthily destabilize the EPS just by tampering with the CB controls between different zones of the power grid. Here, two main fluctuations are observed following the CB tripping behavior: one between t = 1.5 s and t = 1.75 s when the CB is tripped open, and one between t = 1.75 s and t = 2 s when the CB is closed. The last scenario assumes an attacker aiming to damage system components by asynchronously changing the status of the CB multiple times. Fig. 28c demonstrates the frequency fluctuations on the generator buses when the CB between the T&D systems is opened at t = 1.5 s, closed at t = 1.75 s, and then opened again at t = 2 s. Notably, if safety mechanisms are not promptly enforced, the frequency instabilities occurring between t = 1.5 s and t = 2.4 s could affect frequency-sensitive grid components (i.e., consumer, commercial, and industrial loads) and impact grid equipment and control functions (e.g., generators, transformers, automated voltage control, etc.).

FIGURE 28. Frequency response when the CB at bus 5 of the IEEE 9-bus system is: (a) opened at t = 1.5 s, (b) opened at t = 1.5 s and then closed at t = 1.75 s, and (c) opened at t = 1.5 s, closed at t = 1.75 s, and opened again at t = 2 s.

In the second scenario, it is assumed that an adversary has the capability of compromising components at the transmission side of the power grid. For example, such types of attacks have been experimentally evaluated and indicate that if they last around three minutes, they can cause permanent damage to generators [122]. In this use case, our aim is to evaluate how an attack on the transmission level can propagate to the distribution level and manifest as a voltage variation. Contingency analysis is employed in the integrated simulation environment to study the effects of transmission-side adverse events on the distribution system. In more detail, contingency analysis is a simulation-based system analysis tool used to assess the impact of various combinations of component failures occurring in transmission systems. The North American Electric Reliability Corporation (NERC) enforces an N-1 criterion for the U.S. power grid, which means that EPS transmission systems need to maintain nominal operation even if one component fails [195]. Such components include generators, transmission lines, transformers, etc. Depending on the security level of the EPS, a stricter N-k criterion may be required, where k ≥ 2 represents two or more contingency events. For example, a nuclear plant may be required to satisfy an N-2 criterion, allowing the grid to withstand the simultaneous failure of two components.
For the purpose of our study, we assume that the attacker is able to compromise one or more components of the transmission system, causing under-voltage events at the distribution side. When component failures occur, the system aims to maintain stability. However, the intermittent transmission system instability, along with the potential inability to support power demand, results in voltage deviations which are also propagated to the distribution level. Four main sub-cases are designed in this second scenario to illustrate the corresponding voltage impact at bus 632 of the distribution system. The first two sub-cases consider an attacker that compromises one generator (G2 or G3) at a time (N-1), while the remaining sub-cases consider an attack on two generators (G2 and G3) consecutively (N-1-1) or simultaneously (N-2). In all sub-cases, we evaluate the voltage variation (depicted in per unit, p.u.) measured at bus 632.

As seen in Fig. 29a and Fig. 29b, the voltage measured at bus 632 of the distribution system drops from 1 p.u. to 0.5 p.u. at t = 1.5 s, i.e., when one of the generators (G2 or G3) is disconnected from the transmission system (N-1). Fig. 30a demonstrates the voltage variations of the N-1-1 contingency event in which G2 and G3 are disconnected at t = 1.5 s and t = 1.6 s, respectively. In this case, the bus voltage initially drops from 1 p.u. to 0.5 p.u. (G2 disconnection), and then to 0.2 p.u. when G3 is also disconnected. In the N-2 case, presented in Fig. 30b, the simultaneous disconnection of G2 and G3 from the system lowers the voltage significantly at t = 1.5 s. The voltage measured at bus 632 of the distribution system decreases to under 0.2 p.u. within 0.05 s. Fig. 31 illustrates the mapping of the propagating attack case study in T&D systems onto the CPS framework.

FIGURE 29. Voltage response at bus 632 (distribution system) during N-1 transmission system contingencies when: (a) generator G2 is disconnected at t = 1.5 s, and (b) generator G3 is disconnected at t = 1.5 s.

FIGURE 30. Voltage response at bus 632 (distribution system) during transmission system contingency scenarios: (a) N-1-1 contingency where generator G2 is disconnected at t = 1.5 s and G3 at t = 1.6 s consecutively, and (b) N-2 contingency where generators G2 and G3 are disconnected at t = 1.5 s simultaneously.

Risk Assessment: Compromising T&D systems requires determined adversaries possessing both strong knowledge of the system architecture and ample resources, since these enhance the probability of materializing successful attacks. Thus, we set the Threat Probability to High (3) [196]–[199]. Attackers could perform stealthy and disastrous attacks by leveraging knowledge of the system topology, asset placement information, power demand profiles, etc. As a result, by targeting mission-critical system components
during peak utilization periods (e.g., peak power demand time of the day), adversaries could maximize the corresponding attack impact [84]. A power system collapse (e.g., blackout), which could be the impact of the successful propagation of T&D attacks, can significantly affect "People health and personnel safety", "Uninterrupted operation and service provision", and "Equipment damage and legal punishment". Based on these assumptions, the ResultingDamage is set to High (3), while the "Organization financial profit" is set to Low (1). The aggregated risk score $\sum \text{Risk}$ for this type of attack is estimated as $3 \times (12 + 9 + 6 + 1) = 84$.

FIGURE 31. Mapping of the T&D case study onto the CPS framework.

E. POST-RISK ASSESSMENT DISCUSSION
The next step after the risk score calculation is risk prioritization. Risk identification, assessment, and prioritization serve as preliminary steps and are critical for decision making and the formulation of mitigation plans. Specifically, in this work, we have considered four diverse attack use cases aimed at CPES, targeting different cyber or physical subsystems or components. In more detail, we discuss cross-layer firmware attacks with a calculated risk score of 22, load-changing attacks with a risk score of 28, TDAs with a risk score of 51, and finally propagating attacks targeting integrated T&D CPES with a risk score of 84. These risk scores provide a useful way to perform one-to-one comparisons between attacks even if their specifics are unknown.

Attacks with higher risk scores (e.g., the T&D propagation attacks) will induce a higher impact on the system when compared to attacks such as the cross-layer firmware attack, which has a less pronounced risk score. In Section III-C, we explain how each case's risk score depends on the corresponding attack characteristics (e.g., threat probability, objective priorities, and potential impact on the CPES operation). As a result, attacks similar to the one targeting the integrated T&D system aim to affect almost every CPES operational objective. Furthermore, they are attractive from an adversarial perspective due to the maximization of the inflicted system disruption. Hence, such attacks obtain high risk scores. The same cannot be argued for attacks that can be sustained even post-compromise, targeting less critical CPES equipment.

The risk score-based ranking helps to categorize the attacks (and their corresponding risks) into pools [93]. For example, assuming that we have four pools, the most devastating attacks (i.e., with scores greater than a system-defined threshold) would be placed into pool 1, while less critical attacks, with smaller risk scores, would be allocated to pools 2 to 4 in descending risk score order. For each of the pools, predefined strategies are designed to mediate potential attacks. Typically, attacks belonging to pool 1 should be mitigated at all costs since they can compromise the whole system (in our case the CPES). However, the mitigation of attacks belonging to lower-ranked pools might either be i) deferred if they do not pose significant threats to system operation, ii) transferred to other parties instead of allocating system resources to resolve them, or iii) accepted if the cost of mitigating them outweighs the impact that could be inflicted on the system. Thus, the risk assessment not only provides better awareness of system risks and an efficient way to perform risk comparisons, but it can also automate the process of handling risks and administering corrective measures.

VI. CONCLUSION
In this work, we provide a comprehensive analysis of CPS security, with particular emphasis on CPES applications. The first step in this process encompasses an extensive threat modeling procedure, where adversary and attack models are constructed. The adversary and attack models provide an in-depth understanding of attackers' motives and capabilities, in addition to the attack's details, including potential entry points, attack techniques, and end goals. The next step in the analysis includes the presentation of a CPS framework, where the resources, metrics, and modeling techniques needed to effectively evaluate CPS, and more specifically CPES, are discussed in detail. This framework is designed with the objective of assisting researchers and stakeholders in identifying the models and resources required to perform high-fidelity and reliable CPS studies. Furthermore, we present a risk assessment methodology that leverages both the threat modeling and the CPS framework to characterize system risks.

In order to illustrate the suitability of the overall methodology and the description of the CPES security landscape, we investigate four attack case studies. For each scenario, we provide a fundamental background alongside its mathematical formulation and discuss the corresponding threat model and attack setup. The presented case studies are simulated under nominal and abnormal operating conditions to uncover their system-wide impacts. Risk assessment analysis is also performed as part of each case's security investigation. During the risk assessment stage, we calculate the relative risk scores indicating the severity of each compromise. The risk scores correspond to the discussed studies, the threat scenarios, and the targeted assets (e.g., microinverters, T&D system, time-delay, etc.). These scores can be utilized for the ranking and prioritization of possible disruptions, and the determination of proper risk mitigation strategies to address the implications of malicious attacks.

The holistic approach and studies presented in this paper provide guidelines for modeling CPS threats as well as designing, simulating, and evaluating detailed CPS models. The presented framework can promote rigorous security analysis of CPS. Our future work will extend this framework and advance its capabilities even further, allowing for:
• Secure and resilient CPES operation: In this work, we have stressed the importance of cyber-secure CPES, as well as that the integration of contemporary cyber features and new physical components can increase the attack surface. The emphasis, though, should not only be placed on detecting, limiting and mitigating attacks, but also on designing fault-tolerant and resilient CPES. Having identified potential vulnerabilities present in the CPES and leveraging our framework, we will define resiliency methodologies and metrics to assess CPES posture. In more detail, the resiliency methodologies will serve as CPES design best practices promoting the design of robust systems with built-in redundancy mechanisms for adverse scenarios. On the other hand, the resiliency metrics will be ported to our current framework and have a twofold objective: i) they will indicate how effectively the system can handle adverse circumstances, and ii) they will serve as criteria for the categorization of CPES based on their ability to withstand attacks.
• Autonomous CPES operation and simulation-aided risk assessments: CPES are becoming more sophisticated and support a plethora of automated processes (e.g., automated control mechanisms, PLCs, AGC, etc.). Such automated systems should be capable of making real-time decisions, especially for time-critical parts of CPES, and of coordinating the dynamic system behavior. It is expected that CPES will become more complex and densely interconnected as they integrate more features (remote access and control, assets, communication protocols, etc.). During their autonomous operation, the system might encounter unexpected states (e.g., unintended faults during natural disasters, or malicious attacks) that might require specific handling. Thus, determining and evaluating their security should be facilitated in a dynamic, albeit abstract, way. Following this approach helps ensure that every unexpected scenario is accounted for and that adverse situations are prevented in time. Digital twin system configurations can achieve these objectives and enable the design and real-time evaluation of risk mitigation strategies. As a result, a CPES testbed will be designed to support fully automated operation and incident-response structures, where attacks can be promptly detected and optimally mitigated, eliminating any adverse consequence on the actual system.
• Dynamic reconfiguration and self-healing capabilities: Securing CPES should be viewed from two directions. The first direction includes the security measures and practices which should be employed to protect system operations and avert attackers. On the other hand, the second direction features the policies and strategies which should be pursued post-compromise or during dire circumstances. The first direction has been extensively discussed in this paper; we aim to account for the second direction in our future framework extensions. Specifically, utilizing our framework and system resources, we will provide classes of crisis-handling plans promoting CPES self-healing capabilities. These classes will provide tailor-made strategies to overcome emergencies, depending on the current state of the CPES and the characteristics of the scenario under investigation. For example, during a transmission system contingency, the corresponding class would provide alternative ways to dispatch power, overcoming this issue and potential predicaments. These dynamic re-configurations and self-healing CPES capabilities will stimulate the design of future secure and resilient systems and prove invaluable tools for system operators.

REFERENCES
[1] NIST. Cyber-Physical Systems. Accessed: Jul. 12, 2020. [Online]. Available: https://www.nist.gov/el/cyber-physical-systems
[2] S. McLaughlin, C. Konstantinou, X. Wang, L. Davi, A.-R. Sadeghi, M. Maniatakos, and R. Karri, "The cybersecurity landscape in industrial control systems," Proc. IEEE, vol. 104, no. 5, pp. 1039–1057, May 2016.
[3] NIST. (2018). CVE-2018-0296 Detail. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-0296
[4] MITRE. (2018). CVE-2018-0296. [Online]. Available: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0296
[5] NERC Lesson Learned, Risks Posed by Firewall Firmware Vulnerabilities, North Amer. Electr. Rel. Corp., Atlanta, GA, USA, 2019.
[6] Gartner. (2017). Focus on the Biggest Security Threats, Not the Most Publicized. [Online]. Available: https://www.gartner.com/smarterwithgartner/focus-on-the-biggest-security-threats-not-the-most-publicized/
[7] J. Weeks. U.S. Electrical Grid Undergoes Massive Transition to Connect to Renewables. Accessed: Nov. 6, 2020. [Online]. Available: https://www.scientificamerican.com/article/what-is-the-smart-grid/
[8] D. Gritzalis, M. Theocharidou, and G. Stergiopoulos, Critical Infrastructure Security and Resilience. Springer, Jan. 2019.
[9] A. Keliris, C. Konstantinou, N. G. Tsoutsos, R. Baiad, and M. Maniatakos, "Enabling multi-layer cyber-security assessment of industrial control systems through hardware-in-the-loop testbeds," in Proc. 21st Asia South Pacific Design Autom. Conf. (ASP-DAC), Jan. 2016, pp. 511–518.
[10] C. Konstantinou, "Towards a secure and resilient all-renewable energy grid for smart cities," IEEE Consum. Electron. Mag., early access, Jan. 29, 2021, doi: 10.1109/MCE.2021.3055492.
[11] S. Muyeen and S. Rahman, Communication, Control and Security Challenges for the Smart Grid. Edison, NJ, USA: IET, 2017.
[12] J. Ospina, X. Liu, C. Konstantinou, and Y. Dvorkin, "On the feasibility of load-changing attacks in power systems during the COVID-19 pandemic," IEEE Access, vol. 9, pp. 2545–2563, 2021.
[13] A. Dabrowski, J. Ullrich, and E. R. Weippl, "Grid shock: Coordinated load-changing attacks on power grids: The non-smart power grid is vulnerable to cyber attacks as well," in Proc. 33rd Annu. Comput. Secur. Appl. Conf. New York, NY, USA: Association for Computing Machinery, Dec. 2017, pp. 303–314, doi: 10.1145/3134600.3134639.
[14] C. Konstantinou and M. Maniatakos. (2017). Security Analysis of Smart Grid. pp. 451–487. [Online]. Available: https://digital-library.theiet.org/content/books/10.1049/pbpo095e_ch15
[15] Idaho National Lab Grid Resilience Program. Accessed: Sep. 9, 2020. [Online]. Available: https://inl.gov/research-programs/grid-resilience/
[16] Idaho National Lab Resilience Optimization Center. Accessed: Sep. 9, 2020. [Online]. Available: https://factsheets.inl.gov/FactSheets/INLResilienceOptimizationCenter.pdf
[17] Idaho National Lab Infrastructure and Capabilities. Accessed: Sep. 9, 2020. [Online]. Available: https://factsheets.inl.gov/SitePages/AboutINLFactSheets-Internal.aspx
[18] Idaho National Lab Nuclear Programs. Accessed: Sep. 9, 2020. [Online]. Available: https://factsheets.inl.gov/FactSheets/NuclearPrograms.pdf
[19] Idaho National Lab Nuclear Laboratory. Accessed: Sep. 9, 2020. [Online]. Available: https://factsheets.inl.gov/FactSheets/NationalNuclearLaboratory_Overview.pdf
[20] Idaho National Lab Energy Systems Laboratory. Accessed: [42] M. O. O. Faruque and V. Dinavahi, ‘‘Hardware-in-the-Loop simulation
Sep. 9, 2020. [Online]. Available: https://factsheets.inl.gov/FactSheets/ of power electronic systems using adaptive discretization,’’ IEEE Trans.
EnergySystemsLaboratory.pdf Ind. Electron., vol. 57, no. 4, pp. 1146–1158, Apr. 2010.
[21] Idaho National Lab Energy, Environment Science and Technology. [43] S. Boschert and R. Rosen, Digital Twin—The Simulation Aspect.
Accessed: Sep. 9, 2020. [Online]. Available: https://factsheets.inl. Cham, Switzerland: Springer, 2016, pp. 59–74, doi: 10.1007/978-3-319-
gov/FactSheets/EESandT.pdf 32156-1_5.
[22] National Renewable Energy Laboratory (NREL). Accessed: Sep. 9, 2020. [44] M. Zhou, J. Yan, and D. Feng, ‘‘Digital twin framework and its application
[Online]. Available: https://www.nrel.gov/index.html to power grid online analysis,’’ CSEE J. Power Energy Syst., vol. 5, no. 3,
[23] National Renewable Energy Laboratory Flatirons Campus. Accessed: pp. 391–398, 2019.
Sep. 9, 2020. [Online]. Available: https://www.nrel.gov/flatirons-campus/ [45] T. Huang, F. R. Yu, C. Zhang, J. Liu, J. Zhang, and Y. Liu, ‘‘A survey on
[24] Increasing Power Expands Research Capabilities at NREL’s Flatirons large-scale software defined networking (SDN) testbeds: Approaches and
Campus. Accessed: Sep. 9, 2020. [Online]. Available: https://www.nrel. challenges,’’ IEEE Commun. Surveys Tuts., vol. 19, no. 2, pp. 891–917,
gov/news/program/2020/increasing-power-at-flatirons-campus.html 2nd Quart., 2017.
[46] J. Ospina, N. Gupta, A. Newaz, M. Harper, M. O. Faruque, E. G. Collins,
[25] B. Chen, K. L. Butler-Purry, A. Goulart, and D. Kundur, ‘‘Implementing a
R. Meeker, and G. Lofman, ‘‘Sampling-based model predictive control
real-time cyber-physical system test bed in RTDS and OPNET,’’ in Proc.
of PV-integrated energy storage system considering power generation
North Amer. Power Symp. (NAPS), Sep. 2014, pp. 1–6.
forecast and real-time price,’’ IEEE Power Energy Technol. Syst. J., vol. 6,
[26] C. Queiroz, A. Mahmood, and Z. Tari, ‘‘SCADASim—A framework for no. 4, pp. 195–207, Dec. 2019.
building SCADA simulations,’’ IEEE Trans. Smart Grid, vol. 2, no. 4, [47] A. Keliris, C. Konstantinou, M. Sazos, and M. Maniatakos, ‘‘Low-
pp. 589–597, Dec. 2011. budget energy sector cyberattacks via open source exploitation,’’ in Proc.
[27] N. Dorsch, F. Kurtz, H. Georg, C. Hagerling, and C. Wietfeld, ‘‘Software- IFIP/IEEE Int. Conf. Very Large Scale Integr. (VLSI-SoC), Oct. 2018,
defined networking for smart grid communications: Applications, chal- pp. 101–106.
lenges and advantages,’’ in Proc. IEEE Int. Conf. Smart Grid Commun. [48] Y. Xiang, L. Wang, and N. Liu, ‘‘Coordinated attacks on electric power
(SmartGridComm), Nov. 2014, pp. 422–427. systems in a cyber-physical environment,’’ Electr. Power Syst. Res.,
[28] H. Georg, S. C. Muller, N. Dorsch, C. Rehtanz, and C. Wietfeld, vol. 149, pp. 156–168, Aug. 2017.
‘‘INSPIRE: Integrated co-simulation of power and ICT systems for real- [49] J. Tian, B. Wang, T. Li, F. Shang, and K. Cao, ‘‘Coordinated cyber-
time evaluation,’’ in Proc. IEEE Int. Conf. Smart Grid Commun. (Smart- physical attacks considering DoS attacks in power systems,’’ Int. J. Robust
GridComm), Oct. 2013, pp. 576–581. Nonlinear Control, vol. 30, no. 11, pp. 4345–4358, Jul. 2020.
[29] M. J. Stanovich, I. Leonard, K. Sanjeev, M. Steurer, T. P. Roth, S. Jackson, [50] H. Tu, Y. Xia, C. K. Tse, and X. Chen, ‘‘A hybrid cyber attack
and M. Bruce, ‘‘Development of a smart-grid cyber-physical systems model for cyber-physical power systems,’’ IEEE Access, vol. 8,
testbed,’’ in Proc. IEEE PES Innov. Smart Grid Technol. Conf. (ISGT), pp. 114876–114883, 2020.
Feb. 2013, pp. 1–6. [51] K. Pan, A. Teixeira, M. Cvetkovic, and P. Palensky, ‘‘Data attacks on
[30] CAPS–Florida State University. (2020). Center for Advanced Power power system state estimation: Limited adversarial knowledge vs. Lim-
Systems Infrastructure. [Online]. Available: https://www.caps. ited attack resources,’’ in Proc. 43rd Annu. Conf. IEEE Ind. Electron. Soc.
fsu.edu/media/1256/caps-flyer.pdf (IECON), Oct. 2017, pp. 4313–4318.
[31] C. Ogilvie, J. Ospina, C. Konstantinou, T. Vu, M. Stanovich, K. Schoder, [52] A. Barua and M. A. Al Faruque, ‘‘Hall spoofing: A non-invasive dos
and M. Steurer, ‘‘Modeling communication networks in a real-time simu- attack on grid-tied solar inverter,’’ in Proc. 29th USENIX Secur. Symp.,
lation environment for evaluating controls of shipboard power systems,’’ 2020, pp. 1273–1290.
in Proc. IEEE CyberPELS (CyberPELS), Oct. 2020, pp. 1–7. [53] V. Venkataramanan, A. Hahn, and A. Srivastava, ‘‘CP-SAM: Cyber-
[32] J. Ospina, I. Zografopoulos, X. Liu, and C. Konstantinou, ‘‘DEMO: Trust- physical security assessment metric for monitoring microgrid resiliency,’’
worthy cyberphysical energy systems: Time-delay attacks in a real-time IEEE Trans. Smart Grid, vol. 11, no. 2, pp. 1055–1065, Mar. 2020.
co-simulation environment,’’ in Proc. Joint Workshop CPS&IoT Secur. [54] Y. Zhang, V. V. G. Krishnan, J. Pi, K. Kaur, A. Srivastava, A. Hahn, and
Privacy. New York, NY, USA: Association for Computing Machinery, S. Suresh, ‘‘Cyber physical security analytics for transactive energy sys-
Nov. 2020, p. 69, doi: 10.1145/3411498.3422926. tems,’’ IEEE Trans. Smart Grid, vol. 11, no. 2, pp. 931–941, Mar. 2020.
[33] S. Sridhar, A. Ashok, M. Mylrea, S. Pal, M. Rice, and [55] A. Peedikayil Kuruvila, I. Zografopoulos, K. Basu, and
S. N. G. Gourisetti, ‘‘A testbed environment for buildings-to-grid C. Konstantinou, ‘‘Hardware-assisted detection of firmware attacks
cyber resilience research and development,’’ in Proc. Resilience Week in inverter-based cyberphysical microgrids,’’ 2020, arXiv:2009.07691.
(RWS), Sep. 2017, pp. 12–17. [Online]. Available: http://arxiv.org/abs/2009.07691
[34] J. N. Haack, B. A. Akyol, N. D. Tenney, B. J. Carpenter, R. M. Pratt, and [56] X. Liu, J. Ospina, and C. Konstantinou, ‘‘Deep reinforcement learning
29814 VOLUME 9, 2021


I. Zografopoulos et al.: Cyber-Physical Energy Systems Security
IOANNIS ZOGRAFOPOULOS (Graduate Student Member, IEEE) received the B.Eng. and M.Eng. degrees in computer, communications, and network engineering, and the M.Sc. degree in electrical and computer engineering from the University of Thessaly, Volos, Greece, in 2014 and 2015, respectively. He is currently pursuing the Ph.D. degree with the Department of Electrical and Computer Engineering, FAMU-FSU College of Engineering, Florida State University. His research interests include cyber-physical and communications security, with emphasis on the IoT and embedded systems for industrial, distributed energy, and power grid applications. He is also an IEEE PES Student Member and has served as a reviewer for the IEEE Consumer Electronics Magazine and IEEE COMPUTER SOCIETY JOURNAL, as well as a sub-reviewer for ISVLSI and CPSIoTSec.

JUAN OSPINA (Member, IEEE) received the dual B.Sc. degree in electrical and computer engineering, the M.S. degree in electrical engineering, and the Ph.D. degree in electrical engineering from Florida State University, Tallahassee, FL, USA, in 2016, 2018, and 2019, respectively. He is currently a Postdoctoral Research Associate with Florida State University and the Center for Advanced Power Systems, Tallahassee. His research interests include the development of intelligent systems for electric power systems (EPS) and smart-grid applications, machine learning and reinforcement learning models for DER control, renewable energy integration, cybersecurity, and real-time simulation. He is also an IEEE PES Member.

XIAORUI LIU (Student Member, IEEE) received the M.S. degree in electrical engineering from Florida State University, Tallahassee, FL, USA, in 2017, where she is currently pursuing the Ph.D. degree in electrical engineering. Her research interests include real-time simulation of power systems, cybersecurity, and machine learning.

CHARALAMBOS KONSTANTINOU (Senior Member, IEEE) received the Dipl.-Ing.-M.Eng. degree in electrical and computer engineering from the National Technical University of Athens (NTUA), Greece, in 2012, and the Ph.D. degree in electrical engineering from New York University, New York City, NY, USA, in 2018. He is currently an Assistant Professor of electrical and computer engineering with Florida A&M University and the FAMU-FSU College of Engineering, Florida State University (FSU), Tallahassee, FL, USA, and the Director of the Decision & Secure Systems Laboratory, Center for Advanced Power Systems (CAPS), FSU. He has authored multiple articles in the IEEE/ACM TRANSACTIONS and conference proceedings, and serves in the program committee of several international conferences. His research interests include cyber-physical and embedded systems security with focus on power systems. He is also a member of ACM and an ACM Distinguished Speaker. He is also the Secretary of the IEEE Task Force on Cyber-Physical Interdependence for Power System Operation and Control. He was a recipient of the 2020 Myron Zucker Student-Faculty Grant Award from IEEE Foundation, the Southeastern Center for Electrical Engineering Education (SCEEE) Young Faculty Development Award 2019, and the Best Paper Award at the International Conference on Very Large Scale Integration (VLSI-SoC) 2018.
