Cyberattack detection methods for battery energy storage systems

Battery energy storage systems (BESSs) play a key role in the renewable energy transition. Meanwhile, BESSs along with other electric grid components are leveraging the Internet-of-things paradigm. As a downside, they become vulnerable to cyberattacks. The detection of cyberattacks against BESSs is becoming crucial for system redundancy. We identified a gap in the existing BESS defense research and formulated new types of attacks against a BESS and their detection methods. The attack detection is divided into a forecast-based approach and long-term pattern analysis. We perform a main factor analysis of machine-learning-based methods to forecast the behavior of a BESS. In addition, we observe approaches that can be adapted for the BESS cyber secure design. To provide a thorough investigation, the attacks are classified based on a targeted battery service along with data features that the attack targets.


Introduction
The integration of renewable energy sources (RES) in the electric grid is complicated due to the high RES dependency on the availability of natural resources (e.g., wind, solar irradiance, etc.).To mitigate the intermittency of the RES, and to ensure a reliable green energy supply, the battery energy storage system (BESS) is introduced into power systems [1].The BESS' importance as a smart grid component is increasing as the share of utility-scale BESSs is growing every year [2].BESSs are providing security-critical functions, e.g., ancillary services and backup [45].These services have an impact on system stability and energy availability [3].At the same time, BESSs share data with many external parties through the Internet, which opens up cybersecurity vulnerabilities.For these reasons, the detection of cyberattacks against BESS is becoming a crucial and urgent problem.
There is a solid body of knowledge developed around the cybersecurity of electric vehicles (EVs) [4,5].However, BESS's vulnerability to cyber threats has not yet been widely discussed.Meanwhile, the European Union Agency for Cybersecurity (ENISA) has highlighted the importance of considering the cybersecurity of utility-scale BESSs in the report, "Smart grid security" [6].
In this paper, we analyze the reviews related to cybersecurity in the energy sector which are summarized in Table 1.The reviews can be classified based on three distinguishing features: specific area, application, or approach.Area-specific reviews observe cyber security concerns for a particular area or domain.For instance, types of attacks against the particular BESS component and the methods for their detection and mitigation were studied (e.g.battery management system (BMS) [7][8][9], communication channels [7,10], attack vectors [11], etc.).Applicationspecific reviews include the practices that can be potentially applied to the cyber defense of a battery in a particular domain.For example, battery cybersecurity was widely discussed in the EV domain to detect an attack on the BMS in the EV [12][13][14][15].However, the defense methods were limited to the state of charge (SOC) forecast [16][17][18][19].In [20], the cyberattack detection in zero-energy buildings that utilize renewable energy sources, BESS and AC and DC buses is carried out.Thirdly, the reviews can be approach-specific, which implies that the paper concentrates on the particular approach.One of the widespread approaches is to adapt defense methods from the internet of things (IoT) domain [21].For instance, blockchain technology was suggested by multiple authors to be applied on design stage to ensure the safety of communication channels [7,9].Yet, both in the electrical grid and EV cybersecurity domain it was highlighted that cybersecure system design does not eliminate the possibility of a successful cyberattack.Therefore, the cyberattack detection system is required even in the presence of a cybersecure system design [13,22].The report [23] also shows that attack detection methods are necessary to ensure BESS cybersecurity.
Cyberattacks can be classified by data feature, component, or service affected.When cyberattacks against a BESS are classified based on the data feature they compromise, we consider data integrity, confidentiality, and availability of data features [24][25][26].Integrity attacks can potentially have a longer and more significant impact on an operation of

Research methodology
The survey summarizes a significant contribution to state-of-the-art cybersecurity for various battery applications.To provide a comprehensive survey of cyberattack and defense strategies for a BESS, we applied the review style of [1].The research protocol that we have followed is divided into the steps described below.
1) Search strategy: A paper survey using Scopus, applying relevant queries.2) Inclusion criteria: Detection of the relevant articles.
3) Selection process: Shortlisting articles to include in the survey.
Regarding the search strategy, firstly, we formulated the query terms that would fetch the related research papers from the Scopus database.The Scopus database includes several databases, and it covers most of the research related to the cybersecurity domain.Since the topic of BESS cybersecurity has not yet been discussed in detail in the literature, to provide a comprehensive review, we considered query terms that belonged to three groups.1) Cybersecurity of the electric grid.2) Cybersecurity for various battery applications (e.g., EV). 3) Forecasting methods of the BESS components behavior (SOC, state of health (SOH), frequency, etc.).The scope of the works includes articles from the last 24 years (i.e., from 1997 to 2021).
Concerning the inclusion criteria, the criteria for the paper to be included in the review are listed below: 1) A publication is written in English.2) It must be a conference or journal paper, or a book chapter.
3) A publication has to belong to one of the topics mentioned above.As for the selection process, as soon as we fetched the publications, we reviewed the abstract and introduction sections of the papers to find out if they belonged to any of the defined groups.In the next stage, the full texts of the selected publications were read, to remove non-relevant papers, and to analyze relevant ones.The list of publications was complemented with related papers from the references.

Attacks against a BESS, and their detection
In this section, the attacks against a BESS and their detection methods are overviewed.Cyberattacks are divided based on the affected BESS service.After we defined the vulnerabilities of a BESS from the cybersecurity viewpoint, we proceeded with investigating the attack detection methods.We observed various attack detection methods that included residual-based and clustering methods.

Cyberattacks against a BESS
Cyberattacks were first discussed in the computer science domain where they are classified based on three data features they can

Communication channel Electrical connection
Fig. 1.The scheme of a BESS, its components and its connection to the grid.N. Kharlamova et al. compromise: data integrity, confidentiality, and availability.Integrity attacks imply the injection of false data in the system.Confidentiality attacks consist of recording system data without being noticed [46].This can result in a replay attack in which stolen data are injected into the system instead of the real one [47].Availability attacks are typically related to denial of service.Confidentiality and availability attacks cannot be prevented using cyberattack detection methods, and therefore, require cybersecure BESS design.Cybersecure system design tools are discussed in [25].

Cyberattacks
In the smart grid domain, the main focus is placed on integrity attacks which are referred to as FDIA.FDIAs cannot be fully eliminated by cybersecure BESS design, and, therefore, their detection was extensively studied in the smart grid domain.Cyberattacks against a BESS differ from those against a smart grid due to the aim the attacker attempts to achieve.Furthermore, the state-of-the-art FDIA detection method from the smart grid cannot be utilized in BESS cyberattack detection due to the different physical nature of the systems.In this paper, we limit the scope of our research with integrity attacks against a BESS, because we believe they are the most critical for the secure functioning of a BESS.
We divided integrity attacks against a BESS into random and targeted ones.The attack classification is presented in Fig. 3.

Random attack
The first type of attack is adopted from cyberattacks against the electric grid domain.It is an attack in which an attack vector has been generated randomly.The attack vector is injected into the system to make system data not representable.The attack can be represented as (1).
where a is a randomly generated attack vector, and P A and P M are spoiled and real measurements respectively.

Targeted attacks
The second type of cyberattack is a targeted attack.It aims to cause a particular kind of damage, such as preventing a BESS from providing a predefined service or accelerating battery degradation.These attacks can be considered long-term since they might require hours to days of data modification.The initial modification that they introduce is within a range of errors and cannot be detected.However, consistency of the modification allows for achieving an attacker's goal.In this section, we overview potential cyberattacks against BESS services.

3.1.2.1.
An attack against a BESS as a source of energy.The attack against a particular battery service is another type of attack that can be introduced into the energy grid.This attack is aimed to prevent a control unit from having realistic data regarding battery SOC.This might result in the failure of a battery to fulfill a control command.This type of cyberattack against a battery was first introduced in the EV domain [13].The measurement without an attack looks like the following (2): Authentical SOC measurements are substituted with higher values so that a control unit expects more energy from the battery than it can provide as is presented in (3).

max ( P (i)
where P M is a vector of the measurements, P A -corrupted vector of measurements, N-a length of the attack vector, a-an attack vector.
The attack aims to bring a SOC to the lowest possible value without the attack being detected.The attack vector cannot be too high without increasing the risk of detection; however, this limitation slows down an attack.
3.1.2.2.An attack against a BESS for frequency regulation.The next type of attack is to prevent a BESS from participating in frequency regulation.This can be achieved by manipulating the SOC.For example, the attack can be achieved by bringing a battery to high (90 % to 100 %) or low (0 to 20 %) SOC, so that a BESS cannot fulfill the requirements.The desired range of a SOC within which a BESS should operate while providing frequency regulations is between P min and P max .This range should be maintained so that a BESS can provide a frequency service.
The attack mathematical formulation is presented in (4) and (5).There are two possible attacks during charging (4) and discharging (5).The goal of the attacker is to substitute the real SOC value with the spoiled one.In this way, a BESS is charged faster in reality, rather than according to measurements.In this way, a BESS can be brought outside of its operational limits, which actively limits the availability of a BESS for frequency control.
while P (N) The attack for discharging BESS is aimed at bringing the SOC to a minimum so that the battery cannot be utilized for frequency control.As a result, the real SOC will be below the desired limit for a frequency regulation service.
while P (N)  M > 0%  increase the speed of battery degradation was introduced in the EV domain.Depending on the type of BESS, different behaviors are associated with faster battery degradation.In [48], the degradation of a lithium-ion BESS is slowed down by restricting a SOC operation range.By that, we aim at avoiding too low or too high a change (with a new range from approximately 20 % to 80 %).This operation range depends on the battery type and can be roughly estimated from the publicly available information.Furthermore, it can be accurately defined based on the confidentiality attack, using SOC measurements.Since this range is advisable (not mandatory), it is chosen by the BESS owner and differs from the safety limit in BMS.Thus, the internal safety algorithm will not be activated in case the attacker manages to modify the SOC data.Therefore, the attacker may successfully keep a battery outside of the advised range.This attack is similar to one against a frequency regulations service.The main difference is that the attack value should be smaller because the attack can be successful only if it is not detected for a long time.

Online attack detection
To ensure the reliable operation of a BESS, it is important to not limit the cybersecurity of a BESS to the system design.The method to perform secure software validation without interrupting the system operation [10] is critical for system safety.We show BESS components that are vulnerable to cyberattacks in Fig. 4. As we observe, all of the components are interconnected on a physical and an electronic level.In this section, the approaches that can be used for cyberattack detection are overviewed.
There are multiple approaches to detecting cyberattacks.One of them is a residual-based approach, in which the measurement data are compared to the forecast.The residual-based approach is based on the state-of-the-art integrity cyberattack detection method [49].The method is based on calculating the difference between the forecast and the sensing data [30], ensuring that the variation does not exceed a given threshold.Thus, a reliable forecasting method is required to apply the residual-based approach.The residual-based approach is formulated as the following (6): where P N m -measured value for a sample N, P N f -forecasted value for a sample N, and r is an allowed deviation between a measurement and a forecast.The value of r is defined using domain knowledge, as well as an estimated accuracy of the forecast approach.The statistical-based approach can be based on a decentralized consensus.It includes a distributed average consensus algorithm and a distributed recedinghorizon control [50].
Furthermore, there are control-related cyberattack detection techniques.In [51], the deception cyberattack against a battery SOC that is also referred to as FDIA is detected using a second-order RC-ECM-based nonlinear observer.The cyberattack is detected and mitigated on the step of measurement transmission between a sensor and an estimator.Lyapunov stability theory was used to derive the conditions for ensuring the security of the estimation error dynamics.The estimator gain matrix was expressed as a solution to finite linear matrix inequalities.Furthermore, neural network-based observers can be used to reduce the error in SOC estimation [52].The authors use sparse data observers to define faulty batteries in the early stage [53].In [54], the converterbased moving target defense (MTD) detection mechanism is presented.MTD was first adopted in the cybersecurity of the electric grid [55].In the framework of MTD, the physical characteristics of the system such as topology are modified.If this modification is not reflected in the measurements, the system is considered to be under attack.The authors suggest applying MTD for cyberattack detection in DC microgrids by proactively perturbing the primary control gains.Furthermore, in [56] the hidden MTD is proposed for an application in the electric grid.Hidden MTD is aimed to keep an attacker unaware of system modifications triggered by MTD using the attacker's unawareness of the system's features.

Cybersecure system design
The attacks against a BESS can compromise three data features, such as integrity, confidentiality, and availability.The probability of cyberattacks damaging a BESS cannot be eliminated at the design stage, because there are always vulnerabilities in the system.However, the possibility of a successful cyberattack and the possible damage from it can be minimized through secure design and online attack detection.Cybersecure design is the only way to minimize the possibility of confidentiality and availability attacks.In this section, the methods to diminish the change of an attack are discussed.
The security of the system depends on the type of control algorithm architecture that is implemented.If the distributed control algorithm is used, it does not depend on the centralized control center, and consequently, does not have a single point of failure.However, the issue of detecting the malicious node in a decentralized system is more complicated to solve.The lack of supervised detection methods complicates the attack detection process [57].The reputation-based algorithm is applied to detect a cyberattack in a distributed control system [57].This challenge was first mentioned in [58] to detect unreliable nodes in the system.In [59], a distributed system for attack detection and isolation is proposed.
An example of a distributed control algorithm on the secondary control level is the cooperative control framework.It supplements the voltage reference with two voltage correction terms for each converter.The function of the voltage observer is to estimate the average voltage across the line.This voltage is later compared with the global reference voltage [60,61].
Moreover, the data that are exchanged for system functioning, including system parameters and control commands, are to be secured.For that reason, all of the parties that have access to system data should first be authorized.Authorization can be made using a password, IP address, biometric data, or a combination of those.Furthermore, as we observe from Fig. 4, communication layers are vulnerable to cyberattacks.In case the data were stolen or recorded on a communication layer, it can be preserved from being used via encryption techniques, e. g., symmetric and asymmetric keys applications [62,63].Nevertheless, this does not eliminate the possibility of an attack [64].More detailed information regarding the methods of design for a BESS that is prone to cyberattacks is presented in [29].

Residual-based cyberattack detection
The residual-based approach is a state-of-the-art method for cyberattack detection.The core idea behind a residual based-approach is to compare the measurements in question with a forecast.In case the difference which is called residual exceeds a predefined threshold, the algorithm marks the measurement as unreliable.In the case of an application for the energy storage domain, BESS performance characteristics should be compared to a BESS behavior forecast.The quality of residual-based detector performance heavily relies on the forecast quality.Therefore, it is important to choose a forecasting technique with very high accuracy for a BESS-related dataset.
We shortlisted SOC, system frequency, and voltage at the connection point as the three main parameters that reflect BESS operation.Some core parameters of a BESS, such as SOC, cannot be measured directly.Consequently, it is necessary to define the methodology of forecasting SOC.In this section, we overview the methods that can be potentially used for forecasting the behavior of a BESS.Special emphasis is placed on data-driven methods since they are more robust than model-based methods.

State-of-charge forecast
Model-based methods were state-of-the-art due to their high accuracy and low requirements for a dataset.However, data-driven methods started to gain popularity due to their adaptability and robustness.In this section, we overview various methods for SOC forecasting and analyze their strengths and weaknesses.

Model-based methods
The methods implemented for SOC forecast are depicted in Fig. 5.One of the most widely used methods of SOC estimation is coulomb counting.Additionally, equivalent circuit models (ECM) are implemented for this task.However, these methods have significant drawbacks.Coulomb counting requires accurate data regarding the initial state of the cell.The estimated accuracy is deteriorated due to meter errors and model inaccuracy.ECMs do not consider physiochemical processes that take place in the cell, and they require comprehensive empirical parameterization [65].
Studies from similar domains such as EV can be used while choosing the method of BESS SOC forecasting.Nevertheless, the working cycle of EVs is different from the working cycle of utility-scale batteries.Therefore, we cannot fully adapt the experience from the EV domain while choosing the most efficient approach for the defense strategy of utility-scale BESS.Nevertheless, the methods for data preprocessing previously applied for EV datasets can be adjusted for the utility-scale batteries domain.
A Kalman filter was originally implemented for experimental data processing, and it was later adapted for implementation in Li-ion cell modeling by Plett [8].Plett showed that the extended Kalman filter (EKF), together with the model of cell dynamics can be used to dynamically estimate SOC.The typical estimation error remains within a few percent.The drawback of this method is the complexity of implementation compared with coulomb counting.Nevertheless, it allows for the avoidance of the accumulative error appearing while using the state-of-the-art method.The absence of the accumulative error was proven by comparing EKF with state-of-the-art battery test equipment (an Aerovironment ABC-150).EKF showed better results, even on short tests with a duration of several hours.The drawback is a higher estimation error appearing for low temperatures (below 0 • C) [8].
In [69], Liu et al. suggested an extended fractional Kalman filter (EFKF) and the least squares identification method to estimate SOC.The validation of the method in two operating conditions (constant discharge and dynamic discharge) showed a high degree of accuracy and robustness toward rejecting noise.However, the additional improvement of computational speed and the quality of forecast stability against various initial conditions is required.Battery fractional order (FOM) models were adapted from frequency modeling, and they have shown significant potential in SOC modeling.The comparison showed that R (RQ) [70] is the simplest model that shows the best accuracy, both in normal conditions and in the case of voltage drift [38].In recent years, new methods such as Luenberger observer, H-infinity observer, and sliding mode observer have been introduced [17].

Data-driven forecast methods
ML-based algorithms for SOC estimation can be divided into multiple groups [37].A similar review with a classification was provided in [42].Nonetheless, we utilize [37] as a reference, since it is more recent.Fig. 6 depicts data-driven methods that can be used for SOC forecasting, highlighting the main advantages and disadvantages.In the literature, various types of classifiers are used for the SOC forecast.Firstly, artificial neural networks (ANNs): feed-forward neural networks (NNs), and their descendants-recurrent NNs can be used for sequential data processing.Furthermore, [42], as well as deep NN (e.g., deep belief NN) can be applied for forecasting.Fuzzy logic and its combination with NN (an adaptive neuro-fuzzy inference system) can be applied for this purpose.Additionally, support vector machine (SVM), Gaussian Process Regression (GPR), random forest (RF), and hybrid algorithms are implemented for tackling this problem.The simplest type of ANN which is feedforward NN is mentioned as being efficient for solving the problem.Moreover, ML-based methods can be combined with model-based ones forming the class of hybrid methods [37,67].
There is a wide range of research related to ANN utilization for SOC forecasting.The maximum SOC error obtained in the literature is between 2 % and 8 %.RF shows the lowest maximum SOC forecast error.Since methods were compared on different datasets, the results of the comparison are not directly applicable without additional numerical studies.We point out that most methods were tested on EV datasets, while this article is focused on utility-scale BESS cybersecurity [37].Thus, in future work, additional tests are to be carried out.Support vector regression (SVR) and gradient boosting techniques (also referred to as XGBoost) are suggested for implementation in the SOC forecast [68].The authors applied the radial basis function kernel with SVR.Here, the forecast was compared with the results of XGBoost on the cylindrical Li-ion cell measurements.The former approach was recommended for use, due to its low root mean square error (RMSE) and the shorter duration of the calculations.Tuning the parameters of SVR did not lead to a significant improvement in the above-mentioned characteristics.Hasan et al. [43] compared ridge and lasso regression, SVM, and ANN-based, on both conventional and nonconventional features.
The authors [71] applied a convolutional gated recurrent unit-recurrent NN (CNN-GRU) to forecast SOC.They proved that the method is applicable to the given dataset.They claim that CNN-GRU maps measurements such as voltage, current, and temperature, which allows us to avoid complex models.Moreover, the method is capable of learning the NN parameters independently, which prevents the researcher from manual engineering.The method shows sufficient efficiency under various temperature conditions and outperforms alternative deep learning algorithms.
In [72], the deep learning algorithm is successfully used for local cyberattack detection in the IoT system.Cyberattack detection can be performed, utilizing deep learning [39].Unsupervised learning has a high potential for implementation in cyberattack detection since it is capable of finding hidden interdependencies and detecting novel attacks.Additionally, it can work in real-time.The main weakness of the approach is that the detection rate of the cyberattack with a normal power consumption curve is low.
In [73], the authors apply the backpropagation artificial neural network (BANN) for the hybrid energy storage system SOC estimation.The algorithm is a validated dataset with an obtained RMSE of 0.33 % and 0.84 %.According to the results of the test, the performance of the BANN is better than that of the commercially available BMS.The backpropagation NN was trained based on five drive cycles.The 3 % bias was introduced to the dataset to check its influence on the resulting forecast.In [74], a long short-term memory (LSTM) network that is a type of NN is used to estimate SOC.The method was tested on the dataset with a fixed temperature with a mean absolute error (MAE) equal to 0.573 %.In the case of the ambient temperature changing between 10 and 25 • C, the MAE was equal to 1.606 %.According to the authors, the method allows for defining the characteristic behaviors for various temperatures with high accuracy.
Wang [66] suggested a fusion model for SOC forecasting that claims to be more accurate than the SVR, AdaBoost, and RF models on the given dataset.The fusion model is based on merging these three models to form a basic model, with linear regression implemented as a metamodel.The training and testing data are processed by SVR, AdaBoost, and RF.The output serves as the input data for the linear regression model, which forms a resulting prediction.The RMSEs of SVR (3.75 %), AdaBoost (1.89 %), and RF (2.37 %) are higher than the fusion model RMSE (1.08 %).Sidhu et al. [67] combined RF with a Gaussian filter to increase the accuracy of EV SOC estimation.The method is texted on the federal test-driving schedules.The results are compared with the SVR and NN-based estimation results.For the US06 dataset, the RF has the MAE calculated for three temperatures: 0 • C, 25  C) among the competitors for all of the temperature levels.ML-based approaches proved to provide more accurate and robust forecasts compared to the model-based approaches.Data preprocessing issues and high requirements for initial data quality, as well as complications in model adjustment make the attack detection process less accurate.The failure to use proper adjustments: hyper-parameters, activation function, and the inability of the model to work under uncertainties might result in the failure to detect a cyberattack.
The methods for SOC forecast are summarized in Fig. 6.The features of each method are presented.We observe that while all data-driven methods are referred to as robust, AdaBoost, RF, and fusion models show very high accuracy on multiple datasets.AdaBoost and RF are also mentioned as computationally heavy, while the fusion model is complex to utilize.Gaussian process regression and recurrent NN (RNN) are referred to as methods with high accuracy.RNN is reported as being computationally heavy and both methods require a large dataset.The support vector regression method is claimed to be of sufficient accuracy while providing fast computation.While one can consider these features in the process of choosing a forecasting technique for a BESS SOC, it is important to compare the methods on a real dataset to evaluate their performance for a BESS behavior pattern.Furthermore, an additional numerical evaluation has to be carried out to define the size of the training dataset that would result in an accurate forecast for each method.
While these recommendations shall be considered for shortlisting a SOC forecasting tool for a BESS, one should keep in mind that the techniques were not tested on BESS-providing frequency regulations.The performance of forecasting techniques might differ based on whether a SOC estimation of a BESS has a clear pattern or trend.Therefore, the features of a dataset differ from other generation and consumption units, even EVs and energy storage used for power supply with a daily cycle.A BESS providing frequency regulations performs with regard to both system commands and charging cycle which makes its pattern less clear.

Frequency forecast
There are multiple methods for frequency forecasting that include NN [75,76].In [75], the cerebellar model articulation controller ANN was applied for the power system frequency forecast.The results of using ANN were more stable and accurate than the results of the genetic algorithm [77] and the classic NN model [78].On the dataset considered in the paper, the accuracy of a self-learning ANN-based algorithm prediction reached 10e-5.
In [76], two neural approaches for time-varying frequency were suggested.The utilization of Adaline NN with an optimized sampling period allowed the authors to achieve a good performance and robustness for the proposed approaches.The first method was based on the pseudo-square Adaline and used the product of the instantaneous signal with a delayed value.The second approach is MAdaline.It used 30 Adalines to estimate the frequency with different values of sampling time.The very short-term frequency forecast approach [79] was introduced with the recurrent NN in use.In the paper, the authors defined key factors that influence the system frequency which are system load and its diurnal, weekly, and seasonal variations.Based on these features, the methodology for the frequency forecast was defined.The LSTM model was implemented with the dataset that contains the historical frequency measurements in Great Britain's electric grid.The forecast result was compared to the benchmark which was the simple RNN in Keras and TensorFlow.It provided a good performance on the given grid and scalability for implementation in other grids.
In [80], the ANN was applied to forecast system frequency with a mean absolute percentage error (MAPE) of 0.0878 %, an MAE of 4.39 %, and an MSE equal to 0.28 %.The grid was generalized to form a grid frequency forecast vector for the ANN algorithm.The benefit of the approach is its simplicity.The authors in [81] applied the ANN in combination with the Hilbert-Huang transform to forecast electric grid parameters, including the frequency and the voltage.For the given dataset (a 10-bus distribution system), the MAPE for frequency prediction was 0.011 %, the MAE was 0.0057 %, and the RMSE was 0.0069 %.
The alternative method for cyberattack detection is based on an unknown input observer.This method was applied to the load frequency control system [82].
The methods for frequency forecast are shown in Fig. 7 and are compared in Fig. 8.We observe that RNN and Adaline NN (ANN) are showing high accuracy but self-learning ANN shows the best performance according to the literature review.Therefore, self-learning ANN shall be adopted in case there are high requirements to forecast accuracy in combination with sufficient resources for heavy computations and a big dataset available.ANN in combination with the Hilbert-Huang transform is not recommended to be used since it did not show good performance on different datasets unless a moderately accurate forecast with limited resources is sufficient.

Voltage forecast
The voltage control is one of the primary functions of the BESS that is necessary for reliable system functioning [83].One of the possible defense strategies is ML implementation for measurement prediction.This strategy is discussed in Chapter III.The methods for voltage forecast are shown in Fig. 9.
Despite it being feasible to derive the voltage forecast based on the historical data from system measurements, the issue arises due to instability events that appear in the electric grid.Such events are rare compared to the cases in which the system operates in normal conditions.It is, however, important to take them into account while creating a forecast.This causes an imbalance of a dataset and complicates shortterm feature extraction from the limited datasets for the conventional ML techniques [84].To tackle this problem, Zhu et al. [84] suggested applying a systematic imbalance learning machine for an online shortterm voltage stability assessment.The forecasting-based nonlinear synthetic minority oversampling technique is utilized to compensate for the meager dataset's influence on forecast accuracy.The algorithm was tested on the Nordic dataset and showed sufficient accuracy with an imbalanced dataset in use [84].
In [85], the authors applied a quadratic line voltage stability index and auditory machine intelligence techniques to forecast a voltage collapse point.Auditory machine intelligence was used in comparison with the state-of-the-art method for voltage collapse prediction, which is a group method for data handling.It proved to be competitive, despite some datasets having a.
MAPE where the state-of-the-art method was lower.Yang et al. [86] described a novel OPF based on short-term state forecasting for the voltage regulation of a distributed system.The authors applied an extreme learning machine to predict the voltage magnitude and angle.The approach was tested on the 12-bus IEEE system and provided an accurate forecast 5 min ahead.In [93], the voltage in the DC network was estimated using NN and a reference in a reference tracking application for the PI controller.The estimation is compared to the PI controller input, and in case it does not match the reference, the attack is detected.In the case of the proper work of NN, the PI controller output is converging to the attack vector value to exclude false data from the system.The forecast of terminal voltage [87] was performed based on historical measurements and boosted tree models.The simulation within the EV domain showed the high performance of the XgBoost method.
Habibi et al. [94] used a nonlinear autoregressive exogenous model (NARX) NN to forecast the voltage and current in a multi-DER DC microgrid.DC voltages and DC output currents were estimated, utilizing NARX NN with one hidden layer, including 10 neurons with sigmoid activation function for all units in the microgrid.The dataset was divided into training (70 %), validation (15 %), and testing (15 %).In the case of a cyberattack, the estimation was significantly different from the measurement data, and therefore, the attack was successfully detected.In [95], the distributed attack detection mechanism was presented.The algorithm avoids the necessity of data exchange between nodes.Guan and Ge divided cyberattack detection methods into groups that apply statistics, data time-stamps, and estimation residuals [49].Deep-reinforcement learning showed a good detection performance.It is more robust, adaptable, and transferable than the competitive approaches.The cons of reinforcement learning are the higher memory space required, the necessity of extensive training, and the vulnerability to adversarial attacks.Deep learning is implemented for cyberattack detection to automatic voltage control [88], detecting energy theft on the consumer side [89], load forecasting [90], and sparse cyberattacks [91].Moreover, deep learning is used for recovering spoiled measurements [92].The features of voltage forecast methods were summarized in Fig. 10.We observed that boosted tree models show the highest accuracy while requiring the most resources.

Long-term pattern-based detection
A residual-based algorithm is one of the most widely implemented state-of-the-art approaches.However, its main limitation is an inaccuracy of the forecast that the value is compared with.To detect a targeted cyberattack, we have to generalize system data and draw large-scale patterns for a period between an hour and a month.In addition, the typical period of charging and discharging cycles, as well as the speed of a battery charge and discharge have to be estimated.These values might be evaluated periodically to detect a targeted attack.Furthermore, a  typical reaction of the control unit on the particular system behavior is to be detected and considered while developing an anomaly detection algorithm.
There is no state-of-the-art approach to detecting targeted attacks.However, we elaborated on the review using the methods that might be applied for tackling this problem.The methods that can be potentially implemented to detect cyberattacks in the long term are presented in Fig. 11.

Behavior patterns in cyberattack detection
To cause significant damage, the cyberattack has to last for a long period.Therefore, such a long-term cyberattack may result in influencing a pattern of BESS operation.Thus, we can potentially detect longterm cyberattack that lasts for hours to days by analyzing a BESS profile through its evaluation and forecast.The cyberattack can be detected though a significant change in the daily or monthly operation pattern.Since there are no papers that would consider analyzing a BESS behavior pattern, we analyzed the approach for typical behavior analysis of other systems' components.One of the spread approaches for typical behavior forecast in the electric grid domain is forecasting the consumption by clustering typical load profiles [96,97].In [97], probabilistic neural networks (PNNs) are applied for consumer clustering.To obtain a typical load profile, consumers are divided into clusters based on the load profiles.The "knee" criterion defines the number of clusters.In [97], frequency-based clustering is used to make a forecast of consumers that are not equipped with smart meters, based on the measurements obtained from consumers with smart meters.
To detect suspicious BESS behavior, one should have tools to analyze a forecasted pattern.The literature suggests clustering can be applied not only to define patterns but also to detect a cyberattack.There are two major approaches to applying clustering for cyberattack detection.Firstly, a clustering algorithm can be applied to detect a cyberattack based on a comparison of measurements and forecasts, without a strictly defined residual value r.The algorithm behind this approach is the Kmean clustering algorithm, as presented by Eq. (7).It assigns a measurement with a cluster "attack" or "no attack".
where dist is the Euclidean distance, P m -vector of measurements, and P f -vector of forecasted values.The goal is to find a cluster with the shortest distance away from the values of a particular cluster.The main challenge of applying clustering approaches to cyberattack detection is the requirement of a big balanced dataset to train the algorithm.The balanced dataset has to contain a similar amount of data samples with and without attack.Since there is a lack of real corrupted datasets for training, these datasets are to be generated.Therefore, the quality of intrusion detection using this method is limited by the quality of the dataset and the creativity of an attack designer.
Secondly, clustering can be used as a tool to detect changes in BESS performance.The main focus of the method is not on the clustering for each period but on the dynamics of clustering results after each evaluation period.For example, in [98], the K shape-based hierarchical anomaly detection method was proposed to detect voltage anomalies in the long run for data centers.The method clusters the first-month voltage data which is set as a reference.The same clustering is performed monthly, and if the battery changes its clustering compared with the default month, the anomaly is detected.The method showed a better performance than the median absolute deviation method.Despite the method being suggested for rarely used back-up batteries in data centers, the approach might be further adapted for other purposes, such as BESSs.

Responsiveness forecast
One of the approaches to forecasting a BESS behavior is to focus on the forecast of the ability of a BESS to respond to a system command instead of forecasting physical parameters such as SOC.Snijders et al. [99] studied the prediction of cyber-physical system responsiveness, based on a temporal convolution NN-based digital twin.The target is to predict whether the BESS will respond to the negative power set point or not.The authors stated that this task resembled the task of condition and system health monitoring.The major difference is that for the given purpose, real-time data are analyzed.The authors define a digital twin as a fit-for-purpose model that is synchronized with the physical system.The input data are the power set point, power that is produced or consumed by the battery, the current, voltage, and SOC.The output of the model is binary, and it shows whether the BESS is likely or unlikely to respond to the negative power set point.The model was tested on the dataset of 8 months for 10 different batteries, and proven to forecast the system behavior with a sufficient accuracy exceeding 90 %.This method can be potentially implemented for control commands forecasting to detect spoiled control commands.

State-of-health forecast
The SOH is a parameter that shows the change in the battery's capacity due to degradation.There might be a lot-to-lot variation between battery cells, as well as the damaged battery.These factors make the detection of a cyberattack against SOH more challenging.Fig. 12 summarizes the methods implemented for the SOH forecast.In Fig. 13, a main factor analysis of data-driven methods that can be used for SOH

State of health forecast
Long-term forecasting  forecast is presented.The fact that SOH might influence the SOC forecast adds additional complexity to the problem.The challenge is to detect both short-term and long-term anomalies e.g., anomalous degradation [100] since some cyberattacks are targeted to disturb the BESS operation in the long run.
In [100], anomalous degradation is discussed.A regression model with a prediction-bound, one-class SVM, a local outlier factor, Mahalanobis distance, and a sequential probability ratio (SPR) test are compared for evaluating the performance deviations of Li-ion batteries.As a result, SVM shows better results for a dataset with a smaller standard deviation, while SPR gives an earlier warning in the case of the opposite.The authors suggest using an ensemble algorithm to increase the speed of anomaly detection.
Feng et al. [101] also applied SVM to perform online battery SOH estimation.The authors tested and validated the algorithm with two commercial Li-ion batteries.As a result, the algorithm compares the charging curve with the stored SVM.Support vectors represent the intrinsic characteristics of the battery, and are defined from the new cell charging data.The algorithm predicts an SOH with <2 % error in 80 % of cases and <3 % for 95 % of cases.Li and Tao [103] performed the SOH forecast based on the convolutional NN and transfer learning.The method considers both the accelerated aging and normal-speed aging modes.The estimated RMSE is <0.4 %.In [102], the LSTM is implemented, utilizing that voltage profile during the charging and discharging process.The estimation error does not exceed 5.99 %.The method was compared with Elman NN, SVM, and GPR, and it proved to be more accurate and robust.
Vidal et al. [44] applied ML for battery SOC and SOH estimation.The SOH can be predicted by hamming networks, Bayesian network (0.28 %), recurrent NN (0.96 %), feed-forward NN (0.81 %), RBF, and SVM (0.63 %).The lowest RMSE of each method for the particular dataset is specified in brackets.The authors concluded that the abovementioned ML approaches can be implemented for SOH and SOC estimation.Nevertheless, most of the papers that the authors reviewed used unrealistic datasets that do not take into account a negative ambient temperature.On average, the prediction can be made with an accuracy of around 1 %.The authors also highlight the importance of data preprocessing, and the high quality of the preliminary dataset to provide an accurate forecast.

Discussion of cybersecure BESS operation
Albeit preventive measures are necessary to diminish the possibility of cyberattacks, they are not exhaustive for eliminating the possibility of cyberattacks, which is reflected in cybersecurity guides [23,104].Intrusion detection for utility-scale batteries is an emerging topic that lacks a versatile methodology.Due to differences in the work cycle and security requirements, the intrusion detection methods used for other battery applications (e.g., EVs) cannot be directly adopted for BESSs.Therefore, as a direction for future research, a methodology for BESS intrusion detection shall be defined.
We recommend using a residual-based cyberattack detector leveraging data-driven techniques for a BESS performance forecast.Data-driven forecast methods are recommended in the literature due to their robustness, applicability for various BESS services, and handle complex patterns.For example, as discussed above ML approaches from neighboring domains, can be applied and modified based on the needs of a BESS application.The opportunity for using an ML-based battery behavior forecast for cyberattack detection must be tested on a real BESS dataset.
Clustering methods might be considered, to define typical BESS behavior profiles and general features.While applying ML-based methods for cyberattack detection, it is critical to understand the reasoning behind a decision-making process, and therefore, explainable AI tools are to be used.Furthermore, the standards for utility-scale battery cybersecurity should be updated with explicit examples of intrusion detection techniques that can be used.In this paper, we raise a concern regarding two new concepts of cyberattacks.Firstly, the attack may affect the ability of the BESSs to provide services that are system stability critical.Furthermore, a cyberattack against a BESS can potentially speed up battery degradation.In future research, the potential impact of these attacks is to be evaluated numerically.This evaluation will allow for the determination of the sensitivity of a cyber defense algorithm.

Conclusion and future works
Identification and assessment of the cyber threats affecting the smart grid is crucial.The definition of cybersecurity mechanisms to ensure safe and reliable operations is thus an urgent issue.In this paper, we provide a comprehensive summary of the concerns related to BESS cybersecurity, including attacks and detection methods.We classified attacks based on data features and the BESS services that they may affect, and we provided a corresponding mathematical formulation.
Based on the review, we recommend using the residual-based method for online cyberattack detection.The residual-based approach leverages a BESS behavior forecast and requires a reliable forecast to obtain sufficient detection accuracy.We explored data-driven forecasting methods examined in previous research, to forecast the identifying parameters of BESSs: voltage, frequency, SOC, and SOH.One of the main values to be affected by a cyberattack is SOC.Therefore, we investigated ML-based methods, including ANN, fuzzy logic, and SVR, with a focus on their applicability to SOC forecasting.The maximum absolute error for these methods was estimated at between 2 % and 8 %, which is an acceptable range.However, an additional comparison on the same dataset is required to conclude which method is the most suitable for the SOC forecast of grid-integrated BESSs.To ensure a BESS redundancy, we recommend combining forecast-based detection methods with long-term pattern evaluation.To mitigate the imperfection of a residual-based approach, we suggest combining it with long-term pattern analysis, e.g., studying behavioral patterns and comparing features periodically.
As a result of a comprehensive investigation, we identified a need for additional research to ensure the safe and cybersecure operation of gridintegrated BESSs.The extent of potential damage from cyberattacks affecting different battery services should be evaluated, to tweak the sensitivity of a cyberattack detector.In addition, the area of dealing with potentially spoiled historical data is yet to be investigated.

Declaration of competing interest
The authors declare the following financial interests/personal relationships which may be considered as potential competing interests: Seyedmostafa Hasemi reports financial support was provided by Danish N. Kharlamova et al.

Fig. 3 .
Fig. 3. Classification of cyberattacks based on the data feature and targeted service.

Fig. 4 .
Fig. 4. The scheme of the BESS vulnerabilities with data exchange flow and physical connection.

N
.Kharlamova et al.

Table 1
Literature reviews in sub-domains of Cyber security in the electricity sector.