Enhancing Cybersecurity in Smart Grids: False Data Injection and Its Mitigation

Abstract

Integration of information technologies with power systems has unlocked unprecedented opportunities in optimization and control fields. Increased data collection and monitoring enable control systems to have a better understanding of the pseudo-real-time condition of power systems. In this fashion, more accurate and effective decisions can be made. This is the key towards mitigating negative impacts of novel technologies such as renewables and electric vehicles and increasing their share in the overall generation portfolio. However, such extensive information exchange has created cybersecurity vulnerabilities in power systems that were not encountered before. It is imperative that these vulnerabilities are understood well, and proper mitigation techniques are implemented. This paper presents an extensive study of cybersecurity concerns in Smart grids in line with latest developments. Relevant standardization and mitigation efforts are discussed in detail and then the classification of different cyber-attacks in smart grid domain with special focus on false data injection (FDI) attack, due to its high impact on different operations. Different uses of this attack as well as developed detection models and methods are analysed. Finally, impacts on smart grid operation and current challenges are presented for future research directions.

1. Introduction

The traditional electricity grid system of the 20th century is insufficient to meet today’s needs. Novel technologies such as Electric Vehicles (EVs), smart inverters and renewable energy-based generators are continually being deployed [1]. They change power system operation paradigms, introduce bi-lateral power flow and create a dynamic operation structure which was not originally envisioned [2]. To tackle these issues, power systems are equipped with more measurement, communication, and control capabilities. More accurate information about the grid’s current state can be obtained in this fashion, and a decision can be made in pseudo-real time [3]. This modern power system structure is collectively called the Smart Grid (SG). There are many definitions of SG concept, such as “A network where all consumers can reach efficient, cheap, accessible, and reliable energy by using control and communication technologies” [4]. Alternatively, SG is a system that is adaptive, reliable, interactive and allows for renewable energy sources integration and optimization [5,6]. In addition to these definitions, the National Institute of Standards and Technology (NIST) gives a high-level perspective and classifies SGs. Moreover, application characteristics and requirements of SG infrastructure are divided into different layers [7]:

• Application;
• Security;
• Communication;
• Control of Power;
• Power system.

As shown in Figure 1, SGs are divided into generation, transmission, distribution, service providers, and consumers. According to fields of study, control of power and communication technologies should solve possible problems encountered in the SG [7]. The working principles of all power electronics elements integrated into the network should be well analysed to achieve effective SG system [8]. Stable and efficient transmission of energy to the end customer is crucial for a reliable network implementation. If it is made, energy efficiency and local renewable energy usage will increase, and the ideal grid system will be realised by reducing the transmission losses [9].

Considering the vast geographical span of SGs and the number of devices they host, it is inevitable that the cybersecurity vulnerabilities become more prevalent than the other. Furthermore, the consequences of security breaches in such critical infrastructure will have significant ramifications, as all organizations with energy-providing authorities agree [10]. According to [11], SG can be considered an electrical system that uses cyber secure information and communication technologies. The system works to obtain a safe, reliable, and efficient computational intelligence system integrated with electricity transmission, generation, and distribution substations. It is possible to classify cybersecurity into three systems, as shown below in Figure 2: Smart energy, information, and communication systems listed under smart infrastructure system. They must work simultaneously with the smart management system and support its protection system [12]. Existing cybersecurity solutions have difficulties in meeting the needs of SG communication systems. When recent research is examined, it can be understood that traditional cybersecurity methods and algorithms have usually studied, and there are separate studies on power and communication regarding cyber risks. If critical systems such as the power system communication infrastructure have cybersecurity risks, that can have severe consequences and traditional risks are now included in risk assessments. However, SG communication systems security is a relatively new topic; few academic and experimental studies have been found [13].

A general assessment of the vulnerabilities can split into five categories:

• Interaction control framework security;
• Smart meter measurement security;
• Assessment of power system status security;
• Intelligent network communication convention security;
• Security analysis with SG simulation.

Cybersecurity in SGs is an emerging field [14]. Therefore, they need cybersecurity protection studies for each security component because traditional techniques are applied for the first time. Because the SG system is a cyber-physical and communication system, the power is also exchanged [15]. A thorough review that studies components of the SG system security is required. Several reviews focus only on bad data detection and state estimation attacks [16,17]. Moreover, both attacks’ effects may be different, and all processes should terminate within a certain period. The aims and objectives of the research focus on this point. This paper presents a comprehensive review of security concerns in different system parts of smart grids, different types of attacks, standards, and available mitigation techniques to fill this gap. Due to its enormous impact, False Data Injection (FDI) attack and detection methods are discussed in detail. The rest of the paper is organized as follows: Section 2 introduces the cybersecurity concerns in SGs and discusses the mitigation requirements. Section 3 reviews different types of cyber-attacks and discusses the impacts of attacks on SG. Section 4 introduces false data detection methods and proposed efficiency analysis, and Section 5 concludes the paper. See Appendix A for abbreviations and meanings. Main contributions of this survey paper are as follows:

• A thorough discussion on changing paradigms in power systems is presented. Different levels of communication and information exchange are discussed so that readers can grasp why smart grid cybersecurity became important in recent times.
• Different communication standards used in power system communication are studied. Issues that are unique to each standard and the protocols it uses are presented. Benefits and drawbacks of using single or multiple standards in a system are presented.
• A thorough review of SG attacks is performed so that readers can understand the types of attacks and their impacts on the system. Among these attacks, FDI attacks have significant potential to disrupt power system operation or cause damages. For this reason, a survey is performed on techniques developed to detect FDI attacks.
• Based on the discussions and insights of this work, future research directions are provided.

2. Cybersecurity Vulnerabilities in Smart Grids and Mitigation Requirements

Secure and safe operation of SG is critical for ensuring its effective operation [18]. Cybersecurity for the SG promotes both the grid’s reliability and the stability of the information transmitted [19]. SG automatically modifies electrical power and communication systems to optimize their operation. For example, SG is defined as “The transition from today’s power systems to future systems based on information, transmission and communication technologies” and it monitors all components to prevent its attacks because cybersecurity holds a special place in it [19]. The vital information can be understood in a way that all the security risks in the system can be protected with measures. In this context, it will be useful to examine some studies to understand mitigation requirements. Cybersecurity challenges and existing solutions within the SG environment are reviewed in [13] and [20]. This is classified as the SG communication security studies into software and hardware simulations [21,22,23]. Risk definition within the scope of information security can express the loss of integrity, privacy, or continuity in the data by using vulnerabilities in information data by malicious threats [24]. The security aspects, especially the Internet of Things (IoT) and the types of cyber threats facing the SG, are examined in [25], and the environmental conditions related to cybersecurity of the SG are split into three categories:

• Power grid vulnerabilities at the time of the cyber-attack;
• The facilitate of infraction to the control system;
• Describe the ease of earning control over the management system.

Cyber-attacks are dissociated into three steps: First step is the attacker has in mind to control the management and communication system. Once the management access is acquired, the attacker should identify the system to initiate a smart and effective malicious attack. In the third step, the attacker launches the control of SG component or tries to influence its operation. These attacks may be directed at power systems equipment [26] or auxiliary systems such as Advanced Metering Infrastructures (AMI) [27,28]. Security vulnerabilities in power and communication protocols can cause dangerous attacks on the SG system. When the content of the applied standards is examined to prevent this, it can be seen that they are based on authentication, encryption, and confidentiality technologies to ensure SG security. Malicious people may be interested in launching large-scale attacks on the smart grid with potentially unpredictable consequences. In light of these concerns, security is one of the most important issues in the SG’s current development and future deployment [14,29]. Figure 3 illustrates the importance of cyber security in SGs.

2.1. Cyber Security Requirements in SGs

The term “Cyber-Physical systems” (CPS) relates to the currently prevalent terms Industry 4.0, Internet of Things (IoT), Machine-to-Machine (M2M), the Internet of Everything, TSensors (Trillion Sensors), and the Fog. These reflect a view of a technology that profoundly engages the physical world with the information world [30].

Cyber means computed, communicated, and controlled but discrete, logical, and switched. On the other hand, physical means that systems are bound by physics laws and operating continuously. Cyber-Physical (CP) means the systems in which the cyber and physical systems are closely integrated at all environmental conditions and levels.

Therefore, SG is a typical CP System which integrates a physical energy transmission and distribution system with the cyber process of communication and control [31]. As SGs grow, millions of smart assets with two-way communication ability will be integrated. This situation causes new security problems in a large geographical area [32]. More complex system security can be obtained using real-time communication standards to modify the control system between generation, transmission, distribution, and consumers in the network structure [33].

In electrical infrastructures, various organizations have established some security standards to regulate issues such as the system’s proper operation, protection of information and against attacks. Various standards are established by the organizations working within the scope of cybersecurity in SGs. Some of the organizations that constitute these standards can be listed as follows.

International Society of Automation (ISA) [34], National Infrastructure Protection Plan (NIPP/CISA) within the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, being a shareholder with the National Institute for Hometown Security (NIHS) [35], National Institute of Standards and Technology (NIST) [36], Institute of Electrical and Electronics Engineers (IEEE), Computer Security Division (CSD), Computer Security Resource Center (CSRC), Organization for Standardization/International Electrotechnical Commission (ISO/IEC), Federal Energy Regulatory Commission (FERC), and The North American Electric Reliability Corporation (NERC) [37].

In addition to these organizations, ISO 17,799 (27,000 series) security standard is fundamental in establishing more secure, consistent, and scalable systems [38].

In this study, security standards are researched about all the SG parts, which is shown in Figure 4, and divided into three sections and then examined detail in the following section:

• Examining the firewalls of communication systems and the vulnerabilities in the protocols;
• Based on attacks on energy transmission and distribution systems;
• Applied for remote control security of the devices connected to the system.

2.2. Security Standards of Communication Systems Mitigation

Substation communication of SG plays a critical role in intelligent power energy system management. Therefore, communication security and related causes are crucial to power system security and should be carefully studied. Communication problems concerning information can be classified into five general categories for their objectives, availability, integrity, confidentiality, authenticity, and non-repudiation [6]. SG systems have too many interconnected devices. It is also highly susceptible to cyber-attacks due to security vulnerabilities found in devices connected to the network. The defence and security layers of SG protect the network against cyber-attacks, unwanted changes, and data theft. For reasons such as efficiency, cost, and integration to big data, SGs depend on comprehensive internet networks where common information is shared. Due to the internet networks to which SGs are connected, they are vulnerable to many attacks that cause interruption of power supplies [39,40]. This increase in security attacks has created a more demanding control requirement to ensure a smooth SG communication system. Therefore, it is exposed to the general problems and threats of internet networks.

As power systems become more secure and complex, SGs also need more connections to highly external networks, especially the internet. However, this commitment to the said external networks causes cybersecurity vulnerabilities and violations [41,42,43,44]. Therefore, all communication links in SG networks must have access to high security. When choosing encryption technologies and standards, the criticality and risks of the communication system that needs to be protected should be evaluated.

• The ISO 27,001 standard is vital in providing communication security. It defines the functions that must be performed within the scope of living information security. Information security management system (ISMS) standard defines the organizations’ needs to establish an ISMS. ISO/IEC 27,001 consists of twelve parts. These are risk operation, security of human resources, security policy, physical security, environmental security, communication and operation management, asset management, entry control, development and reparation, information security management, acquisition and business permanence management submission [33].
• The NIST standard started with the priorities determined by for SGs and added the subjects it determined. The eight priorities identified are: Meeting the demands and consumer energy adequacy, Large area application awareness, Energy storage, Electricity transport, Advanced measurement infrastructure, Distribution network management, Cybersecurity, and Network communication [41,42].
• The FERC SSEMP standard sets the standards that must be followed in communication networks connected to power systems [42].
• The Common Criteria (CC) that can be evaluated among the standards is internationally accepted SC evaluation criteria for information technology products. They were created as a result of the merger of The Information Technology Security Evaluation Criteria (ITSEC) in Europe, Trusted Computing Security Evaluation Criteria (TCSEC) in the USA, and Canadian Trusted Computer Product Evaluation Criteria (CTCPEC) [44] in Canada, which are accepted as information security evaluation criteria. CC are defined in the ISO/IEC 15,408 standard. It also defines the Evaluation Assurance Level (EAL) levels [44,45].
• AGA Report No. 12 Part 3 includes protection of SCADA Communications Networked Systems. It is focused on high-speed communication systems, including the Internet [44,45]. It is notable that AGA series are voluntary standards and do not mandate any companies to install encryption technology as recommended in the standards.
• Virtual Private Networks (VPNs) and Internet Protocol Security (IPSec) technologies provide the security of wired grids. A VPN system can make on top of existing CP networks, providing a safe communications contraption for message and information transmitted among two addresses. The data exchange in the middle of the web browser and the VPN device is encrypted with the Secure Sockets Layer (SSL), Transport Layer Security (TLS), SSL/TLS [46] or Secure Shell (SSH), which are high layer security mechanisms, can also be used [46,47].
• ISO/IEC 62,351 standard covers communication security issues for energy systems management and information sharing. It deals with communication protocols and network and operating systems [48]. IEC Standards provide communication and information security, security for profiles containing TCP/IP, Quality of service (QoS), mobility, multi-homing, and other enhancements essential for SG applications to be efficiently secured and well-controlled if TCP/IP is to be adopted [36].
• IEC S63 report generally includes status and advisory standards for smart grid cybersecurity requirements. It covers industrial security standards, access controls, identity management, secure network, wired and wireless connection standards [48].
• Security for profiles with Manufacturing Messaging Specifications (MMS) [49], Security for IEC 60870-5, and its derivatives (DNP) [50] Security for IEC 61,850 profiles, Elements (targets) to grid security can be counted [43].
• The level of security provided by the different degrees of wireless communication protocols is also varied. IEEE 802.11i [50] and IEEE 802.16e [51] standards can be used to safety wireless grids.
• IEC 61,850 structure provides digital fast communication and use Internet Protocol (IP) based addresses [52].
• Federal Information Processing Standard (FIPS) certifies the Advanced Encryption Standard (AES) [53].
• Triple Data Encryption Standard (3DES) [54] for robust security and high performance.

SG communication system has an architecture in which data collection and control can be performed [13]. Distributed control centre (DCC) supports metering and metering systems, power system stability, data management, power system activities, and data exchange control. Transformer centre includes Remote Management Units (RTU) and fuses, Human Machine Interfaces (HMI), Control and communication assets (equipment of switchers or routers), log servers, data collectors, and protocol gateways. Intelligent Electronic Devices (IED) are field equipment which includes a set of converter tools, tap changers, circuit terminators, phase measuring units (PMUs), and protection relays. It is defined in the IEC 61,850, when data transmitted with the IED contains the MAC (Media access control) address. When this address determines which device or equipment will receive this message, they allow data transmission with DCS securely. Accessibility means that data can be used to open, close, hold, and allow the system; they work in compliance with communication protocols. Therefore, this authentication allows authorization.

The purpose of security in the SG is to protect the user’s integrity [6]. The advanced smart grid system should prevent sensitive data from being exposed to unauthorized persons or harmed by others. The security definition should ensure that the smart grid system’s use does not endanger the individual’s privacy. Different stakeholders’ combined efforts, including government, consumers, industry, and academia, are needed [29].

Table 1. Classification of communication technologies in Smart Grid.

SG Structure	Category			Reference
Communication Technologies	Wireless	IEEE 802.15		[52,53]
		Wireless Mesh Network		[4,54]
		Cellular Communication		[55]
		Cognitive Radio		[56]
		Bluetooth, ZigBee, Microwave and Free Space Optical Communication		[4,6,11]
		Satellite Communication		[57]
	Wired	Fibre Optic Communication		[58]
		Powerline Communication	Broadband PLC Technology (BPLC)	[8,59,60]
			Narrowband PLC Technology (NBPLC)	[8,60,61]

summarizes communication technologies which have to work simultaneously with standards and protocols.

2.3. Security Standards of Generation, Distribution, and Transmission Systems Mitigation

Cybersecurity in the generation, transmission, and distribution of electrical energy should be considered together with all the power system components integrated on SG. Cauterizing the protection of the produced energy until it reaches the consumer is one of the main tasks of the SG. In this section, standards that will ensure the safe transmission of power to the user are examined.

• IEEE 2030-2011 Standard provides a guide for SGs electrical power systems, and energy technologies can be used together. It is the first combined application that includes IEEE 2030 standards in smart grids. Three additional standards complement in [62].
• IEEE P2030.1, Guidelines for Electrically Based Transport Infrastructures.
• IEEE P2030.2, Guidelines on the Interoperability of Energy Storage Systems Integrated in Electric Power Infrastructures.
• IEEE P2030.3, Guide to Test Practices for Electrical Energy Storage Equipment and Systems [62].
• IEC 1686-2007 is an informative document about the standards on cybersecurity features, capabilities, and functions for Smart Electronic Devices used in the substation and the security of critical infrastructures [47,48].
• NIST has proposed a 3-phase plan to fulfil the requirements of the Energy Independence and Security Treaty (EISA) and to set the standards initially required for the installation of smart grids [41]:
  • To engage with stakeholders to identify applicable standards and requirements, gaps and priorities in existing standards in the open process;
  • To create mutual usability of smart grids to ensure long-term operability;
  • To develop and implement a framework for compliance testing and certification.
• NERC 1200 standard covers energy transmission and distribution units, and studies in NERC 1200 CIP 002-1 and CIP 009-2 series have been extended to include production facilities [42].
• Federal Energy Regulatory Commission (FERC) compliance with standards has become an obligation for the energy industry [42]. Electricity transportation and distribution network management, one of the leading departments of NIST FERC, establishes the necessary safety standards for energy transmission and distribution.
• In the IEEE 1402-2000 (R2008) standard, the security of electrical power generation and distribution stations is mostly subject to the physical level, and leakages from the electronic environment are also included [63].
• Another standard aimed at controlling data is NISTIR 7628, which includes the three following topics on risk assessment and security analysis [36,64]:
  • The security architecture section: includes Cybersecurity strategy; Logical architecture, including high-level security requirements; Cryptography, and key management topics.
  • Requirements section: includes privacy and smart grid issues.
  • Supporting analysis and references section: concerning Vulnerability classification, Security in bottom-up smart networks analysis, Research and development on cybersecurity in smart networks, Overview of standard controls, Solutions used by switch power systems for security topics.

2.4. Security Standards of Control Systems Mitigation

Control systems in SGs are generally used in a distributed or centralized manner to manage power generation facilities. DCS can be thought of as a process control architecture that controls, in particular, more than one region’s integrated subsystem. The DCS is designed to oversee a smaller group of supervisors who share responsibilities in order to run the entire production operation [65].

Control is often used in conjunction with bilateral communication systems. During the process, parameters that should be controlled should be provided with high security through communication and control systems. Distributed Network Protocol 3 (DNP3) and Generic Object Oriented Substations Events (GOOSE), IEC 61,850 and IEC 608750-5 standards have been developed for control systems [14] to use the implementation of consistent security solutions, but adequate standardization has not been achieved yet [66]. Isolated industrial and distributed control systems are safely accepted, and cybersecurity dimension is substantially negligible in the first years of its installation. However, over time, the industrial control system and communication protocol standards have shifted to open international standards to control and monitor a geographically dispersed structure far apart from each other to increase productivity and efficiency and the need for internet or intranet connectivity [67].

Transportation, energy, medical, security, and logistical control systems are used for different purposes, such as using other protocols and services despite sharing similar characteristics [68]. For this reason, the additional control systems are used similar methods against cybersecurity threats. Control systems used for different purposes can be found in the SG as follows [53]: AMI, Building Automation Systems (BAS), Building Management Control Systems (BMCS), Closed-Circuit Television (CCTV) Surveillance Systems, CO2 Monitoring, Digital Signage Systems (DSS), Digital Video Management Systems (DVMS), Electronic Security Systems (ESS), Emergency Management Systems (EMMS), Energy Management Systems (EMS), Intrusion Detection Systems (IDS), Physical Access Control Systems (PACS), Public Safety/Land Mobile Radios, Renewable Energy Geothermal Systems (REGS), Renewable Energy Photovoltaic Systems (PVS), etc.

With these various purposes, the changes of paradigm, digitalization, standardization, and their impacts on the smart grids are summarized in

Table 2. Paradigm changes in power systems.

	Paradigm Change	Digitalization	Standardization
Impact On	Operation	Easy maintenance	Interoperability and Interchangeability
		Serves Scalability	Addition of new equipment is easy
		More and High-Quality	Paves the way for Plug and Play (PnP)
		Data Collection
	Cyber Security	Physical Security is compromised	Security by obscurity is lost
		Easier Access to Networks	Hackers can use legitimate models to identify
		Connectivity is disadvantageous	All the data objects are known

.

As shown in Table 2, standardization is needed for easy connection, integration, and operation. The digitalization has advantages as serving scalability, easy operation, and access to the communication networks and this connection can be used for malicious aims. However, this means attackers can model themselves as a legal device as a relay or circuit breaker, exchange information with other entities as the parameters and messages are well-known [13]. In order to ensure the stability, especially in Supervisory Control and Data Acquisition systems, Modbus: Master/Slave—Port 502, BACnet2: Master/Slave—Port 47,808, LonWorks/LonTalk3: Peer to Peer—Port 1679, DNP3: Master/Slave—Port 19,999, IEEE 802.x, ZigBee, and Bluetooth—Master/Slave Protocols [53] and standards in the following should be used.

• NIST SP 800-53, Standard titled security and privacy management for Federal Information Systems and Organizations (FISO), includes selecting a security control center, adapting the power lines to security control, recording control selection process, new methods and legal systems [36].
• ISA-SP99 production and control systems safety standard has been published in 2 technical report parts. The standard covers improving the accessibility, integrity and confidentiality of the elements and systems used in control. It aims to establish security control systems. It includes technical reports, specifically data to control systems, safety standards and publications [43].
• SA-99 contains advice and guidance on many security technology products for industrial automation and control systems. It deals with risk analysis, countermeasures, and cybersecurity management systems [48].
• NIST 800-82 provides a direct security checklist and provides security requirements and solutions for risk assessment studies. The standard examines the hardware and software components used in the cybersecurity infrastructure, makes recommendations for more secure network and application services, and provides examples [62]. NIST 800-82 control systems security guideline is listed under the following four sub-headings [59]:
  • An overview of the reasons for security needs as well as physical measures take in control systems;
  • Differences between control and communication systems within the scope of openness, threats, and events;
  • Suggestions for assembling security solutions into typical grid structures found in control systems, with decompression point on network distinction implementations;
  • Summary of managerial, operational, and technical controls.
• NERC 1300 standards are developed for the identification and certification of procedures. The standards can be applied to entities performing the specified activities such as control regions and generation company owners [43]. It contains comprehensive information on critical issues under the following headings [69]:
  • 1301 Security Management Issues;
  • 1302 Critical Cyber Assets;
  • 1303 Personnel Subjects and Training;
  • 1304 Electronic Security;
  • 1305 Physical Security;
  • 1306 System Security Management;
  • 1307 Incident Response Plans;
  • 1308 Recovery Plans.

Different species of control systems (CS) holding imitative behaviours and many of the suggestions from [53] are practicable and could be used as a sample to protec systems in the face of cyber-secure assaults. Even though numerous different systems such as construction, medical, transportation, defence, and logistics use different procedures and standards, they all run in similar modes and have similar characteristics to conventional CS [53].

3. Classifications of Cyber-Attacks in SGs

According to EPRI, all the parts of SGs must work in simultaneously in a secure way [48]. Thus, complete security cannot be provided without cybersecurity technologies, policies, and risk assessments and one of the most critical dimensions: education and awareness. This is because security vulnerabilities are also seen in the studies as mostly occurring depending on the human factor [29,55]. By overcoming the people in control of the system, it is much easier to circumvent antivirus software, systems reporting attacks, or bypass firewalls. Even if all technical regulations and security policies are developed and determined, users with lack of awareness will disable these technical solutions. Although information security gaps can never be eliminated, they can be reduced to an acceptable level by developing information security awareness among employees and transforming this awareness into behaviour [39]. All the attacks are critically dangerous for the infrastructure sector, but there is a great danger if they originate from a disgruntled insider who knows the system’s features. Institutions generally rely on existing SCADA systems’ tight physical security and consider that they are safe from such an attack. Therefore, when faced with an attack, they are exposed to severe losses and damages. When the attacker gains control over the system, the management and activation of the attack have begun. In this process, after the malware is loaded on computers, a connection is opened with the command-and-control systems that allows attackers to access infected systems remotely. After remote access was achieved, the attackers upgraded the privileged accounts, obtaining user credentials [70]. The SG works with advanced technologies such as big data, IoT, and cloud computing to preserve complex CPS security [71]. CPS refers to a system that monitors and controls people and their physical processes in the cyber world using advanced computing and communication technologies [72]. Since CPS security is important at all levels, attacks can have an effect on both cyber and physical infrastructure [73]. Due to its own physical and logical regulations, CPS is a crucial part of the SG. It regulates the infrastructures of communication, information technology (IT), security, automated control, protocols, standards, and features [74,75]. Moreover, the threat of cyber physical attack is a critical issue in human society, where an attacker can exploit and leverage vulnerabilities in the SG for personal advantage or to advance political goals [76]. Because of attacks challenge, NIST is working on the future power grid, which includes components for connectivity, electricity, and information [77], and it is considered the light shed between the physical and cyber worlds. SGs architecture and infrastructure are faced with cybersecurity attacks and challenges ranging from thefts, terrorism, natural disasters, etc. In the event of SG’s breakdown due to any of the threats, potential consequences include power system blackouts (small and large outages), IT infrastructure failures, false visualization of the actual system’s condition, damaged consumer devices, energy market chaos, endangered human safety, etc. [78].

It can be seen in Figure 5 [79] that CPS is an essential part of control systems architecture which is related to the field of integrated sensor and actuator networks [80]. Significant disruptions to critical infrastructures due to deliberate attacks on SG Control systems or unintentional attacks such as slammer worms can cause far more national economic damage than the infrastructure itself. For example, an attack [81] includes the examination, loading, and execution. The attackers used a virtual private network (VPN) to gain access to the control system. Then, workstations, servers, and some HMIs and logs are deleted with KillDisk software and other machines’ events to avoid leaving traces. It was stated that at least 27 transformers and 225,000 customers were affected due to the attack [81]. Results of an attack is provided in [82]:

• By stopping or delaying the flow of information between the control networks, the fulfilment of critical-time functions can be prevented;
• Threshold values that can damage or deactivate or turn off the hardware by unauthorized changes in instructions, commands, or alarm;
• It may create negative environmental consequences;
• Wrong information can be sent to system operators;
• Software or configuration settings can be changed;
• Operation of security systems that may endanger human life can be intervened.

The criticality and sensitivity of the infrastructures managed by CS have made it one of the primary targets of cyber terrorism and cyber warfare. Therefore, it is vital to analyse it in depth to reveal gaps in control systems’ protocols and components [81]. Only in this way it will be possible to take precautions against the detected gaps and prevent them from being re-exploited by the attackers [82,83]. As discussed in the study [84], vulnerabilities in control systems can cause attackers to infiltrate the network, access control software, and cause unwanted damage by changing the systems’ operating conditions. All connections used that only belong to the relevant institution and organization can be very useful in preventing unauthorized access and keeping the network confidential. However, it is impossible to manage systems with such an “isolated” network today, which is almost mandatory to use interconnected networks [85]. A significant part of the communication or control system attacks is not disclosed to the public by many countries due to bad reputation. However, most of the research work in CPS security focused on transmission or control systems.

Accordingly, a great deal of the assumptions made for attacks formulation and detection algorithms do not hold for both systems [81]. The renewal and integration of SG communication sheets in the power grids have authorized significant improvements and have composed new issues and challenges. In this way, the communication architecture is operated to receive real-time (RT) data between control and digital centres. This combination has allowed a few challenges like incorporating high DER’s [82] and sufficient microgrids coupling [83]. Besides, integrating the AMI has authorized two-way communication between customers and utilities and the constitutional ingredient of demand side management [84]. However, when communication architecture includes a large geographic area, power and control systems become vulnerable to CPS attacks, which was recently assumed as one of the most crucial issues for SG [85,86,87,88,89,90].

The most threats and hazardous attacks in the world are examined in detail with a timeline in Figure 6 for the last two decades. It can be seen different countries were affected and miscellaneous systems have been damaged for years since 1982. Moreover, the impacts of these malicious attacks are summarized.

Unwanted events that may be encountered in smart grids can be summarized as follows:

• Disruption of control and monitoring operations as a result of blocking or delay of information carried on the network;
• Endangering the lives of the environment, employees, and other people as a result of the system components being shut down, disabled, or damaged by unauthorized modification of commands, instructions, and alarm thresholds;
• The adverse effects of situations that cause operators to send inappropriate commands by sending incorrect information to system operators or hiding unauthorized changes risk people’s lives by intervening in secure systems.

Malicious CPS attacks can have severe impacts ranging from economic effects to partial malfunctioning of equipment, all the way to cascading failures and shut-down of entire power systems [54,86].

These attacks can target both the cyber part, which consists of the software and communication layer, and the physical part, which consists of the electrical power devices [91]. Common attack templates include, but are not limited to, man in the middle attacks [92], rogue devices attacks [81], denial of service attacks [86], false data injection (FDI) [16] attacks, etc. While a variety of hazardous attacks that can be classified according to the purpose, target, or effects generally can be expressed as follows.

3.1. Denial of Service (Dos) Attacks

DoS (Denial of Service) means disrupting the service or destroying the function of the service. It does not allow users to access or offer prolonged service. The purpose of the DoS attack type is to exceed the limit of resources and disable the system. The attack usually occurs over a single Internet Protocol (IP), and in this case, it can be prevented by using a Firewall [86,93].

3.2. Distributed Denial of Service (DDos) Attacks

DDoS aimed to disrupt the service or make it unable to provide any service like DoS. The attacker created it before the target’s attack with the machine or computer community. However, the attacker can easily be concealed without revealing their identity. Unlike the DoS attack, many machines are used in a DDoS attack, and IP detection is more complicated than others. A firewall may not be sufficient, making DDoS more dangerous and effective than DoS attack. Moreover, Distributed Reflective Denial of Service (DRDoS) is similar to DDoS and uses additional networks to attack more frequently. Attacks on the protocol, grid operation control, communication infrastructure, bandwidth, consistency observation, and billing mechanisms are all possible forms of DDoS attacks in the SG environment [86,93].

3.3. Packet Sniffing Attacks

This type of attacks is designed to capture information packets in the network and read their content. The term of sniffing is to listen to data traffic. An attacker aims to capture and store all data between two entities by monitoring the network traffic. It is one of the most used methods, and connections must be encrypted for protection [81].

3.4. Man in the Middle (MitM) Attacks

MitM attack consists of three systems, one attacker and two victim computers. The attack starts when the attacker sending signals to the first victim system claims that it is the second victim system while sending other signals to the second victim system, indicating that it is the first victim system. The first victim sends all packages to the attacker, transmitted to the second victim via himself with the MitM effect. When the fake connection is established, the victim thinks they are using the usual network connection. MitM attacks are most commonly carried out by taking advantage of the Address Resolution Protocol (ARP) and changing the MAC address information expressed as ARP poisoning. In parallel with the proliferation of internet networks, security vulnerabilities have increased [94]. Approximately 30 years have passed since the vulnerability in the ARP protocol was detected. However, damaging systems is still one of the widely used methods. This result shows that the security measures taken were insufficient [95,96,97]. Especially considering how easy it is to join and leave the mobile network, which is widespread today; the difficulty of preventing ARP poisoning and MitM attack is clearly understood.

3.5. Ip Spoofing Attacks

Internet Protocol (IP) connection between computers is provided through various protocols. When connected to another computer through these protocols, the connected computer introduces its identity to the other party. The real IP address of a connected computer not shown is the concealment of the actual identity called IP spoofing. The computer receiving the fake IP packet cannot detect whether the packet came from the address from which it was sent. Although this is possible in theory, in practice, it will not be possible to connect to someone else’s computer from a different IP unless the system on the other side is seized. Deception is generally used to hide the source during an attack [98,99].

3.6. SQL Injection Attacks

Today, numerous databases are designed to comply with codes written in Structured Query Language (SQL), then many websites that receive information from users receive this data to SQL databases. Attackers take control of victims’ databases by exploiting SQL vulnerabilities. For example, in a SQL injection attack, a hacker writes some SQL codes into a web form which requests identification information. If the website and database are not checked correctly, the database may experiment to run these codes [95].

3.7. Command Manipulation Attacks

Usually, these types of attacks are directly targeted the servers unlike SQL injection. It targets access to information on the operating system, database management system, and server remotely using the web application’s command line. There are applications such as Code manipulation or Database manipulation attacks depending on the usage [24,99].

3.8. Chameleon Attacks

Working like a typical program, the “chameleon” actually applies several tricks and deceptions, saving usernames and passwords in multi-user systems thanks to its ability to mimic a secret file, warning that the system will be shut down temporarily for maintenance. Using the chameleon program seizes the usernames and passwords by accessing this secret file [97].

3.9. Keylogger Attacks

Key loggers are spy programs that record keyboard operations. Unaware of the user, they record every key touched on the keyboard and send them to previously determined addresses when they find the opportunity. Due to such software recording keyboard operations, it can be understood how dangerous is the information containing the users’ private information [98].

3.10. Back Door Attacks

The attacks methods provide remote access. It can pass without found by the normal authentication processes on the computer. Hackers who make a laborious effort to infiltrate a system want to add an easier way to access the same system. The most common backdoor method is to keep a port on the target system with an attached listening agent open. Backdoor attacks are mostly malicious software that can infiltrate the target system. When many viruses infect a computer, they always try to open a backdoor. Malicious people who are aware of this situation can use these structures. One of the most famous claims about the backdoor is that Microsoft has installed a backdoor for the NSA (American National Security Agency, Fort Meade, MD, USA) in all versions of the Windows operating system. This claim is an additional input key in the name of NSAKey in the CryptoAPI structure found in all versions of Microsoft [99].

3.11. Supply Chain Attacks

An attack could contain any methods which come to an agreement with system’s accuracy prior to it being delivered. When the supply chain needs high sophistication attacking, current statements propose that of plenty foreign network devices may include back door attacks that ensure unauthorized users access [100]. Supply chain attacks do not need any hacker person to access the physical system. Supply chain matters are also associated to the need to have confidence in system updates and pieces utilized in improved cyberattacks [101].

3.12. Spywares and Malware Attacks

The primary purpose of these software, which cannot be called viruses in the full sense, is to collect information from the computer where they are installed and send it to the people who created these programs. The danger of this software to the computer or control systems may differ in their degree of spying, and they can be considered more innocent than other malicious software. On the other hand, the most dangerous derivatives can access user information by changing the data.

Software is intended to implement an unauthorized process that will harm the confidentiality, knowledge system’s credibility, or functionality in the following terms: a virus or other command based asset contaminates a host. Some forms of Spyware are also examples of Malware attacks with malicious code [36].

3.13. Trojan Horses

It can be defined as computer software that appears to have a useful function and contains hidden and potentially harmful functions that can bypass security mechanisms and sometimes exploit the legitimate authority of a control and communication system unit [71,102]. Since they are confusing terms, it is useful to highlight the feature that distinguish viruses from Trojans, Worms, and Stuxnet here:

• Trojans appear to be harmless software that do not interfere with the system. However, when a situation arises, they will come into play and exploit times for other malicious applications.
• Worms are programs on their own that can spread themselves in the net. On the contrary, a virus is not a self-sufficient program to infect. It spreads by attaching itself to other files, but if the infected file is not opened, the virus cannot spread to other environments [36,102].
• Stuxnet is using spread USB devices and changing the Ladder logic code of PLCs [70]. This attack involves human factors as well as technology and process management.

3.14. Rogue Devices Attacks

These attacks give attackers an excellent opportunity to settle with the supply chain attacks and then re-install malicious software into a device before shipment to target location and later use it as a backdoor attack [100].

3.15. False Data Injection Attacks (FDIA)

False Data Injection Attacks aim to inject malicious measurements and modify the results. FDIA could violate data integrity in various regions as transmission, communication, generation, control, etc.

It can be seen in a different part of the SG that contains data. In this section, the FDIA will be evaluated in the grid without categorizing. It will be examined with the same approach for all regions. Figure 7 depicts the diagram of the following formulated system [100].

In terms of common features in systems, basic principles of FDIA can be formulated as follows [102]:

Let $z_d$ represent the measurements vector which contains false and malicious data, and $z_d$ can be formulated as; $z_d=z+d$, where z is the original vector measurements $z={(z_1,z_2,\dots ,z_m)}^T,$ and d is false or malicious data $d={(d_1,d_2,\dots ,d_m)}^T$which added to the original measurements. It is referred to d as a false data attack vector. The element of $d_i$ means non-zero, and the attacker conciliates the i_th meter and then displaces its original mensuration $z_{i }$with a false extent $z_i+d_i$. Let ${\widehat{X}}_{false }$ and $\widehat{x}$ specify the forecasts of x using the false mensuration’s $z_d$ and the original values z, respectively. ${\widehat{X}}_{false }$may be written as $\widehat{x}+f$, where f is a non-zero n-dimensional vector. It is worth noting that f states the attacker’s calculation error. The intruder, on the other hand, should choose f as a linear combination of H’s column vectors (i.e., d = H_f). Therefore, FDIA with complete information is following and $z_d$ can pass the detector as long as z is able to pass it [102]. It is assumed that an attacker accesses the H matrix and injects false measurements in [103], m meters provide m measurements $z_1,\dots ,z_m$, and also, it is assumed that there are n state variables $x_1,\dots ,z_n$. The m × n matrix H can be characterized by a relationship between m meter measurements and n state variables. The measurement noise [104] is formulated with W diagonal matrix as

$$\widehat{x}={\left(H^{T}WH\right)}^{-1}{H}^T{W}_Z$$

(1)

In [102], an attack in which the attack vector d equals H_f, where f is an arbitrary non-zero vector, is a false data injection attack. Seeing that z can pass the detection and where τ is the threshold, $\Vert z-H\widehat{X}\Vert \le \mathsf{\tau }$ is had; then, the vector of estimated state variables acquired from $z_d$ can be demonstrated as $\widehat{x}+f$. Described previously if $d=H_f$, the resulting measurement follows:

$$\Vert z-H{\widehat{X}}_{false}\Vert =\Vert z+d-H\left(\widehat{x}+f\right)\Vert$$

$$=\Vert z-H\widehat{x}+\left(d-Hf\right)\Vert$$

$$=\Vert z-H\widehat{x}\Vert \le \mathsf{\tau }$$

(2)

Attackers generate malicious measurements based on the H matrix and then inject it by starting FDIAs; they can manage the injected false data to overcome the bad measurement detection and represent random errors into the state estimation (SE) output. On the contrary, if attackers have no complete information about H matrix, if $d\ne H_f$, φ error matrix is created, then the solution of the state estimation follows:

$${\widehat{x}}_d={\left(H^{T}WH\right)}^{-1}{H}^T{W}_{Zd}$$

$$={\left(H^{T}WH\right)}^{-1}{H}^{T}W\left(z+d\right)$$

$$={\left(H^{T}WH\right)}^{-1}{H}^{T}W\left(z+H_f+{\phi }_f\right)$$

$$=\widehat{x}+f+{\left(H^{T}WH\right)}^{-1}{H}^{T}W{\phi }_f$$

$$=\widehat{x}+\overline{f}$$

(3)

$$\mathrm{where} \overline{f}=f+{\left(H^{T}WH\right)}^{-1}{H}^{T}W{\phi }_f$$

(4)

The attacker aims to hack the multiple sensors and phasor measurement units (PMUs) readings to mislead the smart grid’s decision-making process in FDIA [103,104]. False Data Injection is one of the most dangerous types of attack among cyber-attacks. Therefore, it should be examined most carefully. Due to its high level of importance, FDIAs are currently the most studied cyber-physical SG security attacks [105]. For example; two versions of FDIA scenarios have been found in [56] where in Generalized and Random FDIA, an attacker uses small false data error in measurements and has some necessities for an accomplished attack, like they must comprehend the topology of the energy system to control and manipulate the measurement of the AMI. In random FDIA, attackers direct a wrong estimation. Figure 8 shows various false data injection attacks scenarios on smart grid [106].

In [107], the study is examined with the architectural structure of FDIA and divided into two mains criteria’s: cyber and physical. According to [108], it only focused on the physical criteria and the extensive classification of [107] study and a new control centre model. Authors in [109] finished the work in [108] and their formulation studied the impact of state estimation of FDIAs on electricity market operations.

In the AC power transmission system, FDI attacks on the SE are summarized in [92,110,111] as a stealthy FDI attack with two steps.

The first, “Intrusion into the System” is examined. If the attacker who trying to intervene in the system is on the outside of the system, he attacks the system using one or more of the usual cyber hacks by endangering the wired or wireless communication channel. In addition to this situation, the attacker may be successful in integrating malware. In this case, the attacker may be capable of stealing system information, particularly the bus topology.

The second step is “Carry out stealthy FDI attack” aims to perform a stealthy FDIA by changing the measurement data. The manager supposes that the data are right and also estimates the other values based on this false assumption. It causes the system to reverse and hence an incorrect condition causing malfunctions or substantial deductions.

Another type of FDIA presented in [112] on power system protection suggests two targeted attack scenarios: fake safe and fake vulnerable signal attacks. The first fake protected signal attack attempts to trick the control centre into performing a required corrective acts such as load shedding and neglecting a power line peak demand by switching from an unstable to a secure state. The second fake unstable signal attack attempts to move from a safe to an insecure state in order to deceive the control centre into performing inappropriate corrective steps, thus inflating costs unnecessarily.

Security-constrained economic dispatch (SCED) proposed in [112], and SCED FDIAs can be divided into two types: attack optimizing operating cost and attack causing overload. The first is to boost the cost of generation or load shedding or to make an illegitimate profit [113]. The second group aims to overwhelm power lines in order to inflict physical harm [114].

Contingency analysis (CA) is one of the significant functions of power system security. These kinds of FDIAs are proposed in [115]; an attacker who knows network topology and system parameters can smoothly run the control algorithm to have the contingency list. CA can calculate complexity in real-time power market operations, flow-based SCED with DC assumptions.

The study [115] constructs an attack vector by modifying the contingency list using both analogue and optical dimensions. The problem is modelled as a mixed-integer non-linear programming-based (MINLP) optimization problem, and the physical and economic effects of these attacks on the SG power system have been quantified.

The attackers inject types, and FDIA measurement reports aim to disrupt the smart grid operation through the compromised meters and sensors [116]. FDIA attacks can disrupt the grid system state estimation and cause energy distribution false. Moreover, meters and sensors lacking tamper-resistance hardware increase the possibility to be compromised. The injecting FDIA types of energy systems are [116]:

• Energy-request Deceiving Attack;
• The attacker compromises demand-nodes and injects a forged quantity of demanded energy;
• Energy-supply Deceiving Attack;
• The attacker compromises supply nodes and injects a forged quantity of energy that it could provide to the grid.

Different FDIAs classifications divided into three-level classifications proposed in [117]. The FDIAs are categorized concerning the targeted systems at the first level, second is targeted subsystems and can be divided into subsystems and the attack’s impact, which can be physical and economic attacks targeting the subsystems at the third level. According to [116], another FDIA attack assumes that the hacker can only reach specific measurements due to the meters’ different physical protections. With this study "building a valid FDIA by minimizing the number of attached meters", research started, and several attacks with various conclusions and aims have been suggested on the basis of this analysis.

FDI attacks are divided into random and target FDI attacks in [118,119]. In random FDI, attackers aim to inject any false data to cause bad state estimation in the state variables. The target FDI is injecting an attack vector that causes an error into certain state variables. Other types of FDI attacks, such as scaling, ramp, and pulse are proposed in [120]. Previous studies have mostly focused on the FDIA issue in the transmission network. Unlike them, [110] proposes attack models in transmission, storage, and micro-grid networks, with a focus on determining the effect of FDIA on the power grid’s economic and stable activity.

FDI attacks are described into three major categories as Bad Data Injection Attacks, Replay Attacks (RA), and Zero Dynamics Attacks (ZDA), and many end devices that enable the smooth functionalities of energy systems even from a remote area are proposed in [85]. The RAs are challenging to detect due to cryptography operations’ limited capability [96,109]. ZDAs indicate a cluster of attacks using unstable zeros as the bug to attack smart meters [121,122]. Then, they will inject the false output through the communication channel. In the end, the real state increases as the time passes, while nearing close to the output-nulling space. In this way, the corresponding outcome is referred to as a stealthy attack and too close to zero [82].

FDI attacks aim to mislead the service providers, disable the sensor nodes to cause service failure between physical systems and the networks, or hijack the communication channels [123]. There are two points to consider in order to understand the success of an attack target:

• The first is to access data by infiltrating the current energy system. This way, data in sandboxes can also be manipulated.
• Second, they control data without being detected [24,25,42,78,124,125]. A successful attack can reduce the actual flow of power to destabilize energy systems [126]. As a result, FDI Attacks pose major threats to both energy systems and communication and other physical systems and are difficult to detect in real-time [100,117,127,128].

The FDIA and all its derivatives aim to damage transmitted data; this may cause a chain reaction between different systems in SG, when an attack is accessed in the communication system can affect the transmission or generation system [17,114,119,129,130].

According to the general nature of all FDI, attacks have the same goal [126]. The objectives are to use physical systems or malicious packets to deceive service providers, capture communication channels, or disable sensor nodes and create an attack that bypasses the traditional bad data detector [71,127,131]. By the way, Detection methods are examined in the following section.

4. False Data Injection Attacks Detection Modelling and Methods

The mathematical formulation for modelling false data injection attack (FDIA) for both power and communication system and how stealthy FDIAs are carried out on SG describes in this section.

4.1. Mathematical Modelling of False Data Injection Attacks Detection

An attacker can inject a malicious attack in a vectorial form with perfect knowledge of the Jacobian matrix and FDIA calculation described previously. So, the mathematical formulation of FDIA detection should be understood clearly. It is aimed to make sure that the FDIA vector elements are the same in the sense of energy, so the comparison stage and simulations are current and significant.

The classic FDIA detector $J\left(\widehat{x}\right)$ is created first in [132] with hypothesis test in to detect FDIA, H₀ and H₁. H₀ is the null hypothesis, where the measurement is valid; and H₁ is the alternative hypothesis, where the measurement is under attack. So, $J\left(\widehat{x}\right)$ as follows:

$$r^{T}W{r}_{H_1}^{H_0 }\gtrless \gamma$$

(5)

Meanwhile in [133], if ${\epsilon }_0=Trace\left({\Sigma }_x-KH{\Sigma }_x\right)$offers minimum mean square error (MMSE), when it is in the asset of the attack would be ${\epsilon }_0+\Vert Ka{\Vert }_2^2$ which refers MMSE can be controlled by energy. In the MMSE, an optimum attack is produced with the minimum residue to limit the probability of detection that can be formed: $min\Vert Ga{\Vert }_2^2$ subject to $\Vert Ka{\Vert }_2^2 \ge \mathrm{C}$where $G\triangleq I-HK$ and C is attack’s minimum energy value. The sparsity pattern presented in [134] and assumed the full measurement assumption.

4.2. Detection Methods of FDIA

The detection part of cyber-security in SG is vital for resisting cyberattacks in its large-volume data-driven architecture. In this architecture, cybersecurity has become more complicated than before, and traditional manual and signature-based approaches are no longer useful have revealed the need for a new approach [99]. Thus, it has been heavily investigated in contemporary literature. The signature-based detection approaches for FDIAs have not prepared for data challenges caused by the large-scale deployment of PMU in the CPS on SG. Real-time big data produced by PMU causes storage and computational issues [133,134,135].

However, there is a remarkable fact that this issue becomes an opportunity for data analytics techniques such as Machine Learning (ML) to detect and block FDIAs. ML has excellent non-linear analysis capabilities to detect FDIA in more complex systems when more data is obtained from the system; it can be solving the challenges easier [133]. Thus, it is applied very beneficially in the smart grid’s cybersecurity areas with complex sensor networks.

For detecting FDIA, general ML techniques artificial neural network (ANN) and support vector machines (SVM) were the most recent works and used previously, while implementation of other techniques in such detection was also conducted. Different methods for detecting and identifying FDIA on SG have been proposed to in this section. Classify of different FDIA detection methods are depicted in

Table 3. Overview of FDIA detection methods in the SGs.

Detection Methods	References	Year	Datasets
MGD Based	[16]	2017	Synthetic Datasets in Matpower
KPCA	[17]	2020	Synthetic Datasets in Matpower
FFNN	[111]	2020	Random Data simulated in Matpower
RF, Adaboost	[128]	2019	Synthetic Datasets in Matpower
CDBN	[131]	2017	Synthetic Datasets in Matpower
Perceptron, k-NN, SLR	[137]	2016	Synthetic Datasets in Matpower
XGBoost	[138]	2019	Provided by Endsea
KF, DKF, EKF	[141,142,143,144]	2017, 2018	Simulated
DSVM	[145]	2017	Synthetic Datasets in Matpower
MSA	[146]	2017	Synthetic Datasets in Simulink
UIO	[147]	2019	Random Data for each grid subarea
OCSVM	[155]	2018	Synthetic Datasets in Matpower
DT and SVM	[156]	2016	Real Dataset in USA
SVM Based	[157]	2016	Smart Energy Datasets from Ireland
S3VM Based	[158]	2019	Irish Smart Energy Trial Data
ANN	[159]	2013	Real Datasets in Brazil
PARX	[160]	2016	Synthetic Datasets in Matpower
ARIMA and ANN	[161]	2015	Real Datasets in Amsterdam
GBTD	[162]	2019	Irish Smart Energy Trial Data
RNN	[163]	2018	Synthetic Datasets in Matpower
CNN and Encryption	[164]	2019	Released by SGCC
MFEFD	[165]	2019	Irish Smart Energy Trial Data
KLD Based	[166]	2015	Synthetic Datasets in Matpower
SARSA	[167]	2018	Synthetic Datasets in Matpower
ISOF	[168]	2019	Synthetic Datasets in Matpower
Deep autoencoder	[169]	2019	Real PMU data
GAN	[170]	2019	IoT-based smart home data
RNN and CNN	[171]	2019	Released by SGCC
MLR and NN	[172]	2019	CEFcom 2012
NNS and Game Theory	[173]	2019	Synthetic Datasets in Matpower
NB	[174]	2019	ISO New England
POMDP	[167]	2018	Synthetic Datasets in Matpower
LR and DBSCAN	[175]	2018	Real PMU Data
DRE	[176]	2016	Synthetic Datasets in Matpower
SVM & ANN	[177]	2019	Nigerian Power Grid
C-Vine Copulas Based	[178]	2016	Low carbon London load dataset
DNN and LRC	[179]	2019	Released by SGCC
GoDec	[180]	2011	Simulated
ALM-based, LMaFit, GoDec	[181]	2018	Simulated
D-FACTS	[182]	2012	Synthetic Datasets in Matpower
D-FACTS	[183]	2014	Random Data simulated in Matpower
NARX	[184]	2019	Synthetic Datasets in Matpower
RPCA	[185]	2011	Released by SGCC
LMP	[186]	2011	Real Time Marketing Data
Subspace Methods	[187]	2015	Simulated Probability Detections

. The attack to data integrity is a significant threat to energy consumption and the state estimation process. It becomes possible for attackers to make control centres and wrong decisions through manipulations of various SG measurements [136]. Remarkable methods are used for data integrity aim are particle swarm optimization (PSO), Bayesian framework (BF), Adaboost, Random Forests (RF), and Common Path Mining Method [128,137,138,139,140]. In [119], data analytical approaches are analysed, and the Margin-setting algorithm (MSA) is a novel data analytical approach applied to the system based on ML and MSA; it reaches better results than the ANN and SWM methods. It is the first work to use MSA to detect FDIAs. Kalman Filter (KF) is one of the primary detection methods for power state estimation process on online operation [141]. In [142], KF was utilized to detect FDIA in automatic generation control (AGC) systems. Extended Kalman filter (EKF) proposed in [143], and Distributed Kalman Filter (DKF) can be found in [144]. The benefit of EKF provides to reach more precise estimate and detection of FDIA. According to [145] distributed support vector machine (DSVM) algorithm is studied for training and principal component analysis (PCA) on an IEEE 118-bus system simulated by MATPOWER. In [146], a detection method on phasor measurement unit (PMU) using MSA for spherical classification with data from an IEEE 6 bus system simulated in MATLAB. The result is that FDIAs are stealth attacks that can overcome the existing detection scheme [146]. In [137] the methods used were perceptron, kernels nearest neighbours (k-NN), SVM with Gaussian and linear kernels, sparse logistic regression (SLR), and the semi-supervised SVM (S3VM) studied on the models with using IEEE 9, 57, and 118 bus systems. In [131] conditional deep belief network (CDBN) which have one of the various deep neural network infrastructures, so catching is proposed to the high-dimensional temporal characteristics of the stealthy FDI attacks. Unknown input observation (UIO) was used in FDIA detection in [147]. The method which used supervised learning to classify measurement data is proposed in [137], and it was capable of identifying unobservable attacks and predict attacks using observation sets. Euclidean distance-based approach is proposed in [148] to detect FDIAs. They have also investigated on feature selection schemes with less complexity with improved accuracy that studied genetic algorithm for BDD. In [149] FDIA and stealth attack detections in wide area measurement in SG monitoring system is examined.

ML and Deep Learning methods for intrusion detection examined in detail for different categories in [150]. Detection of electricity theft is discussed in [151]. ML techniques such as PCA [125,145,152,153], game theory approaches [113], and the Stackelberg game [154] can be used for detecting energy theft. Five ML models k-NN, SVM, ANN, NB, and DT, and tested all proposed approaches on MATPOWER are used in [146].

Furthermore, [155] is used one-class SVM (OCSVM), robust covariance (RC), isolation forest (ISOF), and local outlier factor (LOF) as individual classifiers for detection FDIA.

A feed-forward neural network (FFNN) is proposed in [111] for stealthy FDIA detection with used random forest for feature selection and compared the deep learning scheme with three methods as gradient boosting machines (GBM), generalized linear models (GLM), and the distributed random forests (DRF). Isolation forest (ISOF) is used in [155] to detect FDI attacks with simulated data; it reduces the data’s dimensionality using PCA, to show that ISOF outperforms their findings using four ML methods: SVM, k-NN, NB, and MLP. It does not say how long it took to train the models, but the fact that ISOF outperformed the other models is surprising. On the same sample, supervised models do better than unsupervised models in terms of precision.

Another FDIA detection method is presented in [171], a framework with anomaly and FDIA detectors. LSTM-based CNN are used for time series anomalies of attacks formulation. RNN with an LSTM cell is delivered to get the dynamic behaviour of cyber activities on IEEE 39 bus system.

SAE, one of the DNN architectures with advanced feature extractor and LRC, used to detect anomalies caused by stealthy FDI attacks, is proposed in [179]. A classification scheme which is based on ERT algorithm and KPCA is presented in [17] and used for dimensionality degradation. A sparse PCA approximation-based method used sparse data sets to aim recovery functions which precision is inversely proportional to the sparsity of available data presented in [153]. A detection method using a semi-supervised ML technique known as the DRE is proposed [176]. It aims to validate a semi-supervised approach by comparing its performance with SVM and MLP; and four-phase classification is proposed in [16]:

• Dimension degradation using PCA;
• Mixed Gaussian model structure using a positively labelled set;
• Collection of classification thresholds using a mixed dataset;
• An unlabelled dataset was used for testing.

Another detection mechanism using SARSA(λ) is proposed in [167]: reinforcement learning algorithm with formulated problem of stealthy FDIA detection as a POMDP.

In FDIA detection as matrix separation problem, it is difficult to get global optimum [180]. To address that, four algorithms are proposed in [181], the traditional ALM, double-noise-dual-problem ALM (DNDP-ALM), the LMaFit, and “Bilateral random projections (BRP) with Go Decomposition (GoDec)”. GoDec achieves higher efficiency than others. Another new detection approach using D-FACTS (Distributed Flexible AC Transmission System) is analysed in [182,183].

ANN-based State estimation method NARX in [184] and Robust Principal Component Analysis (RPCA) are examined in [185]. LMP method for FDIA detection is used in [186]. Different subspace methods and examined [187] Bayesian or another dynamic state approaches might be more appropriate to detection FDIA.

An attacker can increase his current attack’s privacy with an alternative attack password, turning it into an undetectable FDI attack. It can be named “Blind FDIA” [188]. PCA based attacks can occur if there is a significant error in the measurement data and ALM-based stealth FDI attacks can be successfully injected [188]. MTD to detect blind FDIA is implemented in [189]. Moreover, [190] is used PCA to Blind False Data Injection Attack.

Data Driven [191] and Geometric Approach are used to detect blind false data injection in [192].

Observations can be made from the review of the studies above and the works listed in Table 3:

• The researchers had attempted various approaches. However, no attempts to use general SG-based learning approach have been undertaken up to now.
• Almost all the studies used simulated datasets for validating their methods. Power flow data from the Ireland power grid is used in [162], but it seeded synthetic attacks into the dataset later or [177] used data from the Nigerian power grid, but it seeded synthetic attacks into the dataset.
• A few works mentioned here used classifiers as individual methods for communication or power but none used any ensemble fields method.

All the mentioned attacks are caused by the security vulnerabilities used with the standards examined in the table below. In this sense, the mitigations of the protocols most preferred by the standards are summarized in

Table 4. Vulnerabilities of protocols.

	Standards	Protocols	General Issues
Communication	NIST, FERC	Structured Query Language (SQL) or Hypertext Transfer Protocol (HTTP), TCP and User Datagram Protocol (UDP) Internet Control Message Protocol (ICMP), Path Maximum Transmission Unit (PMTU) and Internet Protocol Security (IpSec)	IPv4 and IPv6 discussions [41,42,193].
	ISO/IEC 15,408/EAL, ITSEC, TCSEC, CTCPEC	IoT and Internet Protocols such as REST, CoAP, MQTT, MQTT-SN, AMQP…etc.	Insufficient for complex infrastructures [43,194].
	ISO/IEC 27,000 Series	Security Management System Protocols, ISMS, SSL/TLS/SSH, VPN, IPSec	Unauthorized Access [193].
	ISO/IEC 62,351, IEC 60870-5 and DNP, IEC 563	TCP/IP and specify security requirements for communication protocols as QoS, MMS, DNP, GOOSE defined by IEC Technical Committee 57, specifically the IEC 60870-5, the IEC 60870-6, the IEC 61,850, the IEC 61,970, and the IEC 61,968 families.	Vulnerabilities about protocol-based attack such as IP spoofing and DoS [48,194].
	IEEE 802.11.i and IEEE 802.16.e, IEEE 61,850	Wireless Communication protocols (Bluetooth, Zigbee, WiMax…etc), Internet Protocol (IP), Information and Communication Technologies (ICT), Dynamic Host Configuration Protocol (DHCP), SMTP (Simple Mail Transfer Protocol) with Communication Technology-Interoperability architectural perspective (CT-IAP)	Setting security level and protecting to MitM [194,195]
	AES	Structured Query Language (SQL) or Hypertext Transfer Protocol (HTTP), TCP, UDP, Internet Control Message Protocol (ICMP), Path Maximum Transmission Unit (PMTU) and IpSec with AES-128, AES-192, AES-256 Algorithms for cryptography.	Despite being approved by many organizations, selection of encryption techniques is not trivial [196].
	3DES	Public key-based protocols may also be used (e.g., ANSI X9.42).	Expected to be rolled out by 2030 due to insufficient security, as stated by NIST [197].
Power	IEEE 2030-2011, IEEE 1686-2007, IEEE 1402-2000	IPSec, VPN, TCP/IP, Smart Energy Profile Protocol version 2.0 (SEP 2.0), IETF with Power Systems Interoperability architectural perspective (PS-IAP)	Non-homogenous protocol structure of IEEE standards is a cause of vulnerability [62,63,195,198]. Bilateral information and power flow is targeted with IEEE 2030 [199].
	EISA, NIST, NISTIR 7628, FERC	Structured Query Language (SQL) or Hypertext Transfer Protocol (HTTP), TCP and User Datagram Protocol (UDP) port filtering and Internet Control Message Protocol (ICMP), Path Maximum Transmission Unit (PMTU) and Internet Protocol Security (IpSec)	NIST and FERC should coordinate the development and adoption of smart grid guidelines and standards [41].
	NERC, CIP	SCADA, for dial-up accessible Critical Cyber Assets that use non-routable protocols	Unauthorized access issues [42,200].
Control	IEC 61,850, IEC 608750-5, IEEE 802.x	DNP3, GOOSE, Supervisory Control and Data Acquisition systems, Modbus, BACnet, LonWorks, Wireless (ZigBee, Bluetooth) Protocols, Information Technology Interoperability architectural perspective (IT-IAP) protocols	SCADA needs holistic security solutions as it combines monitoring and control which creates significant vulnerabilities in the system [59,66,88,195]
	NIST SP 800-41, NIST 800-82 and 53	Structured Query Language (SQL) or Hypertext Transfer Protocol (HTTP), TCP and User Datagram Protocol (UDP) port filtering and Internet Control Message Protocol (ICMP)	Used in corporate networks behind a firewall. However, it is weak against MitM, Trojan or Ddos launched within the network [59].
	ANSI/ISA-SP99, SA-99	SCADA, DNP-3, Ethernet/IP and Modbus/TCP.	Heterogeneous protocol use inherently secures the system such as “push for productivity” and “Son-of-Stuxnet”. Needs mitigation of MitM and Ddos for all protocol types [43,48,201].
	NERC 1300	NERC Cyber Security Standards	Needs constant updates in parallel with experiences in the field [43,69].

.

• NIST and FERC standards’ discussions about IPv4 and IPv6 continue. When it is needed to install or change the equipment, usage of two protocols can cause more issues and require more complex infrastructure. Furthermore, against upper-layer protocols attacks such as SQL injection and FDIA, IPv4 or IPv6 stack can be used to communicate with the client. Organizations will need time to achieve solutions for IPv6, since they have been working on IPv4 over the years [41,42,193].
• FERC does not indicate the adoption of standards or how effective they are, but given the increasing use of communication and information technology in the field of electricity and energy and the evolving nature of cyber threats, it tries to offer solutions that will help reduce the risk posed by these threats on the electricity grid, which require constant attention [41,42].
• ISO/IEC 15,408/EAL, ITSEC, TCSEC, CTCPEC Standards are built to be used as the reference for evaluation of Internet security, but they are insufficient for complex infrastructures. Mainly, ISO/IEC 30,111 Standard describes processes for potential vulnerabilities in IoT services [43,194].
• In the Information Security Management System (ISMS) with ISO/IEC 27,000 Series, following requirements can be used to provide access to facilitate organization’s data. When the ISMS allow to access the information security requirements of customers and other stakeholders, meet the data and manage information assets to facilitate improvement and adjustment to current organizational goals [193].
• ISO/IEC 62,351, IEC 60870-5 and DNP, IEC 563’s IP usage causes devices to be vulnerable to IP-based network attacks such as IP spoofing, DoS, and others. In the usage of TCP/IP, Adequate standardization has not been achieved for the implementation of consistent security solutions. Since the security level of different wireless protocols also changes, it becomes difficult to adjust the security level of IEEE 802.11.i and IEEE 802.16.e, IEEE 61,850 standards, and it can be concluded that IEEE standards working with different protocols are more vulnerable to MitM attacks [194,195].
• AES is confirmed from many organizations because of its strong security and high performance. However, encryption technologies’ choice depends on the criticality and risks of the communication system that needs to be protected [196].
• Traditional physical access approach in NERC-CIP standard needs to be revised to address unauthorized access issues [42,200]. NERC1300 is dedicated to identification and mitigation of cybersecurity vulnerabilities of critical assets [43,69].

5. Conclusions

This paper presents a review of cybersecurity vulnerabilities in smart grids. It discusses how information technologies are integrated with power systems, creating novel issues that were previously unknown. Then, mitigation requirements are documented as discussed in different standards and research outputs. It also includes an overview of possible cyberattacks in smart grids, focusing on false data injection attacks. These attacks are handled separately as their possible impact on the power system operation is much larger. A thorough review of the literature is given on research dedicated to detecting false data injection in the smart grid domain.

When using synthetic datasets, SVM-based methods (e.g., KF, EKF, DKF, RBF kernel, and Gaussian and linear kernels) were used dominantly and performed better than the classical attacks detection methods (PCA, BDD, etc.) that employ the state estimation (SE) approach for the FDIA. The studies also showed that the semi-supervised learning approaches (supervised learning over labelled data and trained SVM) are stronger to deal with the different data sparsity degrees than the fully supervised learning approaches. PCA does not require to train data to detect the deviation of the measurements. However, in real-time data, another method of detecting FDIA against a complex system using deep autoencoders offers better detection performance than SVM-based methods. Besides, deep autoencoders are more comfortable to train since they do not require labelled data for training and can detect different attacks because they can learn hidden, complicated correlation structures in the data.

In this study, cyber-attacks that can be encountered in grids have been examined, with a particular focus on false data injection attacks. Future deep learning and deep autoencoders approach such as SARSA and POMDP can be investigated as it can work on different systems.

(1)

Machine learning/AI integrated cybersecurity systems are required since hackers are getting smarter, and attacks are getting diverse.

(2)

More holistic cybersecurity designs are required instead of solutions that only focus on 1 aspect of security such as access control or encryption.