=Paper=
{{Paper
|id=Vol-3887/paper4
|storemode=property
|title=Cyber Attacks Simulation for Modern Energy Facilities
|pdfUrl=https://ceur-ws.org/Vol-3887/paper4.pdf
|volume=Vol-3887
|authors=Oleksii Novikov,Mariia Shreider,Iryna Stopochkina,Mykola Ilin
|dblpUrl=https://dblp.org/rec/conf/its2/NovikovSSI23
}}
==Cyber Attacks Simulation for Modern Energy Facilities==
Oleksii Novikov, Mariia Shreider, Iryna Stopochkina and Mykola Ilin
National Technical University of Ukraine "Igor Sikorsky KPI", Beresteiskyi Ave, 37, Kyiv, 03056, Ukraine
Abstract
This work extends the toolkit for simulating cyber attacks on energy facilities. The paper examines models of typical attacks on energy systems, specifically accounting for an attacker's ability to distort control system signals, manipulate control measurements, and alter measurement signals related to the state of the facility. A threat model for a critical infrastructure energy facility is proposed that maps each attack to attack techniques. The approach expresses integrity-breaking attacks as functions of unknown parameters. Criteria are introduced that enable parametric identification of integrity-compromising attack parameters from measurement data and constraints on process behavior. Stability conditions for a typical automatic generation control system under cyber attack are analyzed. An algorithm for identifying attack parameters is proposed. Computer simulations of facility processes under various attack types were conducted, appropriate software was developed, and conclusions were drawn regarding the impact of attacks on facility resilience.
Keywords
energy facilities, cybersecurity attacks, FDI attacks, models, resilience
1. Introduction
The AGC (Automatic Generation Control) system depends heavily on open communication infrastructure such as SCADA, which improves its operational efficiency and responsiveness but at the same time makes it more vulnerable to cyber attacks. Network technologies bring many advantages, but their defects (insufficient security, outdated protocols and software, and weak authentication mechanisms) create new opportunities for attackers. The vulnerable points of the system are therefore the inputs and outputs of the control center, that is, the communication channels through which data is transmitted [1].
Due to the need for rapid operation, the system does not employ complex algorithms for verifying
and evaluating measurement data. Attackers can exploit this to manipulate data without sophisticated
calculations. By knowing certain characteristics, an adversary can identify other unknown
parameters of the system. In this paper, we demonstrate how this can be done, based on principles
described in [2, 3].
Moreover, high coordination between interconnected control zones enhances productivity but
also means that a sufficiently powerful cyberattack on one zone can adversely impact the entire
power system.
Cyber attacks on energy supply facilities amplify and deepen the effects of physical attacks for
maximum destructive impact. Understanding the limits of resilience to cyber influences is crucial in
developing effective protective mechanisms and preventive measures. However, existing research [4-
7] provides insufficient attention to the assessment of attack features or parameters.
The cyber vulnerabilities of AGC systems stem from data transfer mechanisms and protocol weaknesses. A taxonomy of these attacks was proposed in [8-10]. Paper [11] provides a detailed description of existing attack types on the advanced metering infrastructure of smart grids, covering both IT (Information Technology) and OT (Operational Technology) systems. We consider the entire AGC cyber-physical system, with particular emphasis on its OT features, and classify these attacks in terms of the knowledge about cyber-physical system parameters that they require.

ITS-2023: Information Technologies and Security, November 30, 2023, Kyiv, Ukraine
o.novikov@kpi.ua (O. Novikov); marshr-ipt23@lll.kpi.ua (M. Shreider); i.stopochkina@kpi.ua (I. Stopochkina); m.ilin@kpi.ua (M. Ilin)
ORCID: 0000-0001-5988-3352 (O. Novikov); 0009-0006-8621-5521 (M. Shreider); 0000-0002-0346-0390 (I. Stopochkina); 0000-0002-1065-6500 (M. Ilin)
© 2023 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (ceur-ws.org), ISSN 1613-0073
The main classes of cyber threats to the AGC system of an energy facility are:
1. DoS (Denial of Service), DDoS (Distributed Denial of Service), and time delay attacks
(targeting availability) [4, 5].
2. Replay attacks (targeting integrity) [6].
3. FDI (false data injection) and covert attacks (targeting integrity) [6,7].
In wartime, these cyber attacks are often combined with physical attacks on critical infrastructure
facilities [12]. Developing algorithms for calculating attack parameters remains a crucial task for
understanding the resilience limits of the facility and for investigating cyber incidents.
The findings of this work will contribute to more accurately fulfilling the guidelines of document
[13] regarding the identification of adversary tactics, techniques, and procedures used to circumvent
controls, along with other cybersecurity objectives.
2. Cyber attack models in AGC systems
Paper [1] examines a two-area power system and its dynamic model equations, demonstrating system
behavior under abnormal conditions and analyzing the types of attacks that can disrupt the power
system.
In paper [4], a dynamic model of a single-area load-frequency control (LFC) system is presented,
focusing on the principles of sustainable operation. The study addresses time-delay attacks and DoS
(Denial of Service) attacks, providing equations for the main system components under DoS attack
conditions.
Paper [5] expands on DoS attacks by exploring data integrity attacks as well. It proposes a multi-
area scheme with a control center, presenting detailed LFC equations and describing the main types
of attacks.
Paper [6] discusses power grid control strategies, with particular emphasis on time-delay threats
and replay attacks. The authors derive stability bounds for systems subjected to these attacks.
In paper [7], a different class of cyber attacks is explored: robust stealth covert attacks. The study
includes a simulation example and uses a mathematical approach to calculate attack parameters for
adversaries.
Paper [8] addresses cyber-physical reliability using game theory, incorporating probability factors
into the calculations.
Paper [9] focuses on technical aspects of cyber attacks, reviewing examples, countermeasures, and
a taxonomy of attack types. A section is dedicated to the use of machine learning algorithms for attack
detection.
In paper [11], a detailed taxonomy of IT (Information Technology), OT (Operational Technology),
and AMI (Advanced Metering Infrastructure) attacks is provided, along with an overview of papers
that propose approaches to counter these attacks.
Paper [12] examines DoS and DDoS models, emphasizing that these attacks may have different
impacts when combined with physical attacks by adversaries during wartime.
Simulation models of cascading effects in power grids under cyber attack are discussed in paper
[14].
Paper [15] investigates various attack strategies, mathematical models, and methods for assessing
system vulnerabilities.
The authors of paper [16] delve into the interconnected AGC systems and existing frequency
deviations, advancing the study in this area.
Existing research reveals a gap in deterministic, control-theoretic mathematical approaches that not only identify stability bounds but also recover unknown attack parameters. The current work aims to address this gap by developing such an algorithm.
Paper [13] provides guidelines and compliance directions for reporting cyber incidents in critical
infrastructure. This document offers guidance that could be reinforced by mathematical analyses and
studies, particularly in the field of restoring attack parameters. The findings of the current study could
provide the necessary numerical data for addressing these challenges.
3. Cyber threats to the AGC system
Let us examine the structural features of the AGC (Automatic Generation Control) system that make it susceptible to attacks. The AGC system operates within a communications infrastructure that carries data between control centers and control zones. Sensor measurement data is sent to the control center, where an error signal is generated and then transmitted back to the control area. The local controller subsequently calculates the power control signal.
Real-time data collection can be achieved through remote terminal units (RTUs) or intelligent
electronic devices (IEDs) positioned at critical locations (such as power stations and substations)
within the control zone.
The SCADA (Supervisory Control and Data Acquisition) system collects and aggregates this data
and relays it to the control center via communication channels using various protocols, such as DNP3
(Distributed Network Protocol), IEC 61850, and IEC 60870-5-104. Similarly, signals from the control
center are transmitted back to the control zone. A general diagram of a single-area power zone under
DDoS attack conditions is presented in [15], with specific points highlighted where other types of
attacks (particularly FDI attacks) could be applied (Fig. 1).
Figure 1: AGC system with external communications. Arrows (1), (2), (3), (4), and (5) indicate points where a cyberattack can be applied. Potential targets include the communication network (1) and (3), internal communication lines (5), the AGC control center (2), and the programmable logic controller (4). An adversary could impact the measurements (5), the control signals $u(t)$, and the system state $x(t)$.
Let us compile a list of common attacks on the AGC system, linking specific attack types to technique classes from the MITRE ATT&CK® Matrix for ICS, as shown in Table 1. In Table 1, CIA refers to confidentiality, integrity, and availability, respectively.
Table 1
Energy facility cyber attacks
{| class="wikitable"
! Attack, technique ID !! Affected (CIA) !! Description !! Attack preconditions !! Information gathering !! Target !! Subsystem
|-
| DoS (T0814) || A || Data flood of the internal network and services || Partial knowledge about software, hardware versions, open interfaces || none || Channels for measurements and commands, system services || IT, OT, AMI
|-
| DDoS (T0814) || A || DoS from multiple sources || Partial knowledge about software, hardware versions, open interfaces || none || Channels for measurements and commands, system services || IT, AMI, OT
|-
| FDI (T0836, T0868, T0830) || IA || False data injection || Knowledge of normal-mode features and anomaly ranges || System reactions and measurements || Measurement transmission channels || OT, IT, AMI
|-
| Replay (T0856, T0830) || CIA || Replaying real data || Partial knowledge about protocol timelines || Sensors and signals || Measurement data and control signal transmission channels || OT, AMI
|-
| Covert (T0836, T0868, T0830) || IA || Hidden attack || Full knowledge of the system || Sensor and actuator data || Channels for measurements and commands || OT
|-
| Time delays (T0814, T0830) || A || Introducing time delays || Partial knowledge about protocol timelines || none || Channels for measurements, control signals, and commands || OT, AMI
|-
| Physical attacks (T0879) || CIA || Destroying infrastructure, intercepting control via biometric features, controlling locks and other physical objects || Partial knowledge about the system || Gathering all the data using social engineering, geolocation detection || Physical parts of the critical infrastructure facility || OT, IT, AMI
|-
| Spoofing (T0856, T0830) || CI || Identity spoofing due to lack of authentication || Knowledge of network protocols, access to transmitted data || none || IoT devices, PLCs, control center, network objects || IT, OT, AMI
|-
| Sniffing (T0842, T0887, T0801, T0830) || C || Access to data transfer nodes to sniff || Access to the network channels || Obtaining any usable data for further intrusion || Network channels || IT, AMI
|-
| TSA (time synchronization attack) (T0868) || IA || Synchronizing signal delay (replaying signals) || Knowledge about protocol peculiarities || Obtaining local time on the target object || Signal transmission channels || OT
|-
| Malware (TA0108, TA0104, TA0110, TA0111, TA0103, TA0102, TA0109, TA0100, TA0101, TA0107, TA0106, TA0105) || CIA || Taking control of controllers and other cyber-physical elements, or of the software of the critical infrastructure facility; can realize all types of the techniques above || Full knowledge of the object architecture and partial knowledge of system vulnerabilities || Keylogging and gathering all accessible data || Software and hardware of the critical infrastructure facility || IT, OT, AMI
|}
4. AGC mathematical models
In this section, we present generalized mathematical models in state space, building on previous
works [5,6]. The primary vectors under consideration include malicious intrusion into the system
state via control parameters and measurement parameters (see Fig. 1). We then focus on the FDI (False
Data Injection) class of attacks and develop an algorithm to identify attack parameters under certain
assumptions. Additionally, we discuss the adversary's potential extended knowledge of the system.
4.1. Initial undisturbed system model
We consider an initial undisturbed system with control, described in state space by
$$\dot{x}(t) = A x(t) + k B u(t) + F, \qquad (1)$$
where $x$ is the system state, $u$ is the control, $F$ is the source function (energy supply from/to neighboring zones), and $k$ is a parameter of control influence intensity.

Note that in the general description the state vector $x(t)$ can contain the components of frequency deviation $\Delta f$ and of the regulator, turbine, and tie-line power deviations, as proposed in [6]. Here, however, we consider scalar values.

If the control depends on the measurements $y$,
$$u(t) = -C_u\, y(t),$$
where the measurements depend on the state,
$$y(t) = C_y\, x(t),$$
then
$$\dot{x}(t) = (A - k B_1)\, x(t) + F, \qquad (2)$$
where
$$B_1 = B C_u C_y.$$
For stability, the matrix $A - kB_1$ has to be negative definite or at least non-positive definite. This depends on the eigenvalues $\lambda$ of this matrix, which are defined by the equation $\det(A - kB_1 - \lambda I) = 0$. Suppose that $A - kB_1$ is negative definite for sufficiently large $k$. Then the necessary condition that this property becomes invalid at some $k^*$, i.e., that the largest eigenvalue changes its sign, $\lambda(k^*) = 0$, is
$$\det(A - k^* B_1) = 0. \qquad (3)$$
This can be used to find the critical value $k^*$. Since $A - kB_1$ is in general not symmetric, the stability requirement proper is that all its eigenvalues have negative real parts (a Hurwitz matrix); condition (3) captures a real eigenvalue crossing zero and is necessary but not sufficient, because a complex pair of eigenvalues can cross the imaginary axis while the determinant keeps its sign. In the scalar case considered here the two conditions coincide.
4.2. Attack on system measurements and determination of instability conditions
Let $\delta(t)$ be the distortion introduced into the measurements by an attacker. The measurements are then
$$y(t) = C_y x(t) + \delta(t),$$
so that
$$u(t) = -C_u y(t) = -C_u\bigl(C_y x(t) + \delta(t)\bigr) = -C_u C_y x(t) - C_u\,\delta(t).$$
Thus, equation (1) takes the form
$$\dot{x}(t) = \bigl(A - kB_1 - kB_2\,\delta(t)\bigr)\,x(t) + F, \qquad (4)$$
where
$$B_2 = B C_u.$$
If $x(t)$ is known, identifying the attacker's intervention $\delta(t)$ becomes a standard fitting problem. Otherwise, $x(t)$ must be determined simultaneously with $\delta(t)$ from the known $y(t)$.

The problem can be simplified if the reference (etalon) values $x^*(t)$, $y^*(t)$ are known, which allows us to eliminate $F$. Denoting $D \equiv A - kB_1$ and $D_1 \equiv -kBC_u$, we have
$$z(t) \equiv x(t) - x^*(t);$$
$$\dot{z}(t) = D z(t) + D_1\,\delta(t)\,x(t);$$
$$\delta(t) = y(t) - C_y\bigl(x^*(t) + z(t)\bigr). \qquad (5)$$
From here,
$$\dot{z}(t) = D z(t) + D_1\bigl\{y(t) - C_y\bigl[x^*(t) + z(t)\bigr]\bigr\}\bigl[x^*(t) + z(t)\bigr], \qquad (6)$$
or
$$\dot{z}(t) = D z(t) + g(t) + D_1\bigl\{y(t) - C_y\bigl[x^*(t) + z(t)\bigr]\bigr\}\,z(t), \qquad (7)$$
where
$$g(t) = D_1\bigl\{y(t) - C_y x^*(t)\bigr\}\,x^*(t).$$
Assuming the effect of the disturbances is small, successive approximations can be applied to equation (6). For the zero approximation we set
$$\delta(t) = 0, \qquad z(t) = 0.$$
In the first approximation we neglect the term quadratic in $z$:
$$\dot{z}(t) = D z(t) + g(t) + D_1\bigl\{y(t) - C_y x^*(t)\bigr\}\,z(t),$$
that is,
$$\dot{z}(t) = D_2\, z(t) + g(t), \qquad (8)$$
where
$$D_2 = D + D_1\bigl\{y(t) - C_y x^*(t)\bigr\}.$$
Assuming
$$z(0) = 0,$$
we can find $z^{(1)}(t)$ by numerically solving this linear equation.

Given a set of measurements
$$y^*(t) = C_y x^*(t),$$
which characterizes the normal process flow (the solution of equation (2), or of (4) with $\delta(t) \equiv 0$), we assume the adversary aims to maximize damage, driving the state away from $x^*(t)$ until it becomes unstable. The control problem for critical infrastructure systems is to prevent such scenarios through control measures and by comparing $y(t)$ with $y^*(t)$.

To detect intrusions caused by additional adversarial distortions, an additional criterion can be added to the measurement system to identify deviations from the normal process flow (e.g., electricity supply):
$$J(y) = \int \bigl(y(t) - y^*(t)\bigr)^2\,dt \to \min.$$
Let $\mathcal{E}$ be a threshold such that
$$J(y) \ge \mathcal{E}$$
signals abnormal system behavior. For discrete measurements,
$$J = \sum_i \bigl(y(t_i) - y^*(t_i)\bigr)^2 \to \min. \qquad (9)$$
Next, let us determine the $\delta(t)$ that leads to system instability. Such a problem arises in cyber incident investigation, especially when trying to uncover adversarial actions aimed at destabilizing the system. We can use
$$\det\bigl(D + D_1\,\delta(t)\bigr) = 0, \qquad (10)$$
where, as above,
$$D \equiv A - kB_1, \qquad D_1 \equiv -kBC_u.$$
This allows us to determine $\delta(t)$.

In equation (8) the term $y(t) - C_y x^*(t)$ is small, because the distortions introduced by the adversary are minor, and can be neglected in the first approximation. Thus, from (8) we can write
$$z^{(1)}(t) \approx \int_0^t e^{D(t-\tau)}\,g(\tau)\,d\tau;$$
$$\delta(t) \approx y(t) - C_y\Bigl[x^*(t) + \int_0^t e^{D(t-\tau)}\,g(\tau)\,d\tau\Bigr].$$
In the next approximation, $z^{(1)}(t)$ is substituted into the last term of (7).

As Table 1 shows, some attacks require knowledge of system functioning and parameters. Using the principles of parametric identification outlined above, and having access to measurement data, an adversary can infer unknown parameters (e.g., $A$, $k$, or $B$ in (1)). Thus, intercepting measurement information may enable more dangerous attacks, such as covert attacks.
4.3. Attack on system state and parameter identification
Let us consider a typical attack on the system state that involves false data injection (FDI) by manipulating the system control parameters. In FDI attacks, a scaling parameter $\xi$ is used to alter the control [5], allowing the adversary to influence system regulation.

Under attack, system (1) takes the form
$$\dot{x}(t) = A x(t) + kB u(t) + \xi\, u(t) + F, \qquad (11)$$
$$u(t) = -C_u y(t), \qquad y(t) = C_y x(t).$$
Rewriting the state equation, we have
$$\dot{x}(t) = (A - kA_1)\, x(t) + \xi\, u(t) + F,$$
where
$$A_1 \equiv B C_u C_y.$$
Let us rewrite the state equation in the form
$$\dot{x}(t) = M x(t) + F,$$
where
$$M \equiv A - kA_1 - \xi\, C_u C_y.$$
From the condition
$$\det M = 0, \qquad (12)$$
we can obtain the critical value of $\xi$ that leads to system instability (as with (3), this is the condition for a real eigenvalue of $M$ to cross zero; for a non-scalar state it should be accompanied by a check of the eigenvalue real parts).
To illustrate the process of restoring the attack parameters of a cyber incident, let us consider the generalized case of system (11):
$$\dot{x}(t) = A x(t) + B(\xi)\, u(t) + F; \qquad (13)$$
$$x(0) = x_0, \qquad (14)$$
where $x$ represents the system state, $u$ is the control function, $F$ is the source function, and $\xi$ describes the intensity of the adversary's intrusion. The dependence of $B$ on $\xi$ is assumed to be known.

Suppose the adversary's goal is defined by the criterion (15) under conditions (13), where $p(t)$, $q(t)$ are given weight functions, $x_T(t)$ represents the process state boundaries, and $u_T(t)$ is the desired control target of the adversary. We assume that $x_T(t)$ and $u_T(t)$ are known:
$$J(u) = \int_0^T \Bigl[p(t)\bigl(x(t) - x_T(t)\bigr)^2 + q(t)\bigl(u(t) - u_T(t)\bigr)^2\Bigr]dt \to \min. \qquad (15)$$
Setting $z(t) = x(t) - x_T(t)$ and $v(t) = u(t) - u_T(t)$, equation (13) can be reformulated as
$$\dot{z}(t) = A z(t) + B(\xi)\, v(t), \qquad (16)$$
$$z(0) = z_0, \qquad (17)$$
where $z_0 = x_0 - x_T(0)$ and, ideally,
$$F(t) + A x_T(t) + B(\xi)\, u_T(t) - \dot{x}_T(t) = 0. \qquad (18)$$
Then expression (15) is transformed into
$$J = \int_0^T \bigl[p(t)\, z(t)^2 + q(t)\, v(t)^2\bigr]dt. \qquad (19)$$
The objective is to determine the feedback between $z(t)$ and $v(t)$ that the attacker introduces into the system to achieve the goal (15). This enables: 1) predicting the magnitude of adversary actions to train anomaly detection systems, and 2) recovering details of adversary actions from known incident characteristics ($x_T(t)$, $u_T(t)$).

Introducing a Lagrange multiplier $\lambda(t)$, we have
$$\delta J = \int_0^T \Bigl\{2p(t)z(t)\,\delta z(t) + 2q(t)v(t)\,\delta v(t) + \lambda(t)\bigl[\delta\dot{z}(t) - A\,\delta z(t) - B(\xi)\,\delta v(t)\bigr]\Bigr\}dt$$
$$= \int_0^T \Bigl\{\bigl[2p(t)z(t) - \dot{\lambda}(t) - \lambda(t)A\bigr]\delta z(t) + \bigl[2q(t)v(t) - \lambda(t)B(\xi)\bigr]\delta v(t)\Bigr\}dt + \lambda(T)\,\delta z(T). \qquad (20)$$
From the condition $\delta J = 0$, we select $\lambda(t)$ so that
$$\dot{\lambda}(t) = 2p(t)z(t) - \lambda(t)A, \qquad (21)$$
$$\lambda(T) = 0, \qquad (22)$$
and
$$2q\,v = \lambda B, \qquad (23)$$
$$v = \frac{1}{2q}\,\lambda B. \qquad (24)$$
Equation (16) then becomes
$$\dot{z} = A z + B\,\frac{1}{2q}\,\lambda B, \qquad z(0) = z_0.$$
The problem is thus reduced to equation (21) together with this state equation. However, this system is inconvenient because its boundary conditions apply at $t = T$ and $t = 0$, respectively. To simplify it, substitute $\lambda = L z$, where $L(T) = 0$ (in the scalar case considered here):
$$\dot{z} = A z + B\,\frac{1}{2q}\,L B\, z, \qquad z(0) = z_0. \qquad (25)$$
$$\dot{L}\,z = 2p z - A L z - L\Bigl(A z + B\,\frac{1}{2q}\,L B z\Bigr),$$
$$\dot{L} = 2p - AL - L\Bigl(A + B\,\frac{1}{2q}\,L B\Bigr), \qquad L(T) = 0. \qquad (26)$$
Thus, we can solve (26) for $L$ numerically, integrating backwards from the condition at $t = T$, and then, with $L$ known, solve equation (25) to find $v = \frac{1}{2q} L B z$. This solution minimizes expression (19).

Given $v$ and $z$, we can investigate the minimal values of $J$ with respect to the attack parameter $\xi$ using equations (15) and (16).

Applying the gradient method allows for a more efficient parameter identification process compared to a "brute force" calculation approach. The convergence rate of the gradient procedure is estimated in [17]. Additionally, the conjugate gradient method [18] can be used as an alternative in step 6 of the algorithm.

The algorithm steps are as follows:
1. Set an initial arbitrary value $\xi_0$.
2. Find $L$ from equation (26).
3. Determine $z$ using equation (25).
4. Calculate $v$ from equation (24), with $\lambda = Lz$.
5. Calculate $J(\xi_n)$ using equation (19), with $v = \frac{1}{2q} L B(\xi_n) z$.
6. Update $\xi$: $\xi_{n+1} = \xi_n + \Delta\xi_n$, where the step $\Delta\xi_n$ is chosen by the gradient (or conjugate gradient) method.
7. If the change of the criterion between successive iterations does not exceed $\mathcal{E}$, proceed to step 8. Otherwise, return to step 2 for the next iteration.
8. The parameter value $\xi$ then satisfies (15) with precision $\mathcal{E}$.

A similar algorithm can also be used by a malicious actor to identify unknown parameters of the system. For this, only system state measurements are needed.
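To make the eight steps concrete, the following Python program is an added worked example (it is not the authors' software package) that runs the algorithm for the scalar case of equations (16)-(26). It assumes a scalar plant coefficient $A$, constant weights $p$, $q$, a horizon $T$, an initial deviation $z_0$ and an illustrative dependence $B(\xi)$ whose magnitude peaks at $\xi = 1$, so that $J(\xi)$ has its minimum there; all of these values and the form of $B(\xi)$ are assumptions. Step 2 integrates the Riccati equation (26) backwards from $L(T) = 0$, steps 3-5 integrate (25) forwards and accumulate (19), and steps 6-7 move $\xi$ by a finite-difference gradient step with step halving until the change of $\xi$ falls below the tolerance.

```python
"""Scalar worked instance of the attack-parameter identification algorithm.

Added example, not the authors' Python package. It follows eqs. (16)-(26) in
the scalar case: z' = A z + B(xi) v, J(xi) = int_0^T (p z^2 + q v^2) dt,
with the optimal feedback v = L B z / (2q) and the Riccati equation
L' = 2p - 2 A L - L B^2 L / (2q), L(T) = 0. The numbers below and the form of
B(xi) are assumptions chosen for illustration.
"""

# Assumed scalar model parameters (not taken from the paper)
A = 0.2      # plant coefficient; A > 0 means the open loop is unstable
P_W = 1.0    # state weight p(t), constant here
Q_W = 1.0    # control weight q(t), constant here
T = 4.0      # horizon
Z0 = 1.0     # z(0) = x_0 - x_T(0)
N = 400      # forward time steps; the Riccati grid uses half steps


def B_of_xi(xi):
    """Assumed dependence B(xi) of the effective control gain on the intrusion
    intensity xi. |B| peaks at xi = 1, so J(xi) has its minimum there, the
    qualitative shape of the paper's Fig. 4; any known B(xi) can replace it."""
    return 1.0 + xi - 0.5 * xi * xi


def riccati_backward(xi):
    """Step 2: integrate L' = 2p - 2AL - L B^2 L/(2q) backwards from L(T) = 0
    with RK4. Returns L on a grid of step h/2 (index 0 is t = 0, index 2N is
    t = T) so the forward pass can read L at the RK4 midpoints."""
    b2 = B_of_xi(xi) ** 2
    h = T / (2 * N)

    def f(L):
        return 2 * P_W - 2 * A * L - L * b2 * L / (2 * Q_W)

    L = [0.0] * (2 * N + 1)
    for i in range(2 * N, 0, -1):          # march from t = T down to t = 0
        k1 = f(L[i])
        k2 = f(L[i] - 0.5 * h * k1)
        k3 = f(L[i] - 0.5 * h * k2)
        k4 = f(L[i] - h * k3)
        L[i - 1] = L[i] - h / 6 * (k1 + 2 * k2 + 2 * k3 + k4)
    return L


def forward_cost(xi, L):
    """Steps 3-5: integrate z' = (A + B L B/(2q)) z from z(0) = z0 (eq. 25),
    form v = L B z/(2q) (eq. 24) and accumulate J (eq. 19) by the trapezoid
    rule. Returns (J, z(T))."""
    b = B_of_xi(xi)
    h = T / N

    def gain(Li):                           # closed-loop coefficient A + B^2 L/(2q)
        return A + b * Li * b / (2 * Q_W)

    def integrand(zz, Li):                  # p z^2 + q v^2 with v = L B z/(2q)
        v = Li * b * zz / (2 * Q_W)
        return P_W * zz * zz + Q_W * v * v

    z, J = Z0, 0.0
    for i in range(N):
        L0, Lm, L1 = L[2 * i], L[2 * i + 1], L[2 * i + 2]
        k1 = gain(L0) * z
        k2 = gain(Lm) * (z + 0.5 * h * k1)
        k3 = gain(Lm) * (z + 0.5 * h * k2)
        k4 = gain(L1) * (z + h * k3)
        z_next = z + h / 6 * (k1 + 2 * k2 + 2 * k3 + k4)
        J += 0.5 * h * (integrand(z, L0) + integrand(z_next, L1))
        z = z_next
    return J, z


def J_of_xi(xi):
    """Minimal attacker cost J(xi) for a given intrusion intensity."""
    return forward_cost(xi, riccati_backward(xi))[0]


def identify_xi(xi0, step=0.5, tol=1e-4, max_iter=200):
    """Steps 1 and 6-8: gradient descent on J(xi) with a central finite
    difference for dJ/dxi and step halving (backtracking). Stops when the
    change of xi between iterations is at most tol. Returns (xi, J(xi))."""
    eps = 1e-4
    xi, J = xi0, J_of_xi(xi0)
    for _ in range(max_iter):
        dJ = (J_of_xi(xi + eps) - J_of_xi(xi - eps)) / (2 * eps)
        s = step
        while True:
            xi_new = xi - s * dJ
            J_new = J_of_xi(xi_new)
            if J_new <= J or s < 1e-8:
                break
            s *= 0.5
        converged = abs(xi_new - xi) <= tol
        xi, J = xi_new, J_new
        if converged:
            break
    return xi, J


if __name__ == "__main__":
    xi_hat, J_hat = identify_xi(0.3)
    print(f"identified xi = {xi_hat:.4f}, J = {J_hat:.4f}")
```

The identity $J(\xi) = -L(0)\,z_0^2/2$, which follows from (25)-(26) by differentiating $-L z^2/2$ along the closed-loop trajectory, is a convenient check that the backward and forward passes agree. The gradient search only finds a local minimum, so a coarse scan of $J(\xi)$ as in Fig. 4 remains a useful sanity check on the starting value $\xi_0$.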
5. Computer simulation results
Using the presented models, we generated dynamics graphs of FDI attacks. For the simulations, we developed a Python software package.
5.1. Stability violation features
In Fig. 2, we illustrate the normal situation for the AGC. Here, we consider a one-component state $x$, representing the frequency deviation $\Delta f$, and constant values of $\xi$, which could in general be time-dependent. For a two-component state, see the example in Fig. 3.
Figure 2: Undisturbed system, $\xi = 0$
Figure 3: Undisturbed system, two-component state, $\xi = 0$
To identify the parameter ฮพ that meets a certain criterion J (see Fig.4), the proposed algorithm can
be applied. In certain cases, some J samples may not contribute to the rapid convergence of the
algorithm. However, in a significant number of cases, the proposed algorithm proves to be
numerically efficient.
Figure 4: Criterion $J$ sample with a minimum at $\xi = 1$
Fig. 5 shows that with small values of attack parameter, malicious influence may be subtle, making
these attacks difficult for anomaly detection systems to detect. Such attacks typically target the
software components of cyber-physical systems, aiming to insert false data into monitoring systems.
Figure 5: Malicious influence with $\xi = 1$
Figure 6: Malicious influence with $\xi = 5$
Attacks with larger values of scaling attack parameter can be detected effectively by monitoring
systems due to noticeable changes in state pattern. For such attacks, cyber defenders should not only
detect but also react quickly to mitigate potential damage. High values of the scaling parameter can
pose risks to hardware components by threatening system stability. As shown in Figs. 7-9, with certain values of $\xi$ the system state becomes unstable. The threshold value $\xi = 9.4$ (corresponding to Fig. 8) can be calculated with the necessary accuracy from (12). In the case of measurement intrusion, the stability boundary is determined by (10).
Figure 7: System state remains stable
Figure 8: Attack with threshold value of the parameter
Figure 9: System state loses stability
5.2. Illustration of malicious activity at a specific time
Figures 10 and 11 illustrate scenarios where the malicious influence "activates" at a specific time rather than from the start. We observe a minor spike for low values of the scaling parameter (Fig. 10) and a clear change in the pattern for a more significant influence intensity (Fig. 11).
Depending on the attacker's goal, small impacts can also lead to serious consequences: the tampered data affects the intrusion detection systems themselves.
Figure 10: Frequency deviation pattern under attack parameter $\xi = 1$
Figure 11: Frequency deviation pattern under attack parameter $\xi = 7$
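As an added worked example (not the authors' software), the following Python program ties together the threshold condition (12), the eigenvalue check of Section 4.1 and the detection criterion (9) for an attack that switches on at a given time, as in this subsection. It assumes a two-component single-area model $x = [\Delta f, \Delta P_m]$ with inertia, load damping and a turbine time constant, a measurement $y = \Delta f$, a proportional controller $u = -C_u y$, a step load disturbance carried by $F$, and an FDI that scales the control channel as $B(\xi) = (k - \xi)B$; all numeric values, the model structure and $B(\xi)$ are assumptions, so the critical value it finds is the example's own, not the paper's $\xi = 9.4$.

```python
"""Stability threshold of an FDI attack and the detection criterion (9).

Added example, not the authors' software. It instantiates x' = M x + F with
M = A - B(xi) C_u C_y (Section 4.3) for an assumed two-component single-area
model, finds the critical xi from det M(xi) = 0 (eq. 12), confirms it against
the eigenvalues, and evaluates the discrete criterion
J = sum_i (y(t_i) - y*(t_i))^2 (eq. 9) for an attack that switches on at a
given time (Section 5.2). All numeric values and the form of B(xi) are
assumptions.
"""
import math

# Assumed single-area model: x = [delta_f, delta_P_m] (frequency and mechanical
# power deviation), y = C_y x = delta_f, u = -C_u y, nominal intensity k.
M_IN, D_DAMP, T_T = 10.0, 1.0, 0.3    # inertia, load damping, turbine time constant
C_U, K_NOM = 5.0, 1.0                  # controller gain C_u and control intensity k
DELTA_P_L = 0.1                        # assumed step load disturbance carried by F
A = [[-D_DAMP / M_IN, 1.0 / M_IN], [0.0, -1.0 / T_T]]
B = [0.0, 1.0 / T_T]                   # control enters through the turbine channel
C_Y = [1.0, 0.0]
F = [-DELTA_P_L / M_IN, 0.0]


def B_of_xi(xi):
    """Assumed FDI: the injected term scales the control channel so that
    B(xi) = (k - xi) B; xi > 0 weakens and, past k, reverses the control."""
    return [(K_NOM - xi) * b for b in B]


def closed_loop(xi):
    """M(xi) = A - B(xi) C_u C_y, the matrix of x' = M x + F."""
    bx = B_of_xi(xi)
    return [[A[i][j] - bx[i] * C_U * C_Y[j] for j in range(2)] for i in range(2)]


def det2(m):
    return m[0][0] * m[1][1] - m[0][1] * m[1][0]


def max_real_eig2(m):
    """Largest real part of the eigenvalues of a 2x2 matrix (closed form)."""
    tr, d = m[0][0] + m[1][1], det2(m)
    disc = tr * tr / 4.0 - d
    return tr / 2.0 + math.sqrt(disc) if disc >= 0 else tr / 2.0


def critical_xi(lo=0.0, hi=10.0, iters=60):
    """Solve det M(xi) = 0 (eq. 12) by bisection on [lo, hi]. For a 2x2 M
    with trace < 0 this is also sufficient (Hurwitz: trace < 0 and det > 0);
    in general check the eigenvalues as well, since a complex pair can cross
    the imaginary axis without det M changing sign."""
    f_lo = det2(closed_loop(lo))
    if f_lo * det2(closed_loop(hi)) > 0:
        raise ValueError("det M(xi) does not change sign on the bracket")
    for _ in range(iters):
        mid = 0.5 * (lo + hi)
        f_mid = det2(closed_loop(mid))
        if f_mid * f_lo > 0:
            lo, f_lo = mid, f_mid
        else:
            hi = mid
    return 0.5 * (lo + hi)


def _rhs(m, x):
    return [m[0][0] * x[0] + m[0][1] * x[1] + F[0],
            m[1][0] * x[0] + m[1][1] * x[1] + F[1]]


def simulate_y(xi, t_on, T=20.0, h=0.01):
    """RK4 integration of x' = M(xi(t)) x + F from x(0) = 0, with xi(t) = 0
    before t_on and xi afterwards. Returns the sampled measurement y(t_i)."""
    x, ys = [0.0, 0.0], []
    m_nom, m_att = closed_loop(0.0), closed_loop(xi)
    for i in range(int(round(T / h))):
        m = m_att if i * h >= t_on else m_nom
        k1 = _rhs(m, x)
        k2 = _rhs(m, [x[j] + 0.5 * h * k1[j] for j in range(2)])
        k3 = _rhs(m, [x[j] + 0.5 * h * k2[j] for j in range(2)])
        k4 = _rhs(m, [x[j] + h * k3[j] for j in range(2)])
        x = [x[j] + h / 6 * (k1[j] + 2 * k2[j] + 2 * k3[j] + k4[j]) for j in range(2)]
        ys.append(C_Y[0] * x[0] + C_Y[1] * x[1])
    return ys


def criterion_J(xi, t_on, threshold, **kw):
    """Discrete criterion (9) against the undisturbed run y* (xi = 0).
    Returns (J, alarm) with alarm = (J >= threshold)."""
    y_star = simulate_y(0.0, t_on, **kw)
    y = simulate_y(xi, t_on, **kw)
    J = sum((a - b) ** 2 for a, b in zip(y, y_star))
    return J, J >= threshold


if __name__ == "__main__":
    xi_c = critical_xi()
    print(f"critical xi = {xi_c:.3f}; max Re(lambda) at 0.9*xi_c: "
          f"{max_real_eig2(closed_loop(0.9 * xi_c)):+.3f}, at 1.1*xi_c: "
          f"{max_real_eig2(closed_loop(1.1 * xi_c)):+.3f}")
    for xi in (0.1, 1.0, 1.3):
        J, alarm = criterion_J(xi, t_on=10.0, threshold=0.01)
        print(f"xi = {xi}: J = {J:.4f}, alarm = {alarm}")
```

Two points carry over to a real deployment. Condition (12) is exact here only because the $2\times2$ closed-loop matrix keeps a negative trace, so $\det M = 0$ is the only way an eigenvalue can reach the imaginary axis; for larger state vectors the eigenvalue check must accompany it. And the criterion (9) scales with the sampling rate and the window length, so the threshold $\mathcal{E}$ has to be calibrated on undisturbed data at the same rate, which is what lets the small-$\xi$ case discussed in the conclusions stay below it.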
6. Conclusions
Computer simulation results indicated that attacks with low values of the scaling parameter are
not a threat to system stability but are challenging for anomaly detection systems to detect. Such
attacks could be used by malicious actors to incrementally falsify historical data or poison machine-
learning-based modules.
We derived the conditions for stable system operation based on the values of the attack parameter.
Additionally, an algorithm was proposed for estimating the control intensity of FDI attacks, enabling
the collection of quantitative data on malicious strategies to support system resilience.
An analysis of typical attack patterns in modern energy facilities showed that certain classes of attacks require full knowledge of the system. This information (e.g., system parameters) can be indirectly recovered using control theory principles, similar to the algorithm proposed in this paper for identifying unknown attack parameters. This highlights the risk posed by sniffing as a method for gathering measurement data and underscores the need for preventive measures against it. Most data transfer protocols in AGC systems lack confidentiality by default, making them vulnerable.
The proposed approach and algorithm can be used for numerical incident investigations, providing
solid foundations for response strategies. Future research could focus on studying combined attack
types and enhancing detection methods.
References
[1] M. Vrakopoulou, P.M. Esfahani, K. Margellos, J. Lygeros, G. Andersson. Cyber-Attacks in the
Automatic Generation Control. In: Khaitan, S., McCalley, J., Liu, C. (eds) Cyber Physical Systems
Approach to Smart Electric Power Grid. Power Systems (2015). Springer, Berlin, Heidelberg. doi:
10.1007/978-3-662-45928-7_11.
[2] P. S. Kundur, O. P. Malik, Power System Stability and Control, 2nd ed., McGraw Hill Education, New York, 2022. URL: https://lccn.loc.gov/2021062400.
[3] P. L. Goethals, N, M. Scala, D. T. Bennett, Mathematics in Cyber Research, 2022. doi:
10.1201/9780429354649
[4] Y. Shen, M. Fei, D. Du, Cyber security study for power systems under denial of service attacks,
2017, SageJournals, Volume 41, Issue 6. doi: 10.1177/0142331217709528.
[5] A.M Mohan, N. Meskin, H. Mehrjerdi, A Comprehensive Review of the Cyber-Attacks and
Cyber-Security on Load Frequency Control of Power Systems, 2020, Energies, 13(15), 3860. doi:
10.3390/en13153860.
[6] C. Moya, On Cyber-Attacks against Modern Power Grids, Ph.D. Thesis, The Ohio State
University, 2020. URL: https://dl.acm.org/doi/10.5555/AAI28890224.
[7] X. Li, P. Zhang, H. Dong, Robust Stealthy Covert Attacks on Cyber-Physical Systems, 2022, IFAC-PapersOnLine, Volume 55, Issue 6, P. 520-525. doi: 10.1016/j.ifacol.2022.07.181.
[8] A. Ashok, A. Hahn, M. Govindarasu, Cyber-Physical Security of Wide-Area Monitoring,
Protection and Control in a Smart Grid Environment, Journal of Advanced Research (2013), doi:
http://dx.doi.org/10.1016/j.jare.2013.12.005.
[9] J. Ding, A. Qammar, Z. Zhang, A. Karim, H. Ning, CyberThreats to Smart Grids: Review,
Taxonomy, Potential Solutions, and Future Directions. Energies, 2022, 15, 6799. doi:
10.3390/en15186799.
[10] P. S. Kundur, O. P. Malik, Power System Stability and Control, 2nd ed., McGraw Hill Education, New York, 2022. URL: https://lccn.loc.gov/2021062400.
[11] Kim, Yoonjib & Hakak, Saqib & Ghorbani, Ali. (2022). Smart grid security: Attacks and defense
techniques, IET Smart Grid, 6. doi: 10.1049/stg2.12090.
[12] M. Ovcharuk, M. Ilin, Models of Denial of Service Attacks on Cyber-Physical Systems, 2023,
Theoretical and Applied Cybersecurity, Vol. 5, No2 (2023). doi: 10.20535/tacs.2664-
29132023.2.289459.
[13] Cyber Incident Reporting for Critical Infrastructure Act of 2022, Subtitle D, Cyber Incident Reporting. URL: https://www.cisa.gov/sites/default/files/2023-01/Cyber-Incident-Reporting-ForCriticalInfrastructure-Act-o-f2022_508.pdf .
[14] G. Vedmedenko, I. Stopochkina, O. Novikov, M. Ilin, Cascading effects simulation for cyber
attacks on the power supply network // XXI International Scientific and Practical Conference
"Information Technologies and Security" (ITS-2021), 09.12.2021. URL: http://ceur-ws.org/Vol-
3241/.
[15] S. Saxena, S. Bhatia, R. Gupta, Cybersecurity analysis of load frequency control in power systems:
A survey. Designs, 2021, 5(3), 52. doi: 10.3390/designs5030052.
[16] G. S. Kamboj, R. Dhiman, R. Choudhary, 2015, Automatic Generation Control of Two Areas in
Interconnected Power System, International Journal of Engineering Research & Technology,
(IJERT) NCETEMS โ 2015, Vol.3, Issue 10. URL: https://www.ijert.org/automatic-generation-
control-of-two-areas-in-interconnected-power-system.
[17] Boyd, S., & Vandenberghe, L. (2004). Convex Optimization. Cambridge: Cambridge University
Press. URL: https://web.stanford.edu/~boyd/cvxbook/bv_cvxbook.pdf .
[18] M.R. Hestenes, E. Stiefel, Methods of Conjugate Gradients for Solving Linear Systems. Journal of
Research of the National Bureau of Standards, 1952. 49 (6): 409. doi:10.6028/jres.049.044.