Oleksii Novikov, Mariia Shreider, Iryna Stopochkina and Mykola Ilin
National Technical University of Ukraine "Igor Sikorsky KPI", Beresteiskyi Ave, 37, Kyiv, 03056, Ukraine

ITS-2023: Information Technologies and Security, November 30, 2023, Kyiv, Ukraine
o.novikov@kpi.ua (O. Novikov); marshr-ipt23@lll.kpi.ua (M. Shreider); i.stopochkina@kpi.ua (I. Stopochkina); m.ilin@kpi.ua (M. Ilin)
ORCID: 0000-0001-5988-3352 (O. Novikov); 0009-0006-8621-5521 (M. Shreider); 0000-0002-0346-0390 (I. Stopochkina); 0000-0002-1065-6500 (M. Ilin)
© 2023 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR Workshop Proceedings (ceur-ws.org), ISSN 1613-0073

Abstract
This work focuses on enhancing the toolkit for simulating cyber attacks on energy facilities. The paper examines models of typical attacks on energy systems, specifically accounting for an attacker's ability to distort control system signals, manipulate control measurements, and alter measurement signals related to the state of the facility. A threat model for a critical infrastructure energy facility is proposed that refers to attack techniques. The approach expresses integrity-breaking attacks as a function of unknown parameters. Criteria are introduced that enable parametric identification of the parameters of integrity-compromising attacks, based on measurement data and constraints on process behavior. Stability conditions for a typical automatic gain control system under cyber attack are analyzed. An algorithm for identifying attack parameters is proposed. Computer simulations of facility processes under various attack types were conducted, appropriate software was developed, and conclusions were drawn regarding the impact of attacks on facility resilience.

Keywords
energy facilities, cybersecurity attacks, FDI attacks, models, resilience

1. Introduction
The AGC system is highly dependent on open communication infrastructure, such as the SCADA system, which increases its operational efficiency and responsiveness but at the same time makes it more vulnerable to cyber attacks. Network technologies have many advantages, but all their defects (insufficient security, outdated protocols and software, and weak authentication mechanisms) create new opportunities for attackers. Therefore, the vulnerable points of the system are the inputs and outputs of the control center, that is, the communication channels through which data is transmitted [1].

Due to the need for rapid operation, the system does not employ complex algorithms for verifying and evaluating measurement data. Attackers can exploit this to manipulate data without sophisticated calculations. By knowing certain characteristics, an adversary can identify other unknown parameters of the system. In this paper, we demonstrate how this can be done, based on principles described in [2, 3].

Moreover, high coordination between interconnected control zones enhances productivity but also means that a sufficiently powerful cyber attack on one zone can adversely impact the entire power system. Cyber attacks on energy supply facilities amplify and deepen the effects of physical attacks for maximum destructive impact. Understanding the limits of resilience to cyber influences is crucial for developing effective protective mechanisms and preventive measures. However, existing research [4-7] pays insufficient attention to the assessment of attack features or parameters.

The cyber vulnerabilities of AGC systems stem from data transfer mechanisms and protocol weaknesses. A taxonomy of these attacks was proposed in [8-10]. Paper [11] provides a detailed description of existing attack types on the advanced metering infrastructure of smart grids, focusing on both IT (Information Technology) and OT (Operational Technology) systems. We consider the entire AGC cyber-physical system, with particular emphasis on its OT features, and consider these attacks in terms of the knowledge about cyber-physical system parameters that they require.

The main classes of cyber threats for the AGC system of an energy facility are:
1. DoS (Denial of Service), DDoS (Distributed Denial of Service), and time delay attacks (targeting availability) [4, 5].
2. Replay attacks (targeting integrity) [6].
3. FDI (false data injection) and covert attacks (targeting integrity) [6, 7].

In wartime, these cyber attacks are often combined with physical attacks on critical infrastructure facilities [12]. Developing algorithms for calculating attack parameters remains a crucial task for understanding the resilience limits of the facility and for investigating cyber incidents. The findings of this work will contribute to more accurately fulfilling the guidelines of document [13] regarding the identification of adversary tactics, techniques, and procedures used to circumvent controls, along with other cybersecurity objectives.

2. Cyber attack models in AGC systems
Paper [1] examines a two-area power system and its dynamic model equations, demonstrating system behavior under abnormal conditions and analyzing the types of attacks that can disrupt the power system. In paper [4], a dynamic model of a single-area load-frequency control (LFC) system is presented, focusing on the principles of sustainable operation. The study addresses time-delay attacks and DoS (Denial of Service) attacks, providing equations for the main system components under DoS attack conditions. Paper [5] expands on DoS attacks by exploring data integrity attacks as well. It proposes a multi-area scheme with a control center, presenting detailed LFC equations and describing the main types of attacks. Paper [6] discusses power grid control strategies, with particular emphasis on time-delay threats and replay attacks.
The authors derive stability bounds for systems subjected to these attacks. In paper [7], a different class of cyber attacks is explored: robust stealthy covert attacks. The study includes a simulation example and uses a mathematical approach to calculate attack parameters for adversaries. Paper [8] addresses cyber-physical reliability using game theory, incorporating probability factors into the calculations. Paper [9] focuses on technical aspects of cyber attacks, reviewing examples, countermeasures, and a taxonomy of attack types; a section is dedicated to the use of machine learning algorithms for attack detection. In paper [11], a detailed taxonomy of IT (Information Technology), OT (Operational Technology), and AMI (Advanced Metering Infrastructure) attacks is provided, along with an overview of papers that propose approaches to counter these attacks. Paper [12] examines DoS and DDoS models, emphasizing that these attacks may have different impacts when combined with physical attacks by adversaries during wartime. Simulation models of cascading effects in power grids under cyber attack are discussed in paper [14]. Paper [15] investigates various attack strategies, mathematical models, and methods for assessing system vulnerabilities. The authors of paper [16] study interconnected AGC systems and the resulting frequency deviations, advancing the work in this area.

Existing research reveals a gap in deterministic mathematical approaches, based on control theory methods, that not only identify stability bounds but also uncover unknown attack parameters. The current work aims to address this gap by developing a relevant algorithm.

Paper [13] provides guidelines and compliance directions for reporting cyber incidents in critical infrastructure. This document offers guidance that could be reinforced by mathematical analyses and studies, particularly in the field of restoring attack parameters. The findings of the current study could provide the necessary numerical data for addressing these challenges.

3. Cyber threats to the AGC system
Let us examine the structural features of the AGC (Automatic Gain Control) system that make it susceptible to attacks. The AGC system operates within a communications infrastructure, facilitating data transmission between control centers and control zones. Sensor measurement data is sent to the control center, where an error signal is generated and then transmitted back to the control area. The local controller subsequently calculates the power control signal. Real-time data collection can be achieved through remote terminal units (RTUs) or intelligent electronic devices (IEDs) positioned at critical locations (such as power stations and substations) within the control zone. The SCADA (Supervisory Control and Data Acquisition) system collects and aggregates this data and relays it to the control center via communication channels using various protocols, such as DNP3 (Distributed Network Protocol), IEC 61850, and IEC 60870-5-104. Similarly, signals from the control center are transmitted back to the control zone.

A general diagram of a single-area power zone under DDoS attack conditions is presented in [15], with specific points highlighted where other types of attacks (particularly FDI attacks) could be applied (Fig. 1).

Figure 1: AGC System with External Communications. Arrows (1), (2), (3), (4), and (5) indicate points where a cyber attack can be applied.

Potential targets include the communication network (1) and (3), internal communication lines (5), the AGC control center (2), and the programmable logic controller (4). An adversary could impact measurements (5), control signals u(t), and the system state x(t).

Let us compile a list of common attacks on the AGC system, linking specific attack types to technique classes from the MITRE ATT&CK® Matrix for ICS, as shown in Table 1.
In Table 1, CIA refers to confidentiality, integrity, and availability, respectively.

Table 1. Energy facility cyber attacks. Each entry lists: attack (ATT&CK for ICS sub-technique ID); affected property (CIA); description; attack preconditions; information gathering; target; system (IT/OT/AMI).

DoS (T0814). Affected: A. Description: data flood of the internal network and services. Preconditions: partial knowledge about software, hardware versions, open interfaces. Information gathering: —. Target: channels for measurements and commands, system services. System: IT, OT, AMI.

DDoS (T0814). Affected: A. Description: DoS from multiple sources. Preconditions: partial knowledge about software, hardware versions, open interfaces. Information gathering: —. Target: channels for measurements and commands, system services. System: IT, AMI, OT.

FDI (T0836, T0868, T0830). Affected: IA. Description: false data injection. Preconditions: knowledge of normal-mode reactions and anomaly ranges. Information gathering: system features and measurements. Target: measurement transmission channels. System: OT, IT, AMI.

Replay (T0856, T0830). Affected: CIA. Description: replaying real data. Preconditions: partial knowledge about protocol timelines. Information gathering: sensors and signals. Target: measurement data and control signal transmission channels. System: OT, AMI.

Covert (T0836, T0868, T0830). Affected: IA. Description: hidden attack. Preconditions: full knowledge of the system. Information gathering: sensor and actuator data. Target: channels for measurements and commands. System: OT.

Time delays (T0814, T0830). Affected: A. Description: introducing time delays. Preconditions: partial knowledge about protocol timelines. Information gathering: —. Target: channels for measurements, control signals, and commands. System: OT, AMI.

Physical attacks (T0879). Affected: CIA. Description: destroying infrastructure, intercepting control over the facility. Preconditions: partial knowledge about system geolocation features, controlling the locks and other physical objects. Information gathering: gathering all the data using social engineering, biometric detection. Target: physical parts of critical infrastructure. System: OT, IT, AMI.

Spoofing (T0856, T0830). Affected: CI. Description: identity spoofing due to lack of authentication. Preconditions: network protocols knowledge, access to transmitted data. Information gathering: —. Target: IoT devices, PLCs, control center, network objects. System: IT, OT, AMI.

Sniffing (T0842, T0887, T0801, T0830). Affected: C. Description: access to data transfer nodes to sniff channels. Preconditions: access to the network channels. Information gathering: obtaining any usable data for further intrusion. Target: network channels. System: IT, AMI.

TSA, time synchronization attack (T0868). Affected: IA. Description: synchronizing signal delay (replaying signals). Preconditions: knowledge about protocol peculiarities. Information gathering: obtaining local time on the target object. Target: channels of signal transmission. System: OT.

Malware (TA0108, TA0104, TA0110, TA0111, TA0103, TA0102, TA0109, TA0100, TA0101, TA0107, TA0106, TA0105). Affected: CIA. Description: taking control over controllers and other cyber-physical elements, or over software of the critical infrastructure facility; can realize all types of possible techniques. Preconditions: full knowledge of object architecture and partial knowledge of system vulnerabilities. Information gathering: keylogging and gathering all accessible data. Target: software and hardware of the critical infrastructure facility. System: IT, OT, AMI.

4. AGC mathematical models
In this section, we present generalized mathematical models in state space, building on previous works [5, 6]. The primary vectors under consideration are malicious intrusion into the system state via control parameters and via measurement parameters (see Fig. 1). We then focus on the FDI (False Data Injection) class of attacks and develop an algorithm to identify attack parameters under certain assumptions. Additionally, we discuss the adversary's potential extended knowledge of the system.

4.1. Initial undisturbed system model
We consider an initial undisturbed system with control, described by the following system of equations in state space:

x′(t) = A x(t) + k B u(t) + F, (1)

where x is the system state, u is the control, F is the source function (energy supply from/to neighboring zones), and k is a parameter of control influence intensity.
We note that in the general description the state vector x(t) can contain the components of frequency deviation Δf and of regulator, turbine, and tie-line power deviations, as proposed in [6]. Here we consider scalar values.

If the control depends on the measurements y: u(t) = −C y(t), where the measurements depend on the state: y(t) = C x(t). Then

x′(t) = (A − kB) x(t) + F, (2)

where B = B C C.

For stability, the matrix A − kB has to be negative definite, or at least non-positive definite. This depends on the eigenvalues λ of this matrix, which are defined by the equation det(A − kB − λI) = 0. Suppose that A − kB is negative definite for a sufficiently large k. Then the necessary condition for this property to become invalid at some k, i.e., for the largest eigenvalue to change its sign, λ(k) = 0, is

det(A − kB) = 0. (3)

This can be used to find the critical value of k.

4.2. Attack on system measurements and determination of instability conditions
Let ξ(t) be the distortion introduced into the measurements by an attacker. The measurements are then y(t) = C x(t) + ξ(t), and u(t) = −C y(t) = −C (C x(t) + ξ(t)) = −C C x(t) − C ξ(t). Thus, equation (1) takes the form

x′(t) = (A − kB − kB ξ(t)) x(t) + F, (4)

where B = BC. If x(t) is known, identifying the attacker's intervention ξ(t) becomes a standard fitting problem. Otherwise, x(t) must be determined simultaneously with ξ(t) when y(t) is known.
The problem can be simplified if we know reference (etalon) values x∗, y∗, which allow us to eliminate F:

z(t) ≡ x(t) − x∗(t); z′(t) = D z(t) + D ξ(t) x(t); ξ(t) = y(t) − C (x∗(t) + z(t)). (5)

From here:

z′(t) = D z(t) + D {y(t) − C [x∗(t) + z(t)]} [x∗(t) + z(t)], (6)

or

z′(t) = D z(t) + f(t) + D {y(t) − C [x∗(t) + z(t)]} z(t), (7)

where f(t) = D {y(t) − C [x∗(t)]} x∗(t).

Assuming the effect of the disturbances is small, successive approximations can be applied to equation (6). For the zero approximation we set ξ(t) = 0, z(t) = 0. In the first approximation we neglect the term quadratic in z:

z′(t) = D z(t) + f(t) + D {y(t) − C x∗(t)} z(t), i.e. z′(t) = D z(t) + f(t), (8)

where D = D + D {y(t) − C x∗(t)}. Assuming z(0) = 0, z(t) can be found by numerically solving this linear equation.

Given a set of measurements y∗(t) = C x∗(t) that characterizes the normal process flow (the solution of equation (2) or (4) when ξ(t) ≡ 0), we assume the adversary aims to maximize damage, so that x∗(t) becomes unstable. The control problem for critical infrastructure systems is to prevent such scenarios through control measures and by comparing y(t) with y∗(t). To detect intrusions caused by additional adversarial distortions, an additional criterion can be added to the measurement system to identify deviations from the normal process flow (e.g., electricity supply):

J(y) = ∫ (y(t) − y∗(t))² dt → min.

Let ℰ be a threshold such that J(y) ≥ ℰ signals abnormal system behavior. For discrete measurements:

J = Σ_i (y(t_i) − y∗(t_i))² ⟶ min. (9)

Next, let us determine the ξ(t) that leads to system instability. Such a problem can arise in cyber incident investigation, especially when trying to uncover adversarial actions aimed at destabilizing the system. We can use

det(D + D ξ(t)) = 0, (10)

where D ≡ A − kB, D ≡ −kBC. This allows us to define ξ(t).

In equation (8), the addition y(t) − C x∗(t) is small because the distortions introduced by the adversary are minor, and it can be neglected in the first approximation. Thus, from (8), the first approximation z⁽¹⁾(t) is given by the variation-of-constants (matrix exponential) solution of the linear equation (8) with z(0) = 0, and ξ(t) follows from (5) with z(t) replaced by z⁽¹⁾(t). In the next approximation, we substitute z⁽¹⁾(t) into the last term of (7).

As Table 1 shows, some attacks require knowledge of system functioning and parameters. Using the principles of parametric identification outlined above, and having access to measurement data, an adversary can infer unknown parameters (e.g., A, k, or B from (1)). Thus, intercepting measurement information may enable more dangerous attacks, such as covert attacks.

4.3. Attack on system state and parameter identification
Let us consider a typical attack on the system state that involves false data injection (FDI) by manipulating system control parameters. In FDI attacks, a scaling parameter ξ is used to alter the control [5], allowing the adversary to influence system regulation. Under attack, system (1) takes the form

x′(t) = A x(t) + k B u(t) + ξ u(t) + F, (11)
u(t) = −C y(t), y(t) = C x(t).

Rewriting the state equation, we have x′(t) = (A − kA) x(t) + ξ u(t) + F, where A ≡ B C C.
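A scalar worked example of the control-scaling attack (11) together with the detection criterion (9), added here as illustration; it is my code, not the authors' Python package, whose constants are not reported in the paper. All constants (A, B, k, the feedback gain, F, the step size, the threshold) are constructed. The control enters through u = −C y, y = C x exactly as in (11), the trajectory is integrated by explicit Euler, and the stability boundary is the scalar form of the condition det M = 0 on the closed-loop matrix that the text derives next: the value of ξ at which the single closed-loop coefficient changes sign. With these constants that value is negative, because in (11) ξ enters with the same sign as the nominal control k B; the paper's threshold ξ = 9.4 belongs to its own parameter set.

```python
"""Scalar FDI model of (11): x' = A x + k B u + xi u + F, with u = -C1 y, y = C2 x.
All constants below are constructed for illustration, not taken from the paper."""

A_SYS, B_SYS, K_GAIN = 0.2, 1.0, 2.0   # open-loop coefficient A, control matrix B, intensity k
C1, C2 = 1.0, 1.0                      # controller gain and measurement gain (u = -C1 y, y = C2 x)
F_SRC = 0.1                            # source term F (exchange with neighbouring zones)
DT, N_STEPS = 0.01, 1000               # explicit-Euler step and horizon (10 s)


def closed_loop_coefficient(xi):
    """M = A - k*B*C1*C2 - xi*C1*C2: the scalar closed-loop matrix of (11)."""
    return A_SYS - K_GAIN * B_SYS * C1 * C2 - xi * C1 * C2


def critical_xi():
    """Root of M(xi) = 0 (scalar det M = 0): the attack intensity at which the
    state stops decaying.  For these constants it is (0.2 - 2.0) / 1.0 = -1.8."""
    return (A_SYS - K_GAIN * B_SYS * C1 * C2) / (C1 * C2)


def is_stable(xi):
    """Scalar analogue of 'A - kB negative definite': the only eigenvalue is M."""
    return closed_loop_coefficient(xi) < 0


def simulate_measurements(xi, x0=1.0):
    """Explicit-Euler trajectory of the measurement y(t) = C2 x(t) under scaling xi."""
    ys, x = [], x0
    for _ in range(N_STEPS):
        u = -C1 * C2 * x                                   # u = -C1 y, y = C2 x
        x += DT * (A_SYS * x + (K_GAIN * B_SYS + xi) * u + F_SRC)
        ys.append(C2 * x)
    return ys


def criterion_j(ys, ys_ref):
    """Discrete criterion (9): sum of squared deviations from the reference y*."""
    return sum((y - y_ref) ** 2 for y, y_ref in zip(ys, ys_ref))


def is_anomalous(ys, ys_ref, threshold):
    """Raise an alarm when J reaches the operator's threshold (the paper's E)."""
    return criterion_j(ys, ys_ref) >= threshold


if __name__ == "__main__":
    reference = simulate_measurements(0.0)                 # y*(t): undisturbed run
    for xi in (0.0, -0.5, critical_xi(), -2.0):
        ys = simulate_measurements(xi)
        print(f"xi={xi:+.2f}  stable={is_stable(xi)}  "
              f"J={criterion_j(ys, reference):.4g}  "
              f"alarm={is_anomalous(ys, reference, 1e-3)}")
```

The threshold is the operator's choice: J accumulates over the whole window, so ℰ has to be set from the spread of J observed in normal operation (measurement noise, load changes) rather than from a single sample, and a value of ξ well inside the stable region can still produce a J far above that spread, which is the detectable-but-not-destabilising regime the paper discusses in Section 5.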
Let us rewrite the state equation in the form x′(t) = M x(t) + F, where M ≡ A − kA − ξ C C. From the condition

det M = 0, (12)

we can obtain the critical value of ξ that leads to system instability.

To illustrate the process of restoring the attack parameters of a cyber incident, let us consider the generalized case of system (11):

x′(t) = A x(t) + B(ξ) u(t) + F; (13)
x(0) = x , (14)

where x represents the system state, u is the control function, F is the source function, and ξ describes the intensity of the adversary's intrusion. The dependency of B on ξ is assumed to be known.

Suppose the adversary's goal is defined by the criterion

J(u) = ∫ [P(t) (x(t) − x (t))² + Q(t) (u(t) − u (t))²] dt → min (15)

under conditions (13), where P(t), Q(t) are given functions, x (t) represents the process state boundaries, and u (t) is the desired control target of the adversary. We assume that x (t) and u (t) are known.

Setting z(t) = x(t) − x (t), v(t) = u(t) − u (t), equation (1) can be reformulated as

z′(t) = A z(t) + B(ξ) v(t), (16)
z(0) = z , (17)

where z = x − x (0) and, ideally,

F(t) + A x (t) + B(ξ) u (t) − x ′(t) = 0. (18)

Then expression (15) is transformed into

J = ∫ [P(t) z(t)² + Q(t) v(t)²] dt. (19)

The objective is to determine the feedback between z(t) and v(t) that the attacker introduces into the system to achieve goal (15). This enables: 1) predicting the magnitude of adversary actions to train anomaly detection systems, and 2) recovering details of adversary actions from known incident characteristics (x (t), u (t)).
Introducing a Lagrange multiplier, we have

δJ = ∫ {2P(t) z(t) δz(t) + 2Q(t) v(t) δv(t) + λ(t) [δz′(t) − A δz(t) − B(ξ) δv(t)]} dt
= ∫ {[2P(t) z(t) − λ′(t) − λ(t) A] δz(t) + [2Q(t) v(t) − λ(t) B(ξ)] δv(t)} dt + λ(T) δz(T). (20)

From the condition δJ = 0, we select λ(t) so that

λ′(t) = 2P(t) z(t) − λ(t) A, (21)
λ(T) = 0, (22)

and

2Q v = λ B, (23)
v = Q⁻¹ λ B. (24)

Equation (16) then becomes

z′ = A z + B Q⁻¹ λ B, z(0) = z .

The problem is thus reduced to equations (21) and (25). However, this system is inconvenient because the conditions apply at t = T and t = 0, respectively. To simplify it, substitute λ = L z, where L(T) = 0:

z′ = A z + B Q⁻¹ L B z, z(0) = z ; (25)
L′ z = 2P z − A L z − L A z + B Q⁻¹ L B z;
L′ = 2P − A L − L A + ½ B Q⁻¹ L B, L(T) = 0. (26)

Thus, we can solve (26) for L numerically with the condition at t = T and then, with L known, solve equation (25) to find v = Q⁻¹ L B z. This solution minimizes expression (19).

Given v and z, we can investigate the minimal values of J with respect to the attack parameter ξ using equations (15) and (16). Applying the gradient method allows for a more efficient parameter identification process than a "brute force" calculation approach. The convergence rate of the gradient procedure is estimated in [17]. Additionally, the conjugate gradient method [18] can be used as an alternative in step 6 of the algorithm. The algorithm steps are as follows:

1. Set an initial arbitrary value ξ .
2. Find L from equation (26).
3. Determine z using equation (25).
4. Calculate v from equation (24), with λ = L z.
5. Calculate J(ξ ) using equation (19), with v = Q⁻¹ L B(ξ ) z.
6. Update ξ : ξ = ξ + τ .
7. If ≤ ℰ, proceed to step 8. Otherwise, return to step 2 for the next iteration.
8. The parameter value ξ will then satisfy (15) with precision ℰ.

A similar algorithm can also be used by a malicious actor to identify unknown parameters of the system. For this, only system state measurements are needed.

5. Computer simulation results
Using the presented models, we generated dynamics graphs of FDI attacks. For the simulations, we developed a Python software package.

5.1. Stability violation features
In Fig. 2 we illustrate the normal situation for the AGC. Here we consider a one-component state x, representing the frequency deviation Δf, and constant values of ξ, which in general could be time-dependent. For a two-component state, see the example in Fig. 3.

Figure 2: Undisturbed system, ξ = 0
Figure 3: Undisturbed system, two-component state, ξ = 0

To identify the parameter ξ that meets a certain criterion J (see Fig. 4), the proposed algorithm can be applied. In certain cases, some J samples may not contribute to rapid convergence of the algorithm. However, in a significant number of cases the proposed algorithm proves to be numerically efficient.

Figure 4: Criterion J sample with a minimum at ξ = 1

Fig. 5 shows that with small values of the attack parameter, the malicious influence may be subtle, making such attacks difficult for anomaly detection systems to detect. Such attacks typically target the software components of cyber-physical systems, aiming to insert false data into monitoring systems.

Figure 5: Malicious influence with ξ = 1
Figure 6: Malicious influence with ξ = 5

Attacks with larger values of the scaling attack parameter can be detected effectively by monitoring systems due to noticeable changes in the state pattern.
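Steps 1 to 8 of the identification algorithm from Section 4, carried through for the scalar case as an added example; this is my code, not the authors' software package. Assumptions, none of which the paper states: B(ξ) = kB + ξ, which is what comparing (11) with (13) gives; constant weights P(t), Q(t); a constructed incident record (x (t), u (t)) generated with a hypothetical true intensity ξ = 1.5, so that the answer is known in advance; the residual of (18), i.e. how far the record is from being consistent with the dynamics for a candidate ξ, enters the z-dynamics as a forcing term, which is what gives J(ξ) a minimum at the true ξ (the constructed counterpart of Fig. 4); the inner solve uses the textbook scalar finite-horizon Riccati system for criterion (19) in my own normalisation rather than equation (26) verbatim; step 6 is a central-difference gradient step with a halving line search, and the stopping test of step 7 is taken to be the change of J between iterations.

```python
"""Scalar run of the identification loop (steps 1-8): find the attack intensity
xi that makes a recorded incident trajectory (x_g, u_g) consistent with the
dynamics (13) while minimising criterion (19).  All constants are constructed."""

A_SYS, B_SYS, K_GAIN, F_SRC = 0.2, 1.0, 2.0, 0.1   # A, B, k, F of (1)/(11)
FEEDBACK = 1.0                                     # C1*C2 used when the record was taken
P_W, Q_W = 1.0, 1.0                                # constant weights P(t), Q(t)
DT, N_STEPS = 0.01, 500                            # time grid; horizon T = 5 s


def b_of_xi(xi):
    """B(xi) of (13): comparing (11) with (13) gives B(xi) = k*B + xi (assumption)."""
    return K_GAIN * B_SYS + xi


def make_incident_record(xi_true, x0=1.0):
    """Constructed incident record: state x_g and control u_g sampled on the grid
    while a hypothetical attack of intensity xi_true was active."""
    xs, us, x = [], [], x0
    for _ in range(N_STEPS + 1):
        u = -FEEDBACK * x
        xs.append(x)
        us.append(u)
        x = x + DT * (A_SYS * x + b_of_xi(xi_true) * u + F_SRC)
    return xs, us


def consistency_residual(xs, us, xi):
    """w(t_i) = F + A x_g + B(xi) u_g - x_g': the left-hand side of (18).
    It vanishes only for the xi that actually generated the record."""
    return [F_SRC + A_SYS * xs[i] + b_of_xi(xi) * us[i] - (xs[i + 1] - xs[i]) / DT
            for i in range(N_STEPS)]


def optimal_cost(xs, us, xi):
    """min over v of (19) for z' = A z + B(xi) v + w(t), z(0) = 0, obtained by
    integrating the scalar Riccati system of V(t, z) = S z^2 + 2 g z + h backwards
    from S(T) = g(T) = h(T) = 0 (textbook normalisation, not a copy of (26)).
    The optimal feedback is v = -B (S z + g) / Q; because z(0) = 0 the minimum is h(0)."""
    b, w = b_of_xi(xi), consistency_residual(xs, us, xi)
    s = g = h = 0.0
    for i in range(N_STEPS - 1, -1, -1):
        ds = -(P_W + 2.0 * A_SYS * s - b * b * s * s / Q_W)
        dg = -((A_SYS - b * b * s / Q_W) * g + s * w[i])
        dh = -(2.0 * g * w[i] - b * b * g * g / Q_W)
        s, g, h = s - DT * ds, g - DT * dg, h - DT * dh   # step from t_{i+1} back to t_i
    return h


def criterion_profile(xs, us, xis):
    """J(xi) on a grid of candidate values, the counterpart of the curve in Fig. 4."""
    return [optimal_cost(xs, us, xi) for xi in xis]


def identify_xi(xs, us, xi0, eps=1e-12, tau=100.0, max_iter=500):
    """Gradient loop of steps 1-8: central-difference gradient of J, step tau
    halved until J decreases (my choice of line search), stop when the change
    of J between iterations is at most eps (my reading of the test in step 7)."""
    xi, j = xi0, optimal_cost(xs, us, xi0)                 # step 1
    for _ in range(max_iter):
        d = 1e-6                                           # steps 2-5 are inside optimal_cost
        grad = (optimal_cost(xs, us, xi + d) - optimal_cost(xs, us, xi - d)) / (2 * d)
        step = tau
        while True:                                        # step 6 with backtracking
            xi_new = xi - step * grad
            j_new = optimal_cost(xs, us, xi_new)
            if j_new <= j or step < 1e-12:
                break
            step /= 2.0
        if abs(j - j_new) <= eps:                          # step 7
            return xi_new, j_new                           # step 8
        xi, j = xi_new, j_new
    return xi, j


if __name__ == "__main__":
    record = make_incident_record(1.5)                     # hypothetical true intensity
    print("J profile:", [round(v, 5) for v in criterion_profile(*record, [0.0, 1.0, 1.5, 2.0, 3.0])])
    xi_hat, j_min = identify_xi(*record, xi0=0.0)
    print(f"recovered xi = {xi_hat:.4f}, J = {j_min:.3e}")
```

Because the record was generated with ξ = 1.5, the residual of (18) is zero there and J(1.5) = 0 up to rounding; for every other candidate the residual is a non-zero forcing term that the optimal control can only partly cancel, so J grows on both sides, and the gradient loop started at ξ = 0 walks to the true value. On a real incident record the minimum is not exactly zero (noise, model mismatch), and the quantity worth reporting alongside the recovered ξ is the depth of that minimum relative to the rest of the profile.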
For such attacks, cyber defenders should not only detect but also react quickly to mitigate potential damage. High values of the scaling parameter can pose risks to hardware components by threatening system stability. As shown in Figs. 7-9, at certain values of ξ the system state becomes unstable. The threshold value ξ = 9.4 (corresponding to Fig. 8) can be calculated with the necessary accuracy from (12). In the case of measurement intrusion, the stability boundary is determined by (10).

Figure 7: System state remains stable
Figure 8: Attack with the threshold value of the parameter
Figure 9: System state loses stability

5.2. Illustration of malicious activity at a specific time
Figures 10 and 11 illustrate scenarios where the malicious influence "activates" at a specific time rather than from the start. We observe a minor spike with low scaling parameter values (Fig. 10) and a clear change in the pattern with a more significant influence intensity (Fig. 11). Depending on the attacker's goal, small impacts can also lead to serious consequences as a result of tampering that affects intrusion detection systems.

Figure 10: Frequency deviation pattern under attack parameter ξ = 1
Figure 11: Frequency deviation pattern under attack parameter ξ = 7

6. Conclusions
Computer simulation results indicated that attacks with low values of the scaling parameter are not a threat to system stability but are challenging for anomaly detection systems to detect. Such attacks could be used by malicious actors to incrementally falsify historical data or poison machine-learning-based modules. We derived the conditions for stable system operation based on the values of the attack parameter. Additionally, an algorithm was proposed for estimating the control intensity of FDI attacks, enabling the collection of quantitative data on malicious strategies to support system resilience.

An analysis of typical attack patterns in modern energy facilities showed that certain classes of attacks require full knowledge of the system. This information (e.g., system parameters) can be indirectly recovered using control theory principles, similar to the algorithm proposed in this paper for identifying unknown attack parameters. This highlights the risks posed by "sniffing" as a method for gathering measurement data, underscoring the need for preventive measures against sniffing. Most data transfer protocols in AGC systems lack confidentiality by default, making them vulnerable. The proposed approach and algorithm can be used for numerical incident investigations, providing solid foundations for response strategies. Future research could focus on studying combined attack types and enhancing detection methods.

References
[1] M. Vrakopoulou, P. M. Esfahani, K. Margellos, J. Lygeros, G. Andersson, Cyber-Attacks in the Automatic Generation Control. In: S. Khaitan, J. McCalley, C. Liu (eds), Cyber Physical Systems Approach to Smart Electric Power Grid, Power Systems, Springer, Berlin, Heidelberg, 2015. doi: 10.1007/978-3-662-45928-7_11.
[2] P. S. Kundur, O. P. Malik, Power System Stability and Control, 2nd ed., McGraw Hill Education, New York, 2022. URL: https://lccn.loc.gov/2021062400.
[3] P. L. Goethals, N. M. Scala, D. T. Bennett, Mathematics in Cyber Research, 2022. doi: 10.1201/9780429354649.
[4] Y. Shen, M. Fei, D. Du, Cyber security study for power systems under denial of service attacks, SAGE Journals, Volume 41, Issue 6, 2017. doi: 10.1177/0142331217709528.
[5] A. M. Mohan, N. Meskin, H. Mehrjerdi, A Comprehensive Review of the Cyber-Attacks and Cyber-Security on Load Frequency Control of Power Systems, Energies, 13(15), 3860, 2020. doi: 10.3390/en13153860.
[6] C. Moya, On Cyber-Attacks against Modern Power Grids, Ph.D. Thesis, The Ohio State University, 2020. URL: https://dl.acm.org/doi/10.5555/AAI28890224.
[7] X. Li, P. Zhang, H. Dong, Robust Stealthy Covert Attacks on Cyber-Physical Systems, IFAC-PapersOnLine, Volume 55, Issue 6, 2022, pp. 520-525. doi: 10.1016/j.ifacol.2022.07.181.
[8] A. Ashok, A. Hahn, M. Govindarasu, Cyber-Physical Security of Wide-Area Monitoring, Protection and Control in a Smart Grid Environment, Journal of Advanced Research, 2013. doi: 10.1016/j.jare.2013.12.005.
[9] J. Ding, A. Qammar, Z. Zhang, A. Karim, H. Ning, Cyber Threats to Smart Grids: Review, Taxonomy, Potential Solutions, and Future Directions, Energies, 15, 6799, 2022. doi: 10.3390/en15186799.
[10] P. S. Kundur, O. P. Malik, Power System Stability and Control, 2nd ed., McGraw Hill Education, New York, 2022. URL: https://lccn.loc.gov/2021062400.
[11] Y. Kim, S. Hakak, A. Ghorbani, Smart grid security: Attacks and defense techniques, IET Smart Grid, 6, 2022. doi: 10.1049/stg2.12090.
[12] M. Ovcharuk, M. Ilin, Models of Denial of Service Attacks on Cyber-Physical Systems, Theoretical and Applied Cybersecurity, Vol. 5, No. 2, 2023. doi: 10.20535/tacs.2664-29132023.2.289459.
[13] Cyber Incident Reporting For Critical Infrastructure Act of 2022, Subtitle D, Cyber Incident Reporting. URL: https://www.cisa.gov/sites/default/files/2023-01/Cyber-Incident-Reporting-ForCriticalInfrastructure-Act-o-f2022_508.pdf.
[14] G. Vedmedenko, I. Stopochkina, O. Novikov, M. Ilin, Cascading effects simulation for cyber attacks on the power supply network, XXI International Scientific and Practical Conference "Information Technologies and Security" (ITS-2021), 09.12.2021. URL: http://ceur-ws.org/Vol-3241/.
[15] S. Saxena, S. Bhatia, R. Gupta, Cybersecurity analysis of load frequency control in power systems: A survey, Designs, 5(3), 52, 2021. doi: 10.3390/designs5030052.
[16] G. S. Kamboj, R. Dhiman, R. Choudhary, Automatic Generation Control of Two Areas in Interconnected Power System, International Journal of Engineering Research & Technology (IJERT), NCETEMS 2015, Vol. 3, Issue 10, 2015. URL: https://www.ijert.org/automatic-generation-control-of-two-areas-in-interconnected-power-system.
[17] S. Boyd, L. Vandenberghe, Convex Optimization, Cambridge University Press, Cambridge, 2004. URL: https://web.stanford.edu/~boyd/cvxbook/bv_cvxbook.pdf.
[18] M. R. Hestenes, E. Stiefel, Methods of Conjugate Gradients for Solving Linear Systems, Journal of Research of the National Bureau of Standards, 49(6), 409, 1952. doi: 10.6028/jres.049.044.