Abstract— In this paper a power system protection scheme
based on energy storage system placement against closed-loop
dynamic load altering attacks is proposed. The protection design
consists in formulating a non-convex optimization problem,
subject to a Lyapunov stability constraint and solved using a
two-step iterative procedure. Simulation results confirm the
effectiveness of the approach and the potential relevance of using
energy storage systems in support of primary frequency
regulation services.
I. INTRODUCTION
Over the last years, the need for securing power grids
against the danger of cyber-physical attacks has been
increasingly encouraging the development of distributed
intelligence technologies accompanied by appropriate security
enforcements. In particular, cyber-physical attacks have been
targeting all sectors of power systems, i.e., generation,
distribution and control, and consumption. In this respect, a
suitable classification with meaningful examples is given in
[1]. More specifically, as concerns cyber-physical attacks
targeting the generation sector, the interested reader is referred
to [2] and [3]; as concerns, instead, cyber-physical attacks
targeting the distribution and control sector, the reader is
referred to [4] and [5].
This paper is focused on cyber-physical attacks targeting
the consumption sector. In particular, we are concerned with
Load Altering Attacks (LAAs) whose aim is to maliciously
alter a group of remotely accessible yet unsecured controllable
loads, thus artificially creating power imbalances in the power
network responsible for frequency and load angle instability,
and consequently network blackout through sequential
generator tripping.
In particular, LAAs can be classified into static ones,
which abruptly modify the volume of certain vulnerable loads
una tantum, and dynamic ones (hereafter referred to as D-
LAAs), which not only determine the volume of the change
enforced onto the compromised load, but also establish the
load trajectory over time.
D-LAAs can either be open-loop – such that the attacker is
not capable of monitoring the power grid in real-time and
*Research supported by the European Commission in the framework of
the H2020 ATENA project (Advanced tools to assess and mitigate the
criticality of ICT components and their dependencies over critical
infrastructures) under Grant Agreement no. 700581.
A. Di Giorgio, A. Giuseppi, A. Ornatelli, A. Rabezzano, and L. Ricciardi
Celsi are with the Department of Computer, Control and Management
Engineering Antonio Ruberti, University of Rome La Sapienza, via Ariosto
therefore assigns a pre-programmed trajectory to the
compromised load based on some available historical data – or
closed-loop. Whenever a closed-loop D-LAA is struck against
a power grid, the attacker continuously monitors the grid
conditions through his own installed sensors or by hacking into
an existing monitoring infrastructure, and consequently uses
the feedback from the power grid frequency to alter the victim
load buses.
Moreover, we distinguish between single-point closed-
loop D-LAAs, which compromise only the vulnerable load at
one victim load bus, and multi-point ones, which compromise
the vulnerable loads at several victim load buses in a
coordinated fashion in order to maximize the attack impact [6].
In this paper, based on the IEEE 39-bus test system, we design
a protection scheme against closed-loop single-point and
multi-point D-LAAs by formulating and solving a non-convex
optimization problem subject to a Lyapunov stability
constraint. The paper takes into account the most relevant
power system dynamics, and feedback control theory is here
used – following approaches similar to those appearing in
other papers which apply control-based methodologies to
several application fields [7]-[16] – as a tool to model and
build a remedy action against the attack: this adds to the
already existing results on the control-theoretic study of cyber-
physical systems [17][18]. The proposed protection scheme
relies upon the proper installation of suitably-sized Energy
Storage Systems (ESSs) [19][20] in order to mitigate the
effects of the ongoing D-LAA and preserve the power
system’s stability. In this regard, ESS technology has
significantly improved over the last years, with possible
applications starting to be investigated at transmission
[21][22], distribution [23]-[26], microgrid [27][28] and
consumer [29] level. The presented setup is also of practical
interest due to its link to the concept of frequency-responsive
loads [30][31], which are expected to support traditional
power plants in the provisioning of frequency regulation
services.
In particular, this study has been carried out within the
framework of the H2020 ATENA project, which is aimed at
developing ICT networked components for the detection of
and reaction to adverse events in the context of cyber-physical
security for Critical Infrastructures (CI), where it is crucial to
25, 00185 Rome, Italy (email:{digiorgio, giuseppi,
ricciardicelsi}@diag.uniroma1.it).
F. Liberati is with the SMART Engineering Solutions & Technologies
(SMARTEST) Research Center, eCampus University, Via Isimbardi 10,
22060 Novedrate (CO), Italy (e-mail: francesco.liberati@uniecampus.it).
On the Optimization of Energy Storage System Placement for
Protecting Power Transmission Grids Against Dynamic Load
Altering Attacks*
Alessandro Di Giorgio, Alessandro Giuseppi, Francesco Liberati,
Antonio Ornatelli, Antonio Rabezzano, and Lorenzo Ricciardi Celsi
prevent the propagation of damage to other CIs interdependent
with the power grid (see also the FP7 projects MICIE and
CockpitCI [32]-[35] as well as the SHIELD framework and
the related publications [36]-[44]). The paper is organized as
follows. Section II provides the mathematical model of the
IEEE 39-bus test system undergoing a closed-loop D-LAA.
Section III formulates the problem of optimizing the number
and location of ESSs for protecting the power grid against the
ongoing D-LAA. Section IV shows and discusses the
performed simulations. Concluding remarks in Section V end
the paper.
II. MATHEMATICAL MODEL OF THE IEEE 39-BUS TEST
SYSTEM UNDER A D-LAA
Figure 1. The IEEE 39-bus test system.
We now present the mathematical model for the IEEE 39-
bus test system based on the 10-machine New-England power
network and depicted in Fig. 1: we will use this model for the
design, relying upon ESSs, of a protection scheme against D-
LAAs.
Let and represent the sets of generator buses and load
buses, respectively, across the grid. More in detail, the IEEE
39-bus test system is made of 10 generator buses and 29 load
buses, so we assume that and .
Let then represent the set of all buses across the
grid. For a generic bus , the total amount of power
delivered can be separated into generator and load terms [1].
Namely, power flow equations can be written distinguishing
the power amount
injected into the grid by each generator
and the total power
absorbed by each load bus
. By defining
as the voltage phase angle of the -th
generator bus,
as the voltage phase angle of the -th load
bus and
as the admittance value between the generic -th
and -th buses, it follows that
(1)
As regards the generator buses, the swing equations are
adopted to model the dynamic behavior of each generator
, i.e.,
(2)
, (3)
where
is the rotor frequency deviation at the -th generator
bus,
is the rotor inertia associated with the -th generator,
is the mechanical power input and
is the damping
term, proportional to the frequency deviation, . We
assume that the inertia
and the damping coefficient
are
strictly positive.
In particular, according to [45] and [46], it is possible to
combine a turbine-governor control action with a load-
frequency one into a proportional-integral (PI) controller,
aimed at keeping the rotor frequency at its nominal level by
pushing the frequency deviation
back to zero. Said PI
controller is represented by
(4)
Consequently, the rotor frequency dynamics in equation (3)
can be rewritten by expressing the mechanical power
for
each generator in terms of frequency deviation
, as defined
in (4). It follows that
and, since the power
injected by the generating unit is
defined according to (1) and the integral of the frequency
deviation is equal to the voltage phase angle of the generator,
we obtain, ,
After some manipulations, we have
. (5)
As regards the load buses, instead, following [31] we use
to define the aggregate power consumption of (i)
uncontrollable loads as well as of (ii) controllable but
frequency-insensitive ones. On the other hand, (iii)
controllable and frequency-sensitive loads can be assumed to
increase linearly with the frequency deviation at the load
buses: it follows that the related power consumption can be
modeled by
, where
is the strictly positive damping
term of the -th load bus and
is the frequency
deviation at each bus . We can rewrite (1), , as
follows,
(6)
(7)
Equations (2), (5), (6), and (7) define the complete
dynamical model of the IEEE 39-bus test system depicted in
Fig. 1. The power grid can now be represented in the form of
a linear state-space descriptor model. First of all, we need to
arrange the admittance values, appearing in equations (5) and
(7), into four different matrices, that is, (i)
, containing
the admittance values associated with the lines connecting
buses in ; (ii)
, containing the admittance values
associated with the lines between generator and load buses;
(iii)
; (iv)
, containing the admittance
values associated with the lines connecting the buses in .
Therefore, the complete admittance matrix of the power
system is
Moreover, the inertia and damping values (
and
,
respectively) in (5), as well as the damping terms
in (7),
can be collected into properly-dimensioned diagonal
matrices, namely ,
, and
. The same considerations
apply to the proportional and integral values
and
as
well as to the load power consumptions
. Eventually, by
defining
as the vector of the voltage
phase angles associated with the generators,
as the vector of the voltage phase angles
associated with the load buses,
as the
vector of the frequency deviations of the generators, and
as the vector of the load frequency
deviations, and considering and as state variables,
the complete linear state-space descriptor model for the IEEE
39-bus test system is
(8)
where the ’s are properly-dimensioned identity matrices.
Let us now plug a D-LAA into the system reported above.
By definition, a D-LAA is aimed at compromising a certain
amount of vulnerable load in specific grid areas and at
controlling its evolution over time so that the overall
interconnected system is considerably altered and damaged.
Therefore, in line with [6], we regard power consumption at
the load buses, i.e.,
, as the sum of two contributions: part
of the load consumption is identified as a protected portion
, while
denotes the vulnerable unprotected portion of
the load:
(9)
Let be the set of victim load buses and let be
the set of the positions of sensors which are capable of attack
detection. Accordingly, let
denote the attack gain at
victim bus if the sensor bus is a generator bus
(belonging to ), and
denote the control gain of the
attacker at bus if the sensor bus
is a load bus
(belonging to ). A D-LAA against the power grid can then
be modelled by the proportional controller
(10)
where
is the generator frequency deviation measured by a
sensor bus , and
is the frequency deviation of the
load buses measured by a sensor bus
. In particular, the
D-LAA is such that the update of
is inversely
proportional to frequency deviation: namely, if
decreases
(increases), then the amount of vulnerable load increases
(decreases), and the same holds with respect to
. Hence,
equation (10) is a proportional controller modelling a D-LAA
against the power grid. By the way, note that other choices
(such as PID or PD controllers) are also possible to model
such attacks.
On this basis, the power grid under attack is modelled by
substituting (10) into (9), and then into (8), thus obtaining
(11)
When the system is under attack, the attacker can compromise
the grid stability by properly modifying the controller gains,
and, subsequently, the amount of vulnerable unprotected load
. Formally, from a control-theoretic point of view, the
closed-loop system above becomes unstable if controller
gains
and
are capable of moving the system poles to
the right-hand side of the complex plane, that is, to the
unstable region for continuous-time linear systems.
III. OPTIMIZATION OF ESS PLACEMENT FOR PROTECTING
THE POWER GRID AGAINST A D-LAA
As in [6], the idea is to exploit the notion of Lyapunov
stability in combination with an optimization criterion so as
to guarantee power grid security in the presence of a D-LAA
characterized as in (10). More specifically, in this paper it is
proposed to solve the following problem: given a power grid
whose load buses are assumed to be potential victims to a D-
LAA, determine the minimum number of ESSs (with fixed
size) and their exact locations in order to protect the system
against the ongoing D-LAA. In this respect, a proper
optimization problem can be defined where ESSs are
modelled based on feedback from the frequency deviations
detected all across the power grid. Let us assume that the term
, that is, the protected portion of the power consumption
at the load buses, be the power provided by a certain
number of ESSs at different locations in the power grid.
Let us suppose that the sensor bus is necessarily a
generator bus, i.e., , and consequently
is set to
zero. The power provided by an ESS placed at the victim load
bus can be modelled by a proportional controller in the
form
,
where
denotes the storage gain at each victim load
bus when the sensor is located at generator bus and
is
the frequency deviation measured at bus . In other words, we
assume that the ESS operating conditions are strictly related to
the power grid state and, therefore, to the frequency deviations
that occur as a result of the D-LAA being struck against the
power grid itself.
Neglecting the
term due to the assumption on the
sensor bus, the power consumption
in (9) can be then
rewritten as
(12)
The resulting closed-loop system dynamics – modelling the
power grid subject to the D-LAA and to ESS control for attack
mitigation – is obtained by substituting (12) into (8) so as to
have
The last row of the descriptor system above can be solved with
respect to and properly substituted in order to obtain an
equivalent linear state-space model, i.e.,
where
(13)
At this point, we can formulate the optimization problem. In
particular, according to Lyapunov’s stability theorem for
linear systems, the system poles are required to be kept inside
the left-hand side of the complex plane. In this respect, the
1
We recall that the
-norm of a vector is the number of its non-zero
elements, i.e., its cardinality.
following linear matrix inequality has to hold if we want to
ensure Lyapunov stability, i.e.,
, (14)
with as in (13), thus implying that the stability of the overall
system is strictly related to (i) the entity of the D-LAA against
the power grid, and to (ii) the ESS size.
Before formulating the optimization problem, a feasibility
constraint on the entity of the D-LAA has to be formulated.
Namely, we assume that the attack intensity cannot be greater
than the difference between the total vulnerable load at victim
load bus (
) and the power provided by the corresponding
ESS. In other words, the more power the ESSs provide, the
less effective the D-LAA against the power grid is.
(15)
where
denotes the maximum admissible frequency
deviation for generator before its over or under frequency
relays trip [6]. Another constraint to be enforced can be
expressed in terms of the ESS size. Namely, the storage control
gain is limited according to the following relation:
(16)
where
is the maximum power provided by the ESS,
expressed in p.u. Under these constraints, the optimization
problem can be formulated as follows.
Problem 1 (Optimization of number and location of ESSs
protecting the power grid against a D-LAA). Given the total
vulnerable load
at victim load bus and given a proper
ESS size, determine the minimum number and the exact
location of ESSs so that the power grid is asymptotically
stable, that is,
subject to
Eqs. (14), (15), and (16),
By minimizing the
-norm
1
of vector
(i.e., the vector
listing all energy storage control gains
at and
), it is possible to determine the minimum number and the
optimal location of the ESSs to be installed in the power grid
in order to prevent a D-LAA in the form (10) from
compromising the overall system stability.
However, note that a solution to this problem is not easily
found, because solving a cardinality minimization problem is
NP-hard [47], and due to the presence of the non-convex
quadratic constraint defined by (15).
For the former problem, an approximation is needed to
reduce the computational complexity. A common choice is the
minimization of the
norm, characterized by sparse feasible
solutions (i.e., solutions which have null elements) [48].
Generally, a non-convex optimization problem may have
multiple solutions, it may be infeasible or it can take
exponential time to determine the global minimum across all
admissible solution regions. In order to overtake non-
convexity, we exploit a two-step solution approach, adapted
from [6] and inspired by the coordinate descent method whose
convergence is guaranteed [49].
First, note that inequality (15) has to turn into an equality
when attempting to solve Problem 1. In fact, if (15) holds as a
strict inequality, when the optimal solution is found, one could
think of reducing the value of
and consequently lower the
objective function, thus contradicting the optimality status. It
then follows that the constraint in (15) should be rewritten as
an equality, making
act as a slack variable, i.e.,
(17)
This way, we reduce the decision variables of the optimization
problem to
and , since
is now univocally defined by
the vulnerable loads and the power injected by the ESSs.
Nevertheless, these two variable sets are still coupled through
the attack control gain
and the non-convex constraint
defined by equation (17). To this end, the problem is split up
into the two following coupled subproblems.
Step (1). Initially, the storage control gain vector
is
assumed to be constant, thus easily determining the attack
control gain
according to constraint (17). This way,
we can solve a feasibility problem over variable , i.e.,
subject to
Eqs. (14) and (17), ,
where the decision variables are the entries of matrix .
Such a feasibility problem can also be classified as a semi-
definite program [50].
Step (2). Next, we take the solution of the feasibility
problem above as a constant and we solve Problem 1 over
only, i.e.,
subject to Eqs. (14), (16), and (17),
where the decision variables are the entries of
.
These two steps are iterated until convergence is reached. In
particular, note that the ESS number and placement is
assessed, as a result of the optimization procedure: the non-
zero elements of the resulting
vector identify the optimal
number and location of the ESSs to be deployed.
IV. SIMULATION RESULTS
The simulations presented in this section have been carried
out using MATLAB®: in particular, the authors relied upon
the CVX package [51] for determining a numerical solution
to Problem 1 according to the two-step iterative procedure
explained above. As regards the values of the parameters of
the transmission lines, of the inertia (i.e., ) and damping
coefficients (i.e.,
) of generators, of the generator
controller gains (i.e., the
’s) and of the damping
coefficients for each dynamic load (i.e., the
’s), such values
are chosen as in [6]. In particular, the controller parameters
are set in order to keep the overall system stable during
normal operations, i.e., in the absence of an attack. The
nominal system frequency is Hz. We assume that the over-
frequency relays of the generators trip at Hz, whereas the
under-frequency relays trip at Hz. Consequently, i.e.,
. The vulnerable loads at each load bus are
reported in Table I. Note that, unlike [6] we are assuming the
power loads reported in Table I to be entirely vulnerable.
Therefore, in our scenario, the way chosen to protect them is
by relying on the power provision allowed by suitably-
deployed ESSs.
TABLE I. VULNERABLE LOADS AT EACH LOAD BUS (
)
Load
Bus
(p.u.)
Load
Bus
(p.u.)
Load
Bus
(p.u.)
1
4
11
4
21
6.7
2
4
12
4.1
22
4
3
7.2
13
4
23
9.8
4
9
14
4
24
7
5
4
15
7.2
25
6.2
6
7
16
10.9
26
5.4
7
6.3
17
4
27
6.8
8
9.2
18
5.6
28
6.1
9
4
19
5.6
29
15.1
10
4
20
10.3
-
-
A. First Attack Scenario
With respect to the 10-machine New-England power
network depicted in Fig. 1, in the first attack scenario we
assume that only a subset of vulnerable loads can be regarded
as potential victims to a D-LAA. Let us consider as potential
victims only the load buses identified by
and let us assume that the sensor capable
of detecting the ongoing attack is located at generator bus
. Let us also assume that the vulnerable loads at the
victim load buses are
and let the
ESS size be equal to the available load at the victim load
buses. This last assumption implies that the initial values of
the storage control gains are set to
.
Starting from control gains initialized to the maximum
admissible values, the iterative algorithm discussed in Section
III is run so as to solve this instance of Problem 1. Since we
intend to determine the minimum number of ESSs and their
exact location in the power grid, the obtained simulation
results claim that, by introducing one ESS located at load bus
no. 19 with storage capacity equal to p.u., the power grid
remains stable under the considered D-LAA.
