Secure State Estimation and Control for Cyber Security of AC Microgrids

1 Secure State Estimation and Control for Cyber Security of A C Microgirds Dariush Fooladi v anda*, Qie Hu*, Y oung Hwan Chang*, and Peter W . Sauer Abstract —A timely , accurate, and secure dynamic state esti- mation is needed for reliable monitoring and efficient control of microgrids. The synchr ophasor technology enables us to obtain synchronized measurements in real-time and to develop dynamic state estimators for real-time monitoring and control of microgrids. In this study , we consider an A C microgrid comprising several synchr onous generators and in verter -interface power supplies, and focus on secur ely estimating the dynamic states of the microgrid fr om a set of corrupted data. W e propose a dynamic state estimator which enables the microgrid operator to reconstruct the dynamic states of the micr ogrid fr om a set of corrupted data. Finally , we consider an A C microgrid with the same topology as the IEEE 33-bus distribution system, and numerically show that the proposed secure estimation algorithm can accurately reconstruct the attack signals. Index T erms —Secure state estimation, dynamic state estima- tion, microgrids, distribution systems. I . I N T RO D U C T I O N F UTURE distribution systems will include interconnected microgrids [1]- [2]. Such systems are designed to be operated and controlled in a hierarchical fashion to deal with various dynamic phenomena with different time scales [3]- [4]. The functionality of control systems in microgrids is highly dependent on state estimation schemes used to observe the state of the system ov er time. T raditional energy management systems are using static state estimation schemes designed from steady-state models [5]- [6]. W ith the high penetration of distributed energy resources (DER) on the generation side, and flexible loads and new demand-response technologies on the demand side, static state estimation methods will be unable to capture po wer systems’ dynamics accurately [7]. Dynamic state estimation schemes will be needed to accurately capture the system dynamics. Such state estimation schemes, designed based on dynamical models, will play an important role in microgrid control and protection [8]- [9]. The focus of this paper is the design of dynamic state estimation schemes which are secure to c yber-physical attacks. Large-scale integration of in verter -interfaced power supplies and distributed controls requires a widespread deployment of the synchrophasor technology and communication networks in future distribution systems. This will lead to high-volume data exchange between different controllers which will make mi- crogrids vulnerable to cyber-ph ysical attacks. Corrupted data D. Fooladi vanda is with the Department of Mechanical and Aerospace Engi- neering at the Univ ersity of California, San Diego, USA (dfooladi@ucsd.edu). Q. Hu is with the Department of Electrical Engineering and Computer Sciences, Univ ersity of California Berkeley , USA (qiehu@berkeley .edu). Y . H. Chang is with the Department of Biomedical Engineering and Com- putational Biology Program, Oregon Health and Science University , USA (chanyo@ohsu.edu). Peter W . Sauer is with the Department of Electrical and Computer Engineering, University of Illinois Urbana-Champaign, USA (psauer@illinois.edu). *These authors contributed equally to this w ork. in controllers can disrupt power generators’ synchrony and result in a network-wide instability . Several attack detection schemes hav e been proposed in recent years [10]- [14]. In false-data injection attacks, disturbances are injected to sensors and actuators to disrupt their measurements and computed control inputs. While it is possible to identify misbehaving agents [10]- [11], such solutions require kno wledge of the communication network and are hard to scale. In [15], the authors propose a computationally-efficient scheme to detect deception attacks on sensors. While such solutions enable us to detect cyber attacks efficiently , these solutions do not mitigate all possible adverse effects. Robust game-theoretic schemes can lead to conservati ve results against cyber attacks [16]- [17]. Cyber attacks can be modeled as noise or disturbance to the system. Basse ville et al. [18] use noise filtration techniques to detect and remove malicious attacks, and the authors in [19] dev elop disturbance attenuation methods for cyber attack detection. Notice that noise filtration or disturbance attenuation techniques operate under certain statistical properties, e.g., white Gaussian noise signal. Ho wever , in practice, cyber attacks can be deliberately designed by a malicious attacker . In [20], the authors propose an attack-resilient distributed control for synchronization of islanded in verter-based microgrids. The authors study the ef fect of attacks on sensors and actuators, and numerically demonstrate the effecti veness of their distrib uted controls on a modified IEEE 34-bus system. In recent years, several researchers hav e focused on state es- timation with security guarantees for both linear and nonlinear dynamical systems [21]-[24]. The existing literature related to secure state estimation in linear dynamical systems can be classified into two classes: 1) noiseless measurements, and 2) noisy measurements. For the noiseless framework, the studies in [21]- [23] show that the state of the system can be ac- curately reconstructed under certain conditions. When sensor measurements are affected by both noise and attack signals, sparse attack v ectors can be distinguished from measurement noise under certain conditions [25]- [27]. In [24], the authors focus on securely estimating the state of a nonlinear dynamical system from a set of corrupted measurements for tw o classes of nonlinear systems without any assumption on the sensor attacks or corruptions. The y propose a secure state estimator for those systems assuming that the set of attack ed sensors can change with time. Finally , they consider a power system comprising several synchronous generators and storage units connected to each other through a set of transmission lines, and assume that the storage units use feedback linearization controls. The authors design a secure estimator that allows us to securely estimate the dynamic states of the power network, i.e., the states of the synchronous generators, under cyber- physical attacks and communication failures. Sev eral approaches in the literature are addressing the dynamic state estimation problem. Howe ver , the existing dy- namic state estimators ha ve the following drawbacks: 1) Loads are considered to be quasi-static, i.e., load dynam- ics are neglected. Unlike large power systems, microgrids are small footprint power systems comprising distribution assets, DERs, and loads. DERs are typically of in verter- interfaced po wer supplies with no inertia. These resources respond to disturbances as fast as their controls, and hence dynamics of loads and DERs are strongly coupled in mi- crogrids. More precisely , load dynamics have significant transient impacts in microgrids [28]- [29]. 2) Controllers are considered to hav e specific structure. For example, storage units are assumed to use feedback linearization controls in [24]. DERs can use several types of distributed and centralized control schemes [30]-[31]. In summary , load dynamics cannot be neglected in securely estimating dynamic states, and controllers cannot be limited to any specific structure. T o overcome the abov e drawbacks, we dev elop a secure state estimation method without linearization or reducing the microgrid into a network of oscillators. In this study , we focus on secure dynamic state estimation in A C microgrids under cyber attacks or communication failures. W e consider an A C microgrid comprising sev eral synchronous generators, in verter-interf aced power supplies, and loads con- trolled via a central controller (i.e., the microgrid operator) as well as local controllers. W e assume that these controllers use the synchrophasor technology , phasor measurement units (PMU), to maintain the system’ s reliability . More precisely , each b us is equipped with a local controller, transceiver , and measurement unit which allo w the controller to exchange its information with the central controller and the local controllers of other buses. The transceiv ers are connected through a communication network which sends the feedback information to the microgrid operator . W e mak e the following assumptions: A.1 The communication paths from the central controller to different b uses are secured while other communication paths and PMUs are subject to cyber attacks. A.2 The set of attacked PMUs or communication paths can change with time. A.3 Attacks or corruptions can follow any particular model. A practical example of cyber attacks in which the set of attacked sensors can change with time is provided in [32]. W e propose a secure state estimator for reconstructing the dynamic states of the A C microgrid from a set of corrupted measurements without any assumption on the attacks. The proposed estimators are computationally efficient. W e then consider an AC microgrid with the same topology as the IEEE 33-bus distribution system, and numerically demonstrate the effecti veness of our estimators in accurately reconstructing the attack or corruption signals. The proposed technique enables microgrid operators to reconstruct dynamic states before using the receiv ed measurements for computing control signals, and to monitor the operation of local controllers. The paper is organized as follo ws: In Section II, we intro- duce the microgrid model adopted in this work, and revie w the classical error correction methods. In Section III, we formulate the dynamic state estimation problem for AC microgrids, and propose a solution technique for recovering dynamic states. Finally , in Section IV, we demonstrate the effecti veness of the proposed state estimation algorithm using the IEEE 33-bus distribution system. I I . P R E L I M I NA R I E S W e first introduce the physical layer model of an A C mi- crogrid with synchronous generators, in verter -interfaced po wer supplies, and loads. W e then describe the cyber layer over which the microgrid operator relies to control its DERs, and introduce the cyber attacks that we are considering in this study . Finally , we briefly revie w the existing secure state estimation techniques for linear dynamical systems. A. Physical Layer Model Consider a microgrid with m + n + l buses. W ithout loss of generality , we assume that m of these buses, indexed by N ( S ) = { 1 , · · · , m } , hav e synchronous generators connected to them, and that n of the microgrid buses, indexed by N ( I ) = { m + 1 , · · · , m + n } , have inv erter-interf aced power supplies attached to them. W e further assume that the remaining buses, index ed by N ( L ) = { m + n + 1 , · · · , m + n + l } , hav e loads and no generation 1 . In addition, we assume that the network interconnecting the generator and load buses is linear so that it can be represented by the nodal admittance matrix Y = G + √ − 1 B where G and B denote the conductance and susceptance matrices, respectively . W e use the standard structure-preserving model to describe the microgrid’ s dynamics [33]. This model that incorporates the dynamics of generators’ rotor angle and response of load power output to frequency deviations, allows us to preserve the structure of the grid, i.e., no load bus elimination is made. W e introduce fictitious buses representing the internal generation voltages for synchronous generators and in verter - interfaced power supplies. Each of these buses is connected to either a synchronous generator or in verter-interf aced power supply bus via reactances that account for transient reactances and connecting lines. These reactances can be considered as transmission lines [34]. Therefore, in the augmented network, the number of b uses is 2( m + n ) + l . W e further denote the set of fictitious buses for synchronous generators and in verter - interfaced po wer supplies by N ( S ) f and N ( I ) f , respectiv ely . The topology of the augmented network can be represented by an undirected graph, G ( N , E ) , where N = N ( S ) ∪ N ( I ) ∪ N ( L ) ∪ N ( S ) f ∪ N ( I ) f ; and where each element in the edge set E corresponds to a transmission line connecting a pair of buses in the augmented network. W e assume that the network topology is fixed and kno wn to the microgrid operator . Let V i and θ i denote the voltage magnitude and phase angle of bus i ∈ N , respecti vely . The dynamics of each synchronous generator are described by a structure-preserving model with constant comple x voltage behind reactance [34, Sec. 7.9.2], augmented to include the gov ernor dynamics. F or a synchronous generator at fictitious bus i ∈ N ( S ) f , let θ i denote the angle of its voltage (the generator’ s internal voltage) as measured with respect to a synchronous reference rotating at the nominal system electrical frequency ω 0 . Further, let ω i denote its rotor electrical angular speed, and let P m i be the 1 W ithout loss of generality , we consider tie-line buses that connect the microgrid to the grid, as load buses. turbine’ s mechanical power . For each synchronous generator i ∈ N ( S ) f , we have ˙ θ i = ω i − ω 0 , (1) M i ˙ ω i = P m i − D i ( ω i − ω 0 ) − X j ∈N i V i V j | y ij | sin ( θ i − θ j + φ ij ) , (2) τ i ˙ P m i = − P m i + P s i − R i ( ω i, meas − ω 0 ) , (3) where y ij = g ij + √ − 1 b ij with g ij and b ij being the entries of the conductance and susceptance matrices, respectiv ely , and φ ij equals arctan ( g ij /b ij ) . N i denotes the set of neighbors of node i in graph G ( N , E ) , D i (in s/rad) is the generator damp- ing coef ficient, and M i (in s 2 /rad) is a scaled inertia constant. Further , R i is the frequency-power speed-droop characteristic constant, τ i is the generator governor time constant, and P s i denotes the generator’ s power set-point. Notice that ω i, meas is the measured value of state ω i for all i ∈ N ( S ) f . The dynamics of in verter -based po wer supplies can similarly be described by a constant voltage behind reactance model, augmented to include a frequency-droop controller . For a in verter -based po wer supply at fictious bus i ∈ N ( I ) f , let θ i denote the angle of its voltage as measured with respect to the nominal system electrical frequency ω 0 , and let P s i denote its generation set-point. For each inv erter-based power supply i ∈ N ( I ) f , we have D i ˙ θ i = P s i − X j ∈N i V i V j | y ij | sin ( θ i − θ j + φ ij ) , (4) where D i (in s/rad) is the speed-droop characteristics slope of the in verter-interf aced power supply . In general, the real po wer drawn by the load at load b us i ∈ N ( S ) ∪ N ( I ) ∪ N ( L ) is a nonlinear function of voltage and frequency . Howev er , for constant voltages and small frequency deviations around the nominal frequency ω 0 , it is reasonable to assume that the real po wer drawn by the load equals P d i + D i ˙ θ i where D i > 0 and P d i > 0 are the constant frequency coefficient of load and the nominal load at b us i ∈ N ( S ) ∪ N ( I ) ∪ N ( L ) , respectiv ely . Therefore, for constant voltages and small frequency deviations, the dynamics of the phase angle at load bus i ∈ N ( S ) ∪ N ( I ) ∪ N ( L ) can be modeled by D i ˙ θ i = − P d i − X j ∈N i V i V j | y ij | sin ( θ i − θ j + φ ij ) . (5) Here, we ignore reacti ve po wers for synchronous generators, in verter -interfaced power supplies, and loads as they are un- necessary for the analysis presented in this study . B. Cyber Layer Model Each b us i is equipped with a local controller , transcei ver , and measurement unit which allow bus i to exchange informa- tion with the central controller (i.e., the microgrid operator) as well as the local controllers of other buses. As men- tioned earlier, fictitious buses represent the internal generation voltages for synchronous generators and in verter -interfaced power supplies. W e assume that each inv erter-interfaced po wer supply is equipped with a local controller , transceiv er, and measurement unit which allo w the in verter-interf aced po wer Secured Communication Network Non-secured Communication Network Secured Communication Path N on-secured Communication Path Microgrid Operator 1 2 3 4 Microgrid Operator 2 1 3 4 Attack type 1 Attack type 2 Fig. 1. A graphical depiction of the cyber network model: For simplicity , we focus on a microgrid comprising four buses. The graph in green (sold lines) shows the secured information flow (i.e., the set of information flows from the microgrid operator to local controllers) while the graph in red (dotted lines) represents the set of non-secured information flows. supply at fictitious b us i to measure and communicate its internal voltage phase angle. The rotor angle of synchronous generators has an electro- mechanic nature, and hence it cannot be measured via electric measurement units. Ho wev er , we can estimate rotor angle by using other electric parameters of synchronous generators. In the literature, sev eral studies are addressing the problem of estimating the rotor angle of synchronous generators [43]- [46]. W e assume that each synchronous generator is equipped with a local controller , transceiv er , and measurement unit, and that the measurement unit at bus i is using a rotor angle estimator to compute the internal voltage phase angle for the synchronous generator at bus i . The transceivers are connected through a communication network which sends the feedback information measurements, including rotors’ speeds and voltage phase angles, to the central controller . The communication network, measurement units, and transceiv ers are not secured. Therefore, these de- vices are subject to cyber attacks and communication failures. W e assume that the communication paths from the central controller to the local controllers are secured while other com- munication paths are not secured 2 . Hence, the communication network can be decomposed into two sub-graphs, one for secured information flow and one for non-secured information flow , as sho wn in Fig. 1. The microgrid operator needs to perform secure state esti- mation before using the receiv ed measurements (e.g., ω i ’ s and θ i ’ s) for computing dif ferent control signals and for monitoring the performance of the local controllers in the microgrid. T o do so, we consider two types of attacks: • Attack 1: an attack that corrupts the communication paths from the transcei vers to the central controller . • Attack 2: an attack that affects measurement units. These types of attacks are illustrated in Fig. 1 for a microgrid comprising four buses. Notice that the set of attacked mea- surements can change at each time instant. 2 In practice, the central controller is strongly protected against cyber attacks, and the local transceiv ers are more vulnerable to cyber attacks than the central controller . For more information, we refer the reader to the North American Electric Reliability Corp. (NERC)s Critical Infrastructure Protection (CIP) standards [35]. C. Err or Correction 1) Compressed Sensing: Let A ∈ R m × n ( m  n ) and b ∈ R m be a sensing matrix and measurement vector . Sparse solutions x ∈ R n , are sought to the following problem: min x k x k 0 subject to b = Ax, (6) where k x k 0 denotes the number of nonzero elements of x . The following results provide a suf ficient condition for a unique solution to (6). Lemma 1. ([36]) If the sparsest solution to (6) has k x k 0 = q and m ≥ 2 q and all subsets of 2 q columns of A are full rank, then the solution is unique. 2) The Error Correction Pr oblem: Consider a full rank coding matrix C ∈ R ` × n ( ` > n ) and a set of corrupted measurements y = C x + e where e is an arbitrary and unknown sparse error vector . In the classical error correction problem, we aim to recover the input vector x ∈ R n from the corrupted measurements y . T o reconstruct x , it is sufficient to reconstruct the error vector e since knowledge of y = C x + e and e gives C x , and then x can be computed using the full rank matrix C [36]. Candes et al. [36] construct a matrix F that annihilates C on the left, i.e., F C x = 0 for all x . Then, by applying F to y , they obtain ˜ y = F ( C x + e ) = F e. (7) Hence, the classical error correction problem can be trans- formed into reconstructing a sparse vector e from the mea- surement vector ˜ y = F e . By using Lemma 1, if all subsets of 2 q columns of F are full rank, we can then reconstruct any e that satisfies k e k 0 ≤ q . 3) Secure Estimation for Linear Dynamical Systems: Con- sider a discrete-time linear control system as follo ws: x [ k + 1] = Ax [ k ] , y [ k ] = C x [ k ] + e [ k ] , (8) where x [ k ] ∈ R n and y [ k ] ∈ R p denote the states and outputs of the system at time slot k , respecti vely . e [ k ] ∈ R p denotes attack signals injected by malicious agents at the sensors. Let Y ∈ R p · K be a collection of corrupted measurements ov er K time slots, and let E q ,K denote the set of error vectors  e [0]; ... ; e [ K − 1]  ∈ R p · K where each e [ k ] satisfies k e [ k ] k 0 ≤ q ≤ p . W e have: Y ,      y [0] y [1] . . . y [ K − 1]      =      C x [0] + e [0] C Ax [0] + e [1] . . . C A K − 1 x [0] + e [ K − 1]      =      C C A . . . C A K − 1      x [0] + E q ,K , Φ x [0] + E q ,K , (9) where Φ ∈ R p · K × n is the K -step observ ability matrix of the system at hand. W e assume that rank(Φ) = n ; otherwise, we cannot determine x [0] e ven if there was no attack E q ,K = 0 . W e can now reconstruct the initial state x [0] from y [ k ] ’ s, where k = 0 , ..., K − 1 , by following a two-step procedure [36] and [37]. First, we compute the error vector E q ,K , and then solve for x [0] . T o compute E q ,K , consider the QR decomposition of Φ as follo ws: Φ =  Q 1 Q 2   R 1 0  = Q 1 R 1 , (10) where  Q 1 Q 2  ∈ R p · K × p · K is orthogonal, Q 1 ∈ R p · K × n , Q 2 ∈ R p · K × ( p · K − n ) , and R 1 ∈ R n × n is a rank- n upper triangular matrix. W e pre-multiply (9) by  Q 1 Q 2  > , and obtain:  Q > 1 Q > 2  Y =  R 1 0  x [0] +  Q > 1 Q > 2  E q ,K . (11) Using the second block ro w , we have: ˜ Y , Q > 2 Y = Q > 2 E q ,K , (12) where Q > 2 ∈ R ( p · K − n ) × p · K . Using Lemma 1, the above optimization has a unique, s -sparse solution (where s ≤ q · K ) if all subsets of 2 s columns (at most 2 q · K columns) of Q > 2 are full rank. Using this observation, we consider solving the following l 1 -minimization problem: ˆ E q ,K = arg min E k E k l 1 subject to ˜ Y = Q > 2 E . (13) Here, we approximate the l 0 -minimization problem with an l 1 - minimization problem to obtain a con vex decoder [38]- [42]. Using the first block row of (11), we can now compute x [0] as follows: x [0] = R − 1 1 Q > 1 ( Y − ˆ E q ,K ) . (14) The following result pro vides the conditions under which exists a unique solution to (14). The proof follows by using Lemma 1 and the fact that the null space of Q > 2 is equal to the column space of Φ . Lemma 2. Ther e exists a unique solution x [0] if all subsets of 2 s columns of Q > 2 ar e linearly independent and Φ is full column rank. Next, we propose a dynamic state estimator for secure state estimation of dynamic states ω i ’ s and θ i ’ s in microgrids. I I I . S E C U R E S TA T E E S T I M A T I O N F O R M I C R O G R I D S Let us assume that the time is slotted in time slot of size δ . At each time slot k , the central controller recei ves the measured values of voltage phase angles, generators’ internal angles, and rotors’ speed. Let y i [ k ] denote the measurement vector received from bus i ∈ N . Since the measurement units and communication paths from the measurement units to the central controller are not secured, y i [ k ] is subject to cyber attacks and corruptions: y i [ k ] =  θ i [ k ] ω i [ k ]  + e i [ k ] , ∀ i ∈ N ( S ) f , (15) y i [ k ] = θ i [ k ] + e i [ k ] , ∀ i ∈ N \ N ( S ) f , (16) where e i [ k ] represents either a corruption or an attack signal injected by a malicious agent. Notice that e i [ k ] ∈ R 2 for all i ∈ N ( S ) f , and e i [ k ] ∈ R for all i ∈ N \ N ( S ) f . Our goal is to reconstruct θ i [ k ] for all i ∈ N and ω i [ k ] for all i ∈ N ( S ) f by using the recei ved measurements. The only assumption concerning the corrupted sensors is the number of sensors that are attacked or corrupted due to failures. W e do not assume the errors e i [ k ] ’ s follow any particular model, i.e., the elements of e i [ k ] can take any value in R . If the sensor at bus i is not attacked and the communication flow from bus i to the central controller is not corrupted, then necessarily the elements of e i [ k ] are zero. A. F ormulation of Secur e State Estimation The microgrid dynamics and po wer flows can be described by the dynamical equations in (1)-(5). W e apply the forward Euler discretization scheme to the continuous-time dynamics in (1)-(5) to obtain a discrete-time approximation, assuming constant discretization step δ . W e begin with the synchronous generators, and use the same approach for in v erter-interfaced power supplies and loads. Synchronous Generators: For each synchronous generator at fictitious bus i ∈ N ( S ) f , we have θ i [ k + 1] = θ i [ k ] + δ ( ω i [ k ] − ω 0 ) , ω i [ k + 1] = α i ω i [ k ] + η i P m i [ k ] + β i + X j ∈N i f ij ( θ i [ k ] , θ j [ k ]) , P m i [ k + 1] = κ i P m i [ k ] + ζ i [ k ] − ν i ( ω i [ k ] +  0 , 1  e i [ k ]) , where f ij ( θ i [ k ] , θ j [ k ]) = γ ij [ k ] sin( θ i [ k ] − θ j [ k ] + φ ij ) , η i = δ / M i , ν i = R i δ /τ i , κ i = (1 − δ /τ i ) , α i = ( M i − δ D i ) /M i , β i = δ D i ω 0 /M i , ζ i [ k ] = δ ( P s i [ k ] + R i ω 0 ) /τ i , γ ij [ k ] = − δV i [ k ] V j [ k ] | y ij | /M i . (17) Notice that ω i, meas [ k ] equals  0 , 1  y i [ k ] which is equal to ( ω i [ k ] +  0 , 1  e i [ k ]) . Using (15)-(16), we hav e f ij ( θ i [ k ] , θ j [ k ]) = γ ij [ k ] sin( θ i [ k ] − θ j [ k ] + φ ij ) = γ ij [ k ] sin( y i [ k ] − e i [ k ] − y j [ k ] + e j [ k ] + φ ij ) = γ s ij [ k ] − γ s ij [ k ] e c ij [ k ] − γ c ij [ k ] e s ij [ k ] , (18) where γ s ij [ k ] = γ ij [ k ] sin( y i [ k ] − y j [ k ] + φ ij ) , γ c ij [ k ] = γ ij [ k ] cos( y i [ k ] − y j [ k ] + φ ij ) , e c ij [ k ] , 1 − cos( e i [ k ] − e j [ k ]) , e s ij [ k ] , sin( e i [ k ] − e j [ k ]) . (19) Notice that the coefficients of γ c ij [ k ] and γ s ij [ k ] can be calculated using the measurement received from the local controllers. Now , the state space model of the synchronous generator at fictitious bus i ∈ N ( S ) f can be represented by x i [ k + 1] = A i x i [ k ] + u i [ k ] −   0 H i [ k ]  i [ k ] 0   − B i e i [ k ] y i [ k ] = C i x i [ k ] + e i [ k ] (20) where the state v ector x i [ k ] =  θ i [ k ] , ω i [ k ] , P m i [ k ]  > , and A i =   1 δ 0 0 α i η i 0 − ν i κ i   , B i =   0 0 0 0 0 ν i   , C i =  1 0 0 0 1 0  , u i [ k ] =  − δ ω 0 , β i + P j ∈N i γ s ij [ k ] , ζ i [ k ]  > ,  i [ k ] =  e c ij 1 [ k ] , · · · , e c ij n ( i ) [ k ] , e s ij 1 [ k ] , · · · , e s ij n ( i ) [ k ]  > , H i [ k ] =  γ s ij 1 [ k ] , · · · , γ s ij n ( i ) [ k ] , γ c ij 1 [ k ] , · · · , γ c ij n ( i ) [ k ]  . Notice that n ( i ) denotes the number of neighbors of node i in graph G ( N , E ) , i.e., n ( i ) = |N i | , and that nodes j 1 , · · · , j n ( i ) represent the neighbors of node i in G ( N , E ) . More precisely , we hav e H i [ k ] ∈ R 1 × 2 n ( i ) and  i [ k ] ∈ R 2 n ( i ) . Next, by using the same approach, we obtain the state space model of in verter - interfaced power supplies and loads. In verter -interfaced Power Supplies: The state space model of the in verter -interfaced power supply at fictitious bus i ∈ N ( I ) f can be described by x i [ k + 1] = x i [ k ] + u i [ k ] − H i [ k ]  i [ k ] , y i [ k ] = x i [ k ] + e i [ k ] , (21) where x i [ k ] = θ i [ k ] and u i [ k ] = δ P s i [ k ] /D i + P j ∈N i γ s ij [ k ] . H i [ k ] and  i [ k ] are defined abov e. Loads: The state space model of the load at bus i ∈ N ( S ) ∪ N ( I ) ∪ N ( L ) can be described by x i [ k + 1] = x i [ k ] + u i [ k ] − H i [ k ]  i [ k ] , y i [ k ] = x i [ k ] + e i [ k ] , (22) where x i [ k ] = θ i [ k ] and u i [ k ] = − δP d i [ k ] /D i + P j ∈N i γ s ij [ k ] . H i [ k ] and  i [ k ] are defined abov e. Consider an enlarged system composed of all the system dynamics: X [ k + 1] = AX [ k ] + U [ k ] − H [ k ]  [ k ] − B E [ k ] , Y [ k ] =      y 1 [ k ] y 2 [ k ] . . . y |N | [ k ]      = C X [ k ] + E [ k ] , (23) where A , blkdiag { A 1 , · · · , A m , I m +2 n + l } ∈ R ( |N | +2 m ) × ( |N | +2 m ) , B , blkdiag { B 1 , · · · , B m , 0 m +2 n + l } ∈ R ( |N | +2 m ) × ( |N | + m ) , C , blkdiag { C 1 , · · · , C m , I m +2 n + l } ∈ R ( |N | + m ) × ( |N | +2 m ) , X [ k ] ,  x 1 [ k ] > , · · · , x |N | [ k ] >  > ∈ R ( |N | +2 m ) , U [ k ] ,  u 1 [ k ] > , · · · , u |N | [ k ] >  > ∈ R ( |N | +2 m ) ,  [ k ] ,   1 [ k ] > , · · · ,  |N | [ k ] >  > ∈ R 2 P i ∈N n ( i ) , E [ k ] ,  e 1 [ k ] > , · · · , e |N | [ k ] >  > ∈ R |N | + m , H [ k ] , blkdiag      0 1 × 2 n (1) H 1 [ k ] 0 1 × 2 n (1)   , · · · ,   0 1 × 2 n ( m ) H m [ k ] 0 1 × 2 n ( m )   , , H m +1 [ k ] , · · · , H |N | [ k ]  ∈ R ( |N | +2 m ) × 2 P i ∈N n ( i ) . Consider K time slots k = 0 , · · · , K − 1 , and collect the measurements corresponding the K time slots in vector Y as follows: Y =        Y [0] Y [1] − C U [0] Y [2] − C AU [0] − C U [1] . . . Y [ K − 1] − C P K − 2 k =0 A K − 2 − k U [ k ]        . (24) Y ∈ R K ( |N | + m ) can be rewritten in the follo wing form: Y = Φ X [0] + Ψ E , (25) where Ψ =  Ψ 1 Ψ 2  with Ψ 1 ∈ R K ( |N | + m ) × K ( |N | + m ) and Ψ 2 ∈ R K ( |N | + m ) × 2 K P i ∈N n ( i ) , and Ψ 1 =        I |N | + m 0 · · · · · · − C B I |N | + m · · · · · · − C AB − C B I |N | + m · · · . . . . . . . . . . . . − C A K − 2 B · · · − C B I |N | + m        , Ψ 2 =       0 0 · · · · · · − C H [0] 0 · · · · · · − C AH [0] − C H [1] 0 · · · . . . . . . . . . . . . − C A K − 2 H [0] · · · − C H [ K − 2] 0       , Φ =  C ; C A ; C A 2 ; · · · ; C A K − 1  , E =  E [0]; · · · ; E [ K − 1];  [0]; · · · ;  [ K − 1]  . The number of columns of the matrix H [ k ] and the number of rows of the column vector  [ k ] can be reduced from 2 P i ∈N n ( i ) to 2 |E | by using the following properties: e c ij [ k ] = 1 − cos( e i [ k ] − e j [ k ]) = e c j i [ k ] , e s ij [ k ] = sin( e i [ k ] − e j [ k ]) = − e s j i [ k ] . (26) Notice that we have γ ij [ k ] = γ j i [ k ] and φ ij = φ j i . Hence, the dimension of Ψ 2 and E can also be reduced as follo ws: dim(Ψ 2 ) → K ( |N | + m ) × 2 K |E | , dim( E ) → K ( |N | + m + 2 |E | ) . (27) W e now choose Ω ∈ R ( K |N |− 2 |N | ) × K ( |N | + m ) which annihi- lates Φ , i.e., ΩΦ = 0 . W e then ha ve: e Y = Ω Y = Ω e Ψ e E , (28) where e Ψ and e E are the reduced Ψ and E . In error correction, accurate decoding can be guaranteed if the coding matrix (i.e., Ω ˜ Φ ) satisfies the Restricted Isometric Properties (RIP), which is often achieved by randomly choos- ing a coding matrix a priori . In [23], Theorem 1 provides a sufficient condition for perfect recovery of the system states against sensor attack and describes estimator design by using a state feedback controller . Ho wever , in the current setting, since there is a limitation to manipulate the coding matrix, we combine our secure estimator with a Kalman Filter (KF) to improv e its practical performance. Since KF filters out both occasional estimation errors by the secure estimator and noisy measurement, a secure estimation based Kalman Filter improv es practical performance [23]. Next, we numerically demonstrate the effecti veness of the proposed estimators. I V . N U M E R I C A L R E S U LT S W e consider an A C microgrid consisting of m = 3 synchronous generators, n = 25 in verter -interfaced power supplies, and l = 5 load buses. The microgrid topology is shown in Fig. 2, a modified IEEE 33-bus distribution system from [47]. Notice that in the augmented network, the number of buses is 61. The synchronous generator buses are buses N ( S ) = { 3 , 6 , 9 } , the load buses without generation are buses N ( L ) = { 1 , 2 , 14 , 22 , 25 } , and the in verter -interfaced power supply buses are N ( I ) = { 1 , · · · , 33 } \ ( N ( L ) ∪ S ( L ) ) . Further , we consider the fictitious buses for the synchronous generators to be buses 34,35, and 36, and the fictitious buses for the inv erter-interfaced power supplies to be buses 37 to 61. The buses are connected via a set of electrical transmission lines. The microgird is connected to the grid via the tie-line connected to bus one. W e take the turbine time constants to be τ i = 5 s, the generator damping coefficients to be D i = 2 , the inertia constants to be M i = 10 , and the droop coefficients to be R i = 9 . 5 for all i ∈ N ( S ) . W e further select the in verter - interfaced power supply droop coefficients to be D i = 0 . 7 for all i ∈ N ( I ) , and the constant frequency coefficients of the loads to be D i = 0 . 1 for all i ∈ N ( L ) . W e simulate the system for t = 20 seconds with a dis- cretization step of δ = 1 / 60 seconds. W e select the nominal loads P d i ’ s randomly from the interval [0 , 0 . 5] pu, and select the generation set-points P s i ’ s such that the system is balanced. Notice that computing the activ e power set-points P s i ’ s is not the subject of this study . Therefore, we only need to select the values of P s i ’ s such that the demand and supply are balanced. W e further ignore reacti ve powers for synchronous generators, in verter -interfaced power supplies, and loads as they are un- necessary for the analysis presented in this study . W ithout loss of generality , we assume that voltage magnitudes V i [ k ] ’ s are constant and equal to 1 pu for all k and i = 1 , · · · , 33 . W e demonstrate the effecti veness of our secure state estima- tion method through simulations of the two types of attacks: 1) T ype A: attacks targeted at synchronous generators, i.e., measurements y i [ k ] ’ s, where i ∈ N ( S ) ∪ N ( S ) f , are corrupted. 2) T ype B: attacks targeted at in verter-interf aced power sup- plies, i.e., measurements y i [ k ] ’ s, where i ∈ N ( I ) ∪ N ( I ) f , are corrupted. For each of these attack types, we simulate three scenarios: 1) Scenario 1: There is no cyber attack on the microgrid. 2) Scenario 2: The microgrid is under cyber attack, and it is not protected by any secure state estimation. 3) Scenario 3: The microgrid is under cyber attack, and it is protected by the proposed secure state estimation. A. Attack T ype A: Synchr onous Generator Attacks The microgrid operator measures rotor angle from the three synchronous generator buses, and rotor angle and speed from the three fictitious synchronous generator buses. Hence, the operator has access to nine measurements that are subject to cyber attacks. W e assume that from t = 1 . 1 seconds onwards, the attacker randomly chooses a set of five measurements out of the nine measurements and corrupts them with random signals at each time step. Fig. 3 shows the simulation results for the three scenarios: 1) there is no attack (No Attack), 2) 1 2 34 56 7 8 9 1 0 11 12 13 14 15 16 17 18 19 22 21 20 23 24 25 26 27 28 29 30 31 32 33 Fig. 2. An A C microgrid comprising m = 3 synchronous generators, n = 25 in verter-interfaced power supplies, and l = 5 load buses. Fig. 3. Phase angles and rotor speeds of the synchronous generators under attack T ype A in the three scenarios. the microgrid system is under attack and there is no secure estimation (SE), and 3) the microgrid is under attack and the microgrid operator uses SE. Notice that in Fig. 3, we only show phase angles and rotor speeds of the three fictitious synchronous generator buses. In the microgrid without cyber attacks, the rotor speeds con- ver ge to 60 Hz after an initial transient period. As mentioned earlier , in Scenario 2, no secure estimation-based protection is implemented while the micor grid operator uses the proposed secure state estimation to protect the system against cyber attacks in Scenario 3. Therefore, when the system is under cyber attack, both rotor angles and speeds cannot be estimated correctly in Scenario 2, as shown in Fig. 3. Howe ver , the operator can perfectly estimate both rotor angles and speeds in Scenario 3. Fig. 4 shows the attack signal, secure estimator’ s estimated attack signal, and the estimation error . The results show that the secure estimator correctly estimates the attack signal throughout the simulation. Hence, the system’ s dynam- ics are identical to the system without an y attacks. B. Attack T ype B: Inverter -interfaced P ower Supply Attac ks The microgrid operator measures phase angles from the in verter -interfaced po wer supply buses. Hence, the operator has access to 50 measurements that are subject to cyber attack: 25 correspond to phase angle measurements of the in verter- interfaced power supply buses and 25 correspond to the phase angle measurements of the corresponding fictitious buses. W e assume that from t = 1 . 1 seconds onwards, the attacker randomly chooses a set of fi ve measurements out of the 50 Fig. 4. T rue and estimated attack signals: The rows and columns correspond to measurements and time steps, respectively . In the subfigures, the color indicates the attack signal: red is a positiv e attack, green is a negati ve attack, and black is no attack. Only measurements of the synchronous generators buses and their corresponding fictitious buses are corrupted by the attack. Notice that measurements 1 to 6 correspond to rotor angle and speed measurements from the fictitious synchronous generator buses, and measurements 34, 37 and 40 correspond to phase angle measurements from the synchronous generator buses. In subfigure “Estimation Error”, the black color indicates there is zero estimation error for all measurements at all times. Fig. 5. Phase angles and rotor speeds of the synchronous generators under attack T ype B in the three scenarios. measurements and corrupts them with random signals at each time step. The simulation results are shown in Fig. 5 and Fig. 6. The results show that both phase angles and rotor speeds are severely affected when the system is under attack and no secure estimation-based protection is implemented. Howe ver , the microgrid operator can perfectly recover the attack signals and restore the system’ s normal dynamics as if there was no attack when secure state estimation is used. V . C O N C L U S I O N W e propose a secure state estimator for dynamic state estimation in AC microgrids under cyber physical attacks. W e show that the microgrid operator can perfectly estimate the dynamic states in its A C microgrid using our estimator . R E F E R E N C E S [1] R. Lasseter, “MicroGrids, ” in IEEE P ower Engineering Society Winter Meeting , vol. 1, pp. 305--308, 2002. [2] N. Hatziagyriou, H. Asano, R. Iravani, and C. Marnay , “Microgrids, ” IEEE P ower and Ener gy Magazine , vol. 5, no. 4, pp. 78–94, 2007. Fig. 6. T rue and estimated attack signals: The rows and columns correspond to measurements and time steps, respectively . In the subfigures, the color indicates the attack signal: red is a positiv e attack, green is a negati ve attack, and black is no attack. Only measurements of the inverter -interfaced power supply b uses and their corresponding fictitious buses are corrupted by the attack. In subfigure “Estimation Error”, the black color indicates there is zero estimation error for all measurements at all times. [3] M. Ili ´ c and S. Liu, Hierar chical P ower Systems Control: Its V alue in a Changing Industry . Springer, 1996. [4] P . Kundur , et al. , “Definition and classification of power system stability IEEE/CIGRE joint task force on stability terms and definitions, ” IEEE T rans. on P ower Systems , vol. 19, no. 3, pp. 1387–1401, Aug. 2004. [5] F . C. Schweppe and J. Wildes, “Power System Static-State Estimation, Part I: Exact Model, ” IEEE Tr ans. on P ower Apparatus and Systems , vol. P AS-89, no. 1, pp. 120–125, Jan. 1970. [6] A. Abur and A. G. Exp ´ osito, P ower System State Estimation: Theory and Application . Marcel Dekker, Inc., 2004. [7] J. Zhao, et al. , “Power System Dynamic State Estimation: Motivations, Definitions, Methodologies and Future W ork, ” IEEE T rans. on P ower Systems , 2019. [8] H. Modir and R. A. Schlueter, “ A Dynamic State Estimator for Dynamic Security Assessment, ” IEEE T rans. on P ower Apparatus and Systems , vol. P AS-100, no. 11, pp. 4644–4652, Nov . 1981. [9] A. P . S. Meliopoulos, et al. , “Dynamic State Estimation-Based Protec- tion: Status and Promise, ” IEEE Tr ans. on P ower Delivery , vol. 32, no. 1, pp. 320–330, Feb. 2017. [10] F . Pasqualetti, A. Bicchi, and F . Bullo, “Consensus computation in unreliable networks: A system theoretic approach, ” IEEE Tr ans. Autom. Contr ol , vol. 57, no. 1, pp. 90–104, Jan. 2012. [11] F . Pasqualetti, F . Dorfler, and F . Bullo, “ Attack detection and identifica- tion in cyber -physical systems, ” IEEE T rans. Autom. Contr ol , vol. 58, no. 11, pp. 2715–2729, Nov . 2013. [12] K. Manandhar, X. Cao, F . Hu, and Y . Liu, “Detection of faults and attacks including false data injection attack in smart grid using kalman filter , ” IEEE T rans. Contr ol Netw . Syst. , vol. 1, no. 4, pp. 370–379, 2014. [13] S. Bi, and Y . J. Zhang, “Graphical methods for defense against false- data injection attacks on power system state estimation, ” IEEE T rans. Smart Grid , vol. 5, no. 3, pp. 1216–1227, May 2014. [14] L. Liu, M. Esmalifalak, Q. Ding, V . A. Emesih, and Z. Han, “Detecting false data injection attacks on power grid by sparse optimization, ” IEEE T rans. Smart Grid , vol. 5, no. 2, pp. 612–621, March 2014. [15] Y . Mo, R. Chabukswar , and B. Sinopoli, “Detecting integrity attacks on scada systems, ” IEEE T rans. Contr ol Syst. T echnol. , vol. 22, no. 4, pp. 1396–1407, July 2014. [16] T . Alpcan, and T . Basar, “ A game theoretic approach to decision and analysis in network intrusion detection, ” in Pr oc. 42nd IEEE Confer ence on Decision and Control , vol. 3, Dec 2003, pp. 2595–2600. [17] P . Srikantha and D. Kundur, “ A DER attack-mitigation differential game for smart grid security analysis, ” IEEE T rans. Smart Grid , vol. 7, no. 3, pp. 1476–1485, May 2016. [18] M. Basseville, I. V . Nikiforov et al. , Detection of abrupt changes: theory and application . Prentice Hall Englewood Cliffs, 1993, vol. 104. [19] Q. Jiao, H. Modares, F . L. Lewis, S. Xu, and L. Xie, “Distributed ` 2 -gain output-feedback control of homogeneous and heterogeneous systems, ” Automatica , vol. 71, pp. 361–368, 2016. [20] S. Abhinav , H. Modares, F . L. Lewis, F . Ferrese, and A. Dav oudi, “Synchrony in Networked Microgrids Under Attacks, ” IEEE T rans. on Smart Grid , vol. 9, no. 6, pp. 6731–6741, Nov . 2018. [21] H. Fawzi, P . T abuada, and S. Diggavi, “Secure estimation and control for cyber-physical systems under adversarial attacks, ” IEEE T rans. on Automatic Contr ol , vol. 59, no. 6, pp. 1454–1467, June 2014. [22] Y . Shoukry and P . T abuada, “Event-T riggered State Observers for Sparse Sensor Noise/Attacks, ” IEEE T rans. on Automatic Contr ol , no. 99, pp. 1–13, 2015. [23] Y . H. Chang, Q. Hu, and C. J. T omlin, “Secure estimation based Kalman Filter for cyber physical systems against sensor attacks, ” Automatica , 95, pp.399-412, Sep. 2018. [24] Q. Hu, D. Fooladiv anda, Y . H. Chang, and C. J. T omlin, “Secure State Estimation and Control for Cyber Security of the Nonlinear Po wer Systems, ” IEEE T rans. on Contr ol of Network Systems , vol. 5, no. 3, pp. 1310–1321, Sept. 2018. [25] Y . Shoukry , P . Nuzzo, A. Puggelli, A. L. Sangiovanni-V incentelli, S. A. Seshia, and P . T abuada, “Secure state estimation for cyber physical systems under sensor attacks: a satisfiability modulo theory approach, ” arXiv pre-print, Dec. 2014. [26] M. Pajic, J. W eimer, N. Bezzo, P . T abuada, O. Sokolsky , I. Lee, and G. Pappas, “Robustness of attack-resilient state estimators, ” in ACM/IEEE International Conference on Cyber-Physical Systems (ICCPS) , 2014. [27] S. Farahmand, G. B. Giannakis, and D. Angelosante, “Doubly robust smoothing of dynamical processes via outlier sparsity constraints, ” IEEE T rans. on Signal Pr ocessing , vol. 59, no. 10, pp. 4529-4543, Oct. 2011. [28] X. Zhang, J. Chen, and C. W ang, “Stability analysis of islanded micro- grids with dynamic loads, ” in Proc. IEEE 14th International Conference on Control, Automation, Robotics, and V ision , pp. 1-6, 2016. [29] A. Haddadi, A. Y azdani, G. Joos, and B. Boulet, “ A Generic load model for simulation studies of microgrids, ” in Proc. IEEE P ower & Energy Society General Meeting , pp. 1-5, 2013. [30] M. Y azdanian, and A. Mehrizi-Sani, “Distributed Control T echniques in Microgrids, ” in IEEE T rans. on Smart Grid , vol. 5, no. 6, pp. 2901–2909, Nov . 2014. [31] A. Hooshyar , and R. Irav ani, “Microgrid Protection, ” in Pr oc. of the IEEE , vol. 105, no. 7, pp. 1332–1353, July 2017. [32] S. Liu, B. Chen, T . Zourntos, D. Kundur , and K. Butler-Purry , “ A Coordinated Multi-Switch Attack for Cascading Failures in Smart Grid, ” IEEE Tr ans. on Smart Grid , vol. 5, no. 3, pp. 1183–1195, May 2014. [33] A. R. Bergen, and D. J. Hill, “ A structure preserving model for power system stability analysis, ” P ower Apparatus and Systems, IEEE T ransactions on , no. 1, pp. 25–35, 1981. [34] P . W . Sauer and M. A. Pai, P ower System Dynamics and Stability . Upper Saddle River , NJ, USA: Prentice-Hall, 1998. [35] A vailable at http://www .nerc.com/pa/Stand/Pages/CIPStandards.aspx [36] E. Candes, J. Romberg, and T . T ao, “Stable Signal Reco very from Incomplete and Inaccurate Measurements, ” Communications on pure and applied mathematics, vol. 59, no. 8, pp. 1207–1223, 2006. [37] D. Hayden, Y . H. Chang, J. Goncalves, and C. T omlin, “Sparse network identifiability via Compressed Sensing, ” Automatica , vol. 68, pp. 9–17, Jun. 2016. [38] E. J. Candes, and T . T ao, “Decoding by linear programming, ” IEEE T rans. on Info. Theory , vol. 51, no. 12, pp. 4203–4215, Dec. 2005. [39] D. L. Donoho, and M. Elad, “Optimally sparse representation in general (nonorthogonal) dictionaries via l 1 minimization, ” in Proc. National Academy of Sciences , pp. 2197–2202, 2003. [40] M. Elad, and A. M. Bruckstein, “ A generalized uncertainty principle and sparse representation in pairs of bases, ” IEEE T rans. on Information Theory , vol. 48, no. 9, pp. 2558–2567, 2002. [41] R. Gribonv al, and M. Nielsen, “Sparse representations in unions of bases, ” IEEE T rans. on Information Theory , vol. 49, no. 12, pp. 3320– 3325, 2003. [42] J.A. T ropp, “Greed is good: algorithmic results for sparse approxima- tion, ” IEEE T rans. on Information Theory , vol. 50, no. 10, pp. 2231– 2242, 2004. [43] P . Tripathy , S. C. Sriv astava, and S. N. Singh, “ A Divide-by-Difference- Filter Based Algorithm for Estimation of Generator Rotor Angle Uti- lizing Synchrophasor Measurements, ” in IEEE T ransactions on Instru- mentation and Measur ement , vol. 59, no. 6, pp. 1562–1570, June 2010. [44] G. K. V enayagamoorthy , and R. G. Harley , “MLP/RBF neural- networkbased online global model identification of synchronous gen- erator , ” IEEE T rans. Ind. Electron. , vol. 52, no. 6, pp. 1685–1695, Dec. 2005. [45] A. D. Angel, P . Geurts, D. Ernst, M. G. Glavic, and L. W ehenkel, “Estimation of rotor angles of synchronous machines using artificial neural networks and local PMU-based quantities, ” Int. J. Neur ocomput. , vol. 70, no. 16–18, pp. 2668–2678, Oct. 2007. [46] V . V enkatasubramanian, and R. G. Kav asseri, “Direct computation of generator internal states from terminal measurements, ” in Pr oc. 37th Annu. Hawaii Int. Conf. Syst. Sci. , 2004. [47] M. E. Baran, and F . F . W u, “Network reconfiguration in distrib ution systems for loss reduction and load balancing, ” in IEEE T ransactions on P ower Delivery , vol. 4, no. 2, pp. 1401–1407, Apr 1989.