Cyber-physical attacks and defences in the smart grid: a survey

: The smart grid is arguably one of the most complex cyber-physical systems (CPS). Complex security challenges have been revealed in both the physical and the cyber parts of the smart grid, and an integrative analysis on the cyber-physical (CP) security is emerging. This paper provides a comprehensive and systematic review of the critical attack threats and defence strategies in the smart grid. We start this survey with an overview of the smart grid security from the CP perspective, and then focuses on prominent CP attack schemes with significant impact on the smart grid operation and corresponding defense solutions. With an in-depth review of the attacks and defences, we then discuss the opportunities and challenges along the smart grid CP security. We hope this paper raises awareness of the CP attack threats and defence strategies in complex CPS-based infrastructures such as the smart grid and inspires research effort toward the development of secure and resilient CP infrastructures.


Introduction
Cyber-physical systems (CPSs) are inducing profound changes in the modern society. Composed of computation, communication, and physical systems and processes, CPS integrate, and coordinate heterogeneous components with increasing intelligent, interactive, and distributed operations in the modern critical infrastructures. The emerging smart grid, being one of the most complex CPS ever built in history, witnesses such transformations during the ongoing integration of power and energy systems with information and communication technologies (ICTs) [1]. The fundamental changes in this critical infrastructure are leading toward far-reaching impacts on not only the energy, but also a number of critical interdependent sectors.
The smart grid encompasses complex systems of power, energy, control, sensory, computing, and communication. The complexity and heterogeneity in this architecture have underscored the potential challenges to its security and resilience. On one hand, the interconnection of bulk power systems is complicating the protection against inherent physical vulnerabilities therein. On the other hand, the cyber-integration requires substantial investments on security designs and upgrades against unforeseen patterns and threats from the cyberspace. The collective research effort on cybersecurity and physical security have been striding fast and fostering a new area of CP security for the smart grid [2].
An essential and primary focus of CP security is the investigation of complex attack schemes. Powered by the information and computation resources in the cyberspace, malicious attackers can conceive intrigue schemes to exploit both known and zero-day vulnerabilities in the smart grid. Compared with traditional power system and communication network security, CP security is still in an 'infancy' period. However, existing investigations have already revealed some catastrophic consequences that are largely unprepared by the government, industry, and public. The assessments of vulnerability and resilience against the CP attacks are providing the cornerstones for comprehensive defensive plans and emergency responses for the critical electrical power infrastructure.
In the meantime, the investigations of attack threats and the developments of defence strategies remain far from comprehensive. Inspections of cyber and physical security are essential for the security of smart grid, but neither direction alone is able to provide inclusive understandings and solutions without incorporating the other. Although many of the revealed attack threats are accompanied with protection, detection, or mitigation strategies, a large portion of the uncovered threats still remain to be addressed. Furthermore, the ongoing developments and deployments of CPS and technologies in the smart grid are continuously unveiling new vulnerabilities and schemes; the known threats also merit prompt re-evaluation in line with the new progresses. It has thereby become a task of paramount importance to keep up with the latest advances along this research frontier.
To this end, this paper aims to provide a review on the state-of-the-art of CP attack schemes and defence strategies in the smart grid. Instead of enumerating all potential attack schemes, this paper will focus on the most critical schemes, where attackers have the potential to significantly disrupt or damage power system operations. The victims emerge from the critical assets in generation and transmission systems as well as the field devices of distribution systems and customers. As shown in this paper, the attack threats are substantial and prevalent, yet they may still just be the tip of the iceberg. We hope to facilitate the understanding of existing and emerging vulnerabilities and to inspire innovations and solutions for the security and resilience of the smart grid as well as other critical CPS infrastructures.
In the rest of this paper, we first provide an overview of the CP security problems in the smart grid in Section 2, which will introduce the smart grid as a CPS infrastructure and the need for an integrative perspective of CP security. In Section 3, we will review the critical CP attack schemes revealed by extensive investigations. Section 4 reviews the defence strategies developed against these revealed attack threats. Section 5 discusses the challenges and opportunities to address the security of smart grid based on the existing attack schemes and defence strategies. The conclusions are provided in Section 6. traditional paradigm of power system operations, the electricity is generated in power plants and delivered along the transmission systems to customers in the distribution systems. Energy management systems (EMSs) located in control centres monitor and control this unidirectional process through supervisory control and data acquisition (SCADA) systems. The SCADA systems are usually hosted on dedicated communication infrastructures comprising wide-area networks, field area networks, and local area networks. Networked sensors in the system collect measurements, e.g. voltage and currents, and transmit the data to the control systems through remote terminal units (RTU) in the SCADA system. The RTU are also responsible for the operation of actuators to adjust topology and parameters of the dynamic system. The physical systems of generation, transmission, and distribution are interconnected through transmission lines and substations deployed in the field. On top of these infrastructures, regional transmission organisations and independent system operators coordinate the system operations among service providers and consumers in the electricity market. An overview of the entire smart grid infrastructure has been shown in Fig. 1, which contains seven domains of generation, transmission, distribution, operation, electricity markets, service providers, and customers, as defined by the National Institute of Standards and Technologies (NIST) [4].
Innovative systems and technologies in the smart grid have been transforming the traditional power systems in numerous areas [5][6][7]. The growing integration of renewable energy systems (RESs) improves the sustainability and economics of generation systems. Distributed energy resources (DERs) allow customer-side power generation and management with more flexibility and reliability, reshaping the existing patterns of power flows from unidirectional into bidirectional. The phasor measurement unit (PMU) utilises global positioning system (GPS) to provide more frequent, accurate, and reliable synchronised measurements in the transmission systems, enabling the implementation of wide-area monitoring, protection, and control (WAMPAC) over high-speed communication networks [8]. The advanced metering infrastructure (AMI) systems with millions of smart meters in the distribution systems provide innovative two-way, real-time (RT) communications in the smart grid, which promote numerous benefits from demand response, energy management, and consumer engagement. In addition, the increasing presence of energy storage, electrical vehicles, and other emerging techniques are consistently introducing new changes to the generation, transmission, and distribution of electricity.
The information, computation, and communication systems in smart grid have instituted a ubiquitous cyber infrastructure interwoven with the PSs. Measurements and commands are constantly generated and transmitted between cyber and PSs. The measurements from the PSs are primarily composed of status data and analogue data: the status data contain the topological connectivity of power grid components; the analogue data are measurements of the system dynamics. On the basis of the measurements, operators determine the optimal control policies and issue the control commands to coordinate actuators in the PSs. In the presence of a fault or disturbance, diagnostic logs are recorded by supplementary recording devices to support the location, evaluation, mitigation, and restorations during emergencies.
Sensor measurements are processed by centralised and distributed computation devices deployed at different levels and locations in the smart grid. In the traditional centralised operations, critical computations in EMS, including the state estimation (SE), optimal power flow (OPF), economic dispatch (ED), and automatic generation control (AGC), among others, are hosted in the control centres. In pursuit of better efficiency, resiliency, and flexibility, latest developments in intelligent electronic devices and programmable logic circuits have increased the utilisation of distributed and localised computations in the smart grid.
Communications in the smart grid have been primarily hosted on proprietary SCADA systems and networks. Industrial protocols such as IEC 61850 and DNP3 have been developed for communications between and within control centres and substations. New communication standards are being introduced in the smart grid to accommodate the integration of renewable energies, energy storage, and PMUs. Meanwhile, with the increasing efficiency requirements and cost pressures, the smart grid also increasingly relies on public communication infrastructures. Industrial control systems are accessing the Internet via ICT interfaces. Two-way communications between service providers and customers are also widely established through the AMI system, allowing flexible demand response for reliability and economic benefits.

CP security of the smart grid
Security challenges in the smart grid have been on the rise in both physical and cyber spaces [9,10]. The power systems have inherent physical vulnerabilities that could result in massive blackouts from a small number of contingencies [11]. The integration of RES introduces non-linearity, uncertainty, time-variance to existing power systems, and the new patterns from DER are inducing significant impacts on the stability [12]. The cyber-integration has imposed significant security challenges, as tremendous threats arise from the attacker's ability to launch intrigue, remote, simultaneous, and/or coordinated attacks from the cyberspace. An informed attack scheme can exert disruptions and damages ranging from service interruptions, power blackouts, economic losses, to life-threatening threats, where personal, societal, and national securities may all be affected.
The research on cyber-physical security of the smart grid advances on a frontier of CPS, striving at the intersection of physical security of power and energy systems and the cybersecurity of information, computation, and communication systems [2]. Incorporation of the strengths of physical and cybersecurity is an essential requirement for the security and resilience of this critical infrastructure. In what follows, we will briefly discuss the strengths and weaknesses of physical and cybersecurity for the smart grid and highlight the importance of CP security.

Physical security:
The physical security of power systems has been protected through the screening and assessment of contingencies. The contingency analysis (CA) evaluates the power system security after credible inadvertent contingencies on a selection of operating points [11]. Typically, the CA covers faults, disturbances, and planned outages, among others. Contingency-related security constraints are subsequently established by the CA to ensure the survivability of power systems with minimal interruptions to the delivery of electricity. Both the steady-state and transient security analysis of power systems serve as the foundation of CP security for the smart grid.
However, the interconnected power systems and the emerging CPS have presented challenges to the physical security analysis. The complexity and cost of the CA increase dramatically when the system scales, rendering it difficult to conduct multi-CA or implement N − k security in bulk power systems. The heterogeneity and complexity of hardware, software, and operations in power systems also limit accurate and timely evaluation of remotely located contingencies whose impact could propagate through long distance at the speed of electromagnetic waveform. Without sufficient wide-area coordination, multiple local remedial actions may compete, instead of collaborate, with each other, resulting in deteriorate impacts such as cascading failures or blackouts [13].
Moreover, the cyber-integration introduces new challenges. Most field devices and systems are not designed with sufficient security features against malignant events, particularly from the cyberspace. As the cyber-integration exposes the system to access points and resources in the cyberspace, investigations have been revealing vulnerabilities, both unknown and zero-day, in the emerging smart grid. The lack of sufficient protection against coordinated cyber-attacks could be catastrophic, as illustrated in the cyber-attack on a Ukraine regional grid [14]. Intelligent and automated systems, which have been designed to enhance the system security and reliability, maybe turned as weapons against the smart grid itself. With all these emerging threats, the traditional power system security merits an in-depth overhaul in the era of smart grid.

Cybersecurity:
The cybersecurity has been identified as a major component in the development of smart grid [15]. Principles of confidentiality, integrity, and availability (the CIA triad) have been established for the information security in the system. Intrusion detection systems (IDSs) and firewalls have been deployed to defend control centres and field devices against external intrusions. Secure protocols have also protected the SCADA communications within and between control centres, substations, and actuators. Secured wired and wireless networks have also provided trustworthy communications for the emerging PMU and AMI systems.
Meanwhile, the cybersecurity for the smart grid also needs to further accommodate physical properties, requirements, and dependencies of power systems. For instance, though it is common to deny access to an account after a number of failed log-in attempts, it is mostly unacceptable in power system control systems. Attackers may utilise the mechanism to lock operators out of the system that will result in disastrous consequences. Moreover, anomaly and signature-based IDSs also need to adapt to emerging and diversifying patterns in the smart grid to effectively identify the malicious attempts. Last but not least, the RT data streams in the smart grid also pose big data challenges to the cybersecurity analysis. Similar to the physical security, there is an urgent need to incorporate physical aspects into the cybersecurity of the smart grid.

CP security:
A secure smart grid is contingent on the integrative security that combines the strength in both physical and cybersecurity analysis against both inadvertent and malignant events. Vulnerabilities and contingencies shall be investigated on a broader spectrum. The causes, processes, and consequences across the CP spaces shall be comprehensively analysed with consideration of the interdependence and interoperability therein. Smart grid operators should be aware of the risks of measurements and commands corrupted by attackers externally and internally. Mitigation and restoration effort need to be guided with adequate security awareness to avoid secondary damages in the post-attack systems.
In security analysis, critical vulnerabilities are often revealed through scenarios where attackers are characterised with feasible resources, knowledge, and objectives. The investigation of attack schemes often serves as the first step to establish security in a vulnerable system. While it is impractical to exhaust all potential attack schemes, the worst-case analysis is of practical meaning to understand the feasibility and impact of a potential attack threat. The extensive investigations into the smart grid security have revealed a significant number of attack schemes that could exploit critical vulnerabilities with severe disruptions and damages. The understanding of these schemes is critical to establish and enhance the CP security of the existing systems and technologies in the smart grid; it will also help direct the effort to discover new vulnerabilities and solutions for the emerging CPS in this critical infrastructure.

Overview
In this paper, we refer to CP attack as the intrigue schemes exploiting the vulnerabilities in the CP structure of the smart grid. Although dedicated attacks on either cyber or PSs also pose threats to the system, investigation on the integrative CP attacks is an emerging yet critical topic that remains largely unclear. The interconnection of millions of field devices has created a huge attack surface while associated vulnerabilities be remotely located across the CP domains; moreover, the interfaces in-between the CP structures are also vulnerable to attacks launched from both domains. Fig. 2 illustrates a typical CP structure of smart grid. The CP loop of information and operations can be compromised at the control centres and systems, two-way communication channels, and the physical power systems. The vulnerability of this structure has been illustrated in the recent incidence of Ukraine power grid attack in 2016 [14]: malware injected from the communication channels allowed the attacker to obtain illegal access to the control centres. The information was collected subsequently to determine the critical lines in the regional grid. Malicious commands were then sent to trip these lines that led to a widespread power blackout. The control system was further hacked to delay the restoration process.
Knowledgeable attackers can directly exploit vulnerabilities of control systems to exert immediate and significant impacts in the smart grid. Depending on the target systems or policy, the impact of control-based attacks ranges from transient voltage and frequency instability, steady-state line overloading and load shedding, to massive blackouts resulting from cascading failures. An introduction to the control systems in smart grid and their attack-resilience can be found in [16], and a generalised control-attack model has been developed in [17]. Measurement-based attacks pose another critical threat in the smart grid. Instead of directly manipulate control signals, attackers can compromise the measurements to weaken situation awareness by concealing the occurrence of disturbances or mislead control actions by reporting non-existing contingencies. Both types of attacks are within the scope of CP attacks discussed in this paper.
Two types of factors are commonly considered in the design of a critical attack scheme: the cost of the attacker and the cost of the defender. For the attacker, the costs typically include the resources and knowledge required to launch the attack; in many cases, the risk of being detected is also included. For the defender or operator, the costs typically comprise from equipment damages, power outages, and economic losses. The rest of this section will unfold the attack schemes on generation, transmission, distribution, and electricity markets, respectively.

Generation system attacks
Interconnected power systems are managed by corresponding control areas, among which redundant power generated in one area flow along the tie-lines into another. The power generation in each control area is required to meet the dynamic load demand and the net interchanges so the load-generation balance can be maintained. To this end, the AGC has been widely implemented in modern generation systems. A functional diagram of the AGC is illustrated in Fig. 3.
An AGC system consists of two major functions: (i) the load-frequency control (LFC) that maintains the load-generation power balance and system frequency; (ii) the ED that distributes the generation among generators with minimal operating costs subject to stability and security constraints. Since ED does not directly issue control commands to the system, we will focus on the LFC-related attack schemes herein.
The LFC uses a primary controller to govern turbine speeds and adjust the generator outputs. In addition, a supplementary/ secondary controller is employed to maintain system frequency based on the area control error (ACE). The ACE is obtained as a function of inter-area power interchanges DP TL and system frequency deviations Df where b is a scale factor. In normal operations, the value of ACE in each control area should be minimised toward zero. The Aurora attack is a test scheme that exploits the vulnerability in the primary controller of AGC [19]. In the original test conducted by the Idaho National Lab, an assumed cyber-attacker applies fast opening and closure of the circuit breakers of a generator. When the actions are conducted within a critical time window, the generator became desynchronised and was ultimately destroyed. The impacts of the Aurora attack range from a short-term power outage to a long-term generation deficiency. An Aurora-like CP attack with incomplete information of the power system has been subsequently developed [20].
CP attacks on the input of secondary controller have also demonstrated feasible impacts on power system frequency stability. Four typical manipulations on the AGC input, i.e. scaling, ramping, pulse, and random attack, have been investigated in [21]. The investigation has demonstrated that the attacked inputs have effectively misled the LFC to incorrectly perform under-frequency load shedding in response to a fake frequency deviation. In addition, a malicious attacker can also induce substantial instability in the generation system by exerting significant loss [22] or delay [23,24] of the measurement packets sent to the AGC.
A reachability analysis has revealed that malicious control signals sent by the LFC will cause inter-area power swinging in the system [25]. The swinging will mislead protective relays to trip generation units from the grid, leading to power shortages and/or outages as in the Aurora attack. Further investigation has proposed a malicious control policy that is robust against incomplete information and model uncertainty [26]: the incomplete information can be addressed by Markov chain Monte Carlo simulations and the model uncertainty is addressed by the feedback linearisation.

Transmission system attacks
Transmission systems are responsible for the delivery of generated power across long distance through transmission lines and substations. In the meantime, voltage regulations are also operated in transmission systems. Protective relays and circuit breakers are deployed to cut off overloaded lines, generators, and load demands in emergent situations. The multitude and criticality of the transmission systems have inspired a large number of investigations on the potential CP attack schemes targeting the control and monitoring systems for power transmission.

Interdiction attacks:
The interdiction analysis is among the earliest investigations of power transmission system vulnerability under large-scale malicious attacks [27]. An interdiction refers to the tripping of lines, transformers, generators, buses, and/or substations in the transmission grid. In practise, the interdiction can be conducted directly by manipulated control commands or indirectly by false measurements. On the basis of a steady-state model, a bi-level max-min optimisation problem for the interdiction analysis has been formulated as where an attacker leverages the interdiction to maximise the system operator's minimal costs of operation and load shedding. g(P, d) are the OPF constraint functions with an upper-bound vector b, c is a vector of linearised cost factors, and P are the power system dynamics subjected to physical constraints. The inner minimisation solves an OPF problem in normal operations, and the outer maximisation solves the optimal interdiction as a binary vector d in the complete interdiction set D. The solutions can be obtained by mixed-integer bi-level programming [28,29], greedy search [30], game theory [31], and generalised Benders decomposition [32]. An interdiction scheme targeting wind farms in the smart grid through vulnerabilities the SCADA/EMS system has been recently proposed [33].
While interdiction has been modelled as multiple concurrent tripping in the above investigations, sequential attack schemes have revealed the risks of blackout resulting from multi-line interdiction [34,35]. As the timing and order of interdiction are non-trivial challenges to the formulation of an optimisation problem [34,35], data-driven approach based on reinforcement learning [36] and heuristic approach based on risk graph [37] have been proposed to search for the critical attack sequence. Both sequential schemes have identified effective schemes to exploit the cascading failure vulnerability that leads to massive blackouts.

Complex network (CN)-based attacks:
A notable number of investigations have been developed based on CN theories [38]. In general, the CN-based attacks have employed the interdiction as the means of attack; however, it is commonly assumed that the attacker does not possess the knowledge of the RT operational information (the analogue measurements); instead, the attacker can only access the information of system topology (the status measurements). Interconnected power grids are modelled as graphs of nodes (substations) and edges (lines) with designated physical properties. Topological and structural information are then utilised to identify the most-vulnerable components in the transmission system, which can be further visualised intuitively [39,40]. A comparison has been summarised in Table 1 and illustrated examples on the IEEE 39-Bus New England Test System have been provided in Fig. 4.
The merit of investigations on CN-based attacks is two-fold: (i) the information required to launch a fully informed attack maybe inaccessible or incomplete; the obtained information may also become obsolete; (ii) a devastating attack does not necessarily rely on the full knowledge of the system dynamics; publicly and commercially available data can be used to construct effective schemes that cause catastrophic blackouts.
Among the CN-based attacks, topological models have been proposed to analyse the risk of cascaded attacks [42][43][44][45][46]. On top of the topological models, hybrid models have integrated topological and electrical properties to integrate structural vulnerabilities in the transmission system [47][48][49][50][51]. Cascaded attack schemes on substations and transmission lines based on the hybrid models have been proposed [52,53].

Substation attacks:
Transmission substations host multiple measurement, control, and communication facilities. A compromised or damaged substation often results in the simultaneous loss of the victim substation as well as its transmission lines. A report from the Federal Energy Regulatory Commission has suggested that, while there were over 55,000 substations in operation across the USA, the entire interconnected transmission system could suffer a major blackout when coordinated attacks had been launched on as few as nine transmission substations [54].
An early investigation on substation network security has demonstrated that an attacker is capable of penetrating multi-layers of firewalls and password protections to gain full control of a substation [55]. Credible impacts of multi-substation intrusions have been subsequently evaluated in [56], and the potential risks given consideration of cascading failures under multi-substation attacks have been demonstrated in [57]. As shown in Fig. 5, the clustering-based vulnerability analysis can effectively identify the most-vulnerable victims in a bulk power grid.
Within a compromised substation, the voltage control loop of flexible alternating current (AC) transmission system becomes vulnerable to malicious attacks [58]. Malicious messages can be injected to manipulate the configuration of the voltage controllers that results in voltage violations and oscillations in the system [59]. Detailed simulations of typical substation attacks have been conducted in [60], and the cybersecurity issues of substation automation systems have been comprehensively analysed [61,62].

CP switching attacks:
The switching attack is another family of CP attacks developed against the power transmission systems [63][64][65][66]. Circuit breakers can switch the transmission  Fig. 4 Knowledge of the transmission grid: from topological information to vulnerability analysis a Topological information: Connectivity of the system is shown by its topology, where generation substations are highlighted as circles and distribution substations are shown in green, respectively b Structural information: Static generation and transmission parameters are included into the one-line diagram [41] c Operational information: The per unit active power flows are included and shown in the three-dimensional contour map [41] d Vulnerability visualisation: A risk graph is constructed to conduct sequential substation attacks [39] systems between complex discontinuous dynamics. Given the system state x, the switching signal s(x, t), and two distinctive system dynamics f 1 and f 2 , the non-linear power system can be presented by the following variable structure system [67,68] x An informed attacker can issue malicious switching signals to re-configure the power transmissions based on local structure information, and the switched system is subsequently steered to a degraded or unstable operation states. With consideration of model errors and incomplete information, the investigation has shown that single switching attack will cause frequency and voltage instabilities in the system [67]. In addition, multi-switching attacks on distributed circuit breakers are able to initiate a series of cascading failures [68]. Recently, it has been shown that the switching attacks can also exploit the energy storage systems to destabilise the transmission systems [69]. Some discussion regarding the practical limitations of the switching attack have been provided in terms of sampling, quantification, and signal-to-noise ratio [70].

State estimation attacks:
The SE is a core function in the smart grid that has been shown to be vulnerable to a large number of CP attack schemes. As shown in Fig. 6, SE is the entry function that processes the raw measurements of system topology and dynamics to obtain accurate estimation of the state variables for various subsequent EMS applications [71]. In a linear direct-current (DC) model, the fundamental SE problem can be written as where z is the measurement vector, x is the state vector, n is a white Gaussian measurement noise, and H is the Jacobian matrix built on system topology. The estimation problem is commonly solved by the weighted least square (WLS) method. In practise, bad data from faulty sensor and missing data will degrade the estimation accuracy. Residual-based x 2 -test and largest normalised residual test have been employed in the bad data detection and elimination (BDDE) process to remove such bad data from the measurements. The false data injection attack (FDIA) is a notorious family of CP attacks targeting a vulnerability in the residual-based BDDE system. Assume that a malicious attacker has the ability to inject a false data vector a into the measurements, which in the form of z a = z + a. The FDIA scheme has revealed that, given the full knowledge of the Jacobian H, an attack vector a undetectable by BDDE can be generated [72]. The stealth attack vector is given in the form of a = Hc, where c is the false state vector. The sufficient and necessary condition of the existence of an undetectable attack vector has been proved in [73]. While the scheme was originally proposed based on the DC model of SE, it has also subsequently extended to the AC-based SE [74]. A recent survey [75] has provided a summary of the state-of-the-art in FDIA, while this paper would like to highlight three major objectives in the existing FDIA schemes:

Fig. 5 Self-organising map (SOM) based analysis of multi-substation attacks [57]. Distant substations from each of the coloured self-organised regions form a critical victim set that could result in massive blackouts in the system
Objective 1: Least-effort attacks: Find the sparsest attack vector with the least number of measurements to be compromised. Objective 2: Least-information attacks: Find the attack vector with the least required information of system topology. Objective 3: Target-specific attacks: Find the attack vector toward a specific post-attack effect.
For Objective 1, finding the least-effort attack is NP-hard problem [76], and the solution is dependent on the system topology. To effectively identify the minimal stealth attack, schemes have been developed based on heuristic [72], greedy [77,78], graph theoretic [79], and sparse optimisation [80,81].
For Objective 2, investigations have revealed that an undetectable attack vector can be constructed without the complete information of H. Stealth FDIA schemes with incomplete information have been developed based on graph method [82] and data-driven approaches [83,84]. Even without the knowledge of H, investigations have shown that historic measurements can still be used to construct an undetectable FDIA [85,86].
For Objective 3, FDIA has been utilised to exert specific damages. The maximal SE error can be obtained by solving a potential game with a minimal detection rate [87]. Errors can be propagated into the OPF solutions through customised FDIA schemes [88,89]. Line overloading can be further induced the erroneous OPF solution [90]. Target-specific FDIA schemes have also been developed systematically to induce load redistribution (LR) in the transmission systems and transmission congestion in the electricity markets to induce operational costs and obtain financial arbitrages, respectively. Detail introductions on both families of FDIA schemes will be provided later in this section.
Other than the FDIA schemes, it is notable that (4) also reveals other SE vulnerabilities. Instead of the measurement vector, the Jacobian matrix H can also be compromised to forge a false data [91]. Attacking the line impedance alone will also induce misinformed voltage deviations and load shedding [92]. A two-stage optimisation for undetectable state-and-topology attack has been developed in [93], which has effectively increased the risk of line outages.
In contrast to the construction of undetectable attack vectors, malicious attackers can also intentionally create detectable false data to reduce the availability of measurements. As the BDDE consistently removes bad data from the measurements, an attacker can manipulate the measurements to frame good data so they would be incorrectly removed [94]. In contrast to the FDIA schemes, framing requires no information on the topology or parameters of the system; a subset of the measurements provides sufficient information to manipulate the normal data into bad data. The scheme effectively increases the SE error by an arbitrary degree while the number of measurements to be corrupted has been significantly reduced.
An advanced jamming strategy has been proposed to obtain an optimal scheme in the presence of protected measurements based on recursive min-cut [95]. Further investigation has indicated that the jamming attack is effective unless all measurements have been secured [96]. In addition, the availability of status data can also be reduced by the jamming attack, in which attacking a single circuit breaker on a transmission line could effectively perturb the SE without corrupting any measurements [97].
3.3.6 Load redistribution attacks: LR attack is a variant of target-specific FDIA schemes [98,99]. With the knowledge of system topology and dynamics, the injected false data can be crafted intentionally to redistribute individual bus load in the system without changing the overall load demands. Both the location and the quantity of the stealth injection can be solved precisely by the proposed schemes to induce immediate and delayed operational costs from the redistributed load demand. A concept of attacking region has been proposed to construct an LR attack with incomplete information [100]. The attacking region can be effectively localised into the vicinity of a target transmission line [101]. The concept has also been utilised to identify attack vectors in the AC SE with incomplete information [102]. A recent investigation has validated the non-negligible impact on the power system reliability from the LR attacks [103].
Investigations have demonstrated that the LR attacks can be utilised to construct coordinated multi-stage schemes [104][105][106]. First, a designated scheme has been proposed to mask the occurrence of line outages to the system operator [104]. The masking attack has been further utilised to conceal line outages created by the LR attack. A bi-level optimisation problem has been formulated for this combined scheme with consideration of the defender's responses [105]. The scheme has been further developed into a tri-level optimisation problem against the security constrained ED in the EMS [106]. It has been revealed that an attacker is capable of identifying an effective scheme to create line overloading in the system, even if the operator implements a dedicated multi-solution strategy against the LR attacks. These serial LR schemes have illustrated that CP attacks can be orchestrated to compose sophisticated multi-stage schemes with severe impacts.

PMU attacks:
Compared with the SCADA system, the PMUs are collecting more frequent and accurate measurements for the WAMPAC system [107]. Communications with GPS satellites provide time stamps to all PMUs, so that their measurements can be synchronised for significantly enhanced situation awareness in interconnected power systems. However, recent investigations have revealed that the dependence of GPS signals for synchronised measurements can render PMUs vulnerable under spoofing attacks [108,109].
Spoofing is the malicious impersonation of a trusted device in the system, which has been used to provide fake time stamps to the PMUs [108]. Two types of errors induced by corrupted time stamps have been identified: the phase angle error and the time of arrival (TOA) error. The phase angle error will mislead fault detection and location of transmission lines with an amplitude modulation and create false stability margins with incorrect Thevenin equivalents; the TOA error will result in miscalculation of disturbance event locations that delays or misleads mitigation and restoration effort. The spoofing can also alter the clock offset of a receiving PMU to increase both false alarms and false negatives in voltage stability monitoring systems [109].

Distribution system/customer-side attacks
Millions of smart meters have been installed in the AMI systems across the USA and more are on the way. These smart meters provide RT two-way communication between customers and the utility. In general, the AMI system is composed of smart meters, data concentrators/aggregators, and AMI head-ends, which has been hierarchically deployed from customers to the distribution systems [110]. Owing to budget and hardware limitations, smart meters only carry limited or light-weight security mechanisms against malicious attacks [111,112]. This makes them vulnerable and frequent targets of CP attacks. Although each meter has limited impacts on the system stability when compromised, the CP threat of AMI attacks is not negligible, particularly when a cluster of smart meters has been attacked [113].
To date, energy thefts [114,115] and information/privacy leakages [116][117][118][119] have been identified as the most prominent threats to the AMI system. The former will result in economic losses at various scales, while the latter maybe exploited to infer customer behaviours and personal information. In addition, the threat of denial-of-service attacks is also a critical issue in the smart grid, as it limits the availability of reliable and available measurements [120]. By compromising any smart meters, an attacker can exploit the ubiquitous two-way communication to flood the AMI system with malicious packets, which may effectively paralyse the metering networks [121,122].

Electricity market attacks
In the smart grid, the price of electricity is determined by the locational marginal prices (LMPs) from the day-ahead and RT markets, which are both obtained by solving respective OPF problems. Recall that in Fig. 6, the solution of OPF is dependent on the network topology and estimated system states; as a result, the LMP is also vulnerable to SE attacks [123].
CP attack schemes exploit the RT LMP vulnerability in the transmission congestion management. A transmission congestion occurs when the power flow on transmission lines reach the line capacity (i.e. the thermal rating limit). To meet the electricity request under congested conditions, generators in the vicinity will be temporarily dispatched, which are often considerably more costly. As a result, the price of electricity is affected dramatically on an imminent congestion. An attacker can leverage this mechanism to gain illegal profit from the price margin before and after the attack or induce frequent transmission congestion to impose expensive operations to the system.
Investigations have identified several feasible schemes targeting the RT markets. Attacks schemes have been developed based on vulnerabilities in virtual bidding mechanism [124], system topology information [73], generation ramping limits [125], and distributed energy management [126]. The sensitivity of LMP to the corrupted sensor data has been investigated in [127], and an index to quantify the impacts of electricity market attacks has been proposed [128]. Instead of manipulating the line flow in the measurements, the line ratings can also be attacked to induce transmission congestion [129]. The RT pricing system is also vulnerable under data integrity attacks, e.g. scaling and delay attacks, which will cause demand/price fluctuations as well as increase system operating costs [130]. A stealth scheme to generate arbitrary pricing signals has been further proposed in [131]. In addition to the impacts on the control and management side, the hijacked pricing information can alter the load demand of customers, which will retroactively create overloading and instabilities in the system [132].

Defence against CP attacks
The extensive investigations on potential CP attack schemes have allowed grid operators to establish various defence mechanisms, which have been commonly orchestrated in three stages: protection, detection, and mitigation. In this section, we will review the generic and attack-specified defence strategies against the CP attacks as follows.

Protection
Generic protection against CP attacks relies on the establishment of secured communication, the preservation of critical information, and the alleviation of exposed vulnerabilities. Since the early discussion on the challenges of cybersecurity in power systems [133], innovative systems, protocols, and technologies have been developed for the protection of smart grid security. These effort have been reiterated in a number of comprehensive reviews [134][135][136][137]. The secure communication in smart grid can effectively dissolve a majority of the CP attack threats. While it is difficult to conduct field tests on the operating power systems, dedicated security testbeds have been developed to validate the attack schemes and facilitate the development of security enhancements [138][139][140][141][142][143][144]. A framework has also been developed to evaluate the exposure of physical components in the cyberspace [145].
Meanwhile, a number of attack-specific protections can be implemented strategically to reduce or erase certain CP attack threats. The threat of FDIA schemes can be effectively reduced or eliminated by the protection of a few critical measurements, as the stealthiness is dependent on the number of measurements being compromised. The protection can be achieved by the installation of secured or encrypted devices on critical locations so the protected measurements are immune to the injections. To identify these locations, greedy algorithms have been proposed to heuristically search for the critical subsets of measurements [77,146]. Mixed-integer linear programming optimisation [147,148] and game-theoretic approach [149] have been proposed with consideration of the costs of attackers and defenders, respectively. The optimal locations can also be obtained by graph-based approaches, which also provide suboptimal solutions for situations where the complexity is a major concern [150]. Protection strategies for critical measurements against the FDIA-based LR attacks have also been proposed in [98,99].
Alternatively, protection against FDIA can be achieved through the preservation or rearrangement of crucial information in the system. Covert power network topological information can effectively enhance the security of SE when a subset of the line reactance has been preserved from the attacker's knowledge [151]. Re-configuration of the topological information in the cyberspace can also eliminate the risk of FDIA in large-scale distribution systems [152]. Recent development of distributed SE systems has also exhibited promising attack-resilience for the protection of SE measurements [153].
For the AMI systems, secure key management and distribution mechanisms have been developed as the most effective protection against unauthorised accesses to smart meters [154][155][156]. In addition, game-theoretic approach for the optimal deployment of encrypted smart meters with limited budget [157] and Markov decision process (MDP)-based preventative maintenance strategy [158] have both been developed for the protection of smart meters.

Detection
Despite the protection effort, an attacker will still have the advantage to initiate attacks on poorly protected components. In case of such protection failures, IDSs are employed as the major defence mechanisms at the second stage. Signature-and anomaly based IDSs have been developed against known and unknown attack threats, respectively, which are deployed at various layers and locations to detect the traces of imminent attacks. These early warnings allow system operators to react with proper countermeasures and/or emergency plans so the attack impacts can be minimised.
At the control centres, generic detection mechanisms have been developed and integrated into CPS control systems. Both model-based [159] and game-theoretic [160] approaches have been developed to provide effective security enhancement against the CP attacks. Physical watermarking of control inputs is a promising technique to authenticate the integrity of control systems [161]. With the physical watermarking, an artificial control noise known only by the operator is injected to produce predictable measurement outputs from the controlled systems. Since the noise is unknown to the attacker, the pattern between the noisy-input and predicted output will be altered and subsequently detected in the presence of an attack. A run-time semantic analysis has also been developed to provide early warnings on altered control commands in the SCADA system [162]. With an efficient look-ahead power flow analysis, the semantic analysis simulates the execution consequence of control packets to issue alerts if the execution would result in unfavourable impacts such as line outages.
A model-based IDS has been developed against the input attacks on the AGC system [21]. The IDS utilises RT load forecast to predict the ACEs over time, and their performances are compared with that of the actual ACEs obtained. With statistical and temporal characterisations of these performance, anomaly detection in the IDS is able to detect scaled and ramped inputs before they are sent into the AGC system.
Interdiction in the transmission system maybe observed by effective online contingency screening [163]. The nature of these tripping can be further examined by IDSs deployed at substations. A standard-specific IDS for automated substations has been proposed in [164]. A dedicated IDS has been developed to identify temporal anomalies induced by multi-substation attacks [56]. Host-based and network-based IDSs have been integrated in an innovative strategy against simultaneous multi-substation intrusions [165].
While the threat of PMU attacks has only been revealed recently, detection mechanisms have been developed against both manipulation and spoofing attacks on PMU. Innovative IDSs have been proposed against generic manipulations of PMU data based on whitelist/behaviour [166], network topology [167,168], and data mining [169]. A comprehensive IDS across both physical and cyber layers has been developed to identify the PMU data attacked by the GPS spoofing [170].
Hierarchical IDSs have been developed against CP attacks on the AMI systems based on behaviour rules [171] and data stream mining [172]. A distributed multi-layer IDS has been proposed in [173], and an early warning system has been developed in [174]. Active inspections by the service providers and mutual inspections between the providers and the customers have been developed to effectively detect attacked smart meters [175,176]. To hold a malicious meter accountable in home area networks and neighbourhood area networks, an effective peer-review strategy has been developed in [177]. To detect energy thefts, an evaluation of IDSs has been conducted in [178], while machine learning-based IDSs have been recently developed in [179,180].
Detection mechanisms against the FDIA schemes have been developed along multiple directions. An integrative Kalman filter-based detector against both bad data and false data has been developed in [181]. Instead of a WLS estimator, a Kalman estimator has been implemented in this innovative mechanism. A x 2 -detector is then used to detect the bad data and an Euclidean detector is used to detect the false data. High-performance FDIA detectors have been proposed based on adaptive cumulative sum detection [182] and quickest detection [183]. An online anomaly detection considering load forecasts, generation schedules, and synchrophasors has also been developed in [184]. Furthermore, machine learning approaches have been proposed to identify the false data based on statistic information. Both supervised distributed support vector machine based on alternating direction method of multipliers and semi-supervised anomaly detection based on principal component analysis have been developed recently to classify the false data from the normal data even with incomplete measurements [185]. A variety of supervised and semi-supervised classifiers have also been evaluated in [186], which have displayed robust performances in both online and offline scenarios. Using historic data, generalised likelihood ratio detector can provide the optimal detection against weak FDIA schemes when the attacker could not compromise the minimal required number of measurement to construct undetectable FDIA schemes [79,187].

Mitigation
When signs of an attack have been confirmed, mitigation efforts are made by the system operator to minimise the potential disruptions and damages. If the attack has been cleared from the system, existing mitigation and restoration mechanisms can effectively resume the secure and reliable power system operations. However, if the attack threat has not been resolved, the operator needs to consider persisting malicious attempts in the system. In such interactive scenarios, mitigation strategies are commonly modelled and solved by bi-level optimisation or game-theoretic approaches.
An attacker-defender game has been developed against generic attacks on power system components [188], and a zero-sum game between an informed cyber-attacker and a system operator has been proposed under different network configurations [189]. To deceive an attacker with misinformation so the attack damage can be reduced, a zero-sum Markov game has been proposed in [190], based on which a scalable solution has been further developed [191].
For mitigation against interdiction, a tri-level optimisation has been developed, which introduces countermeasures of the defender in a third-level minimisation into the problem [192]. Alternatively, line switching has been proposed as an effective strategy to mitigate the interdiction, which is introduced directly in the lower/ inner-level of the bi-level optimisation. The solutions with the minimal cost of the operator can be obtained by genetic algorithm [193], Benders decomposition [194], and single-level reformulation [195]. In addition, MDP has also been integrated to model the attack-defence interaction in a substation intrusion [196]. By modelling a successful intrusion as a probabilistic event, the investigation has formulated a competition to gain access of multiple substations between the attacker and the operator. The optimal solution is obtained with consideration of system parameters, the attacker's resources, and the operator's budgets.
A coordinated mitigation framework for the mitigation against FDIA has been developed in [197]. Security metrics have been proposed within the framework to evaluate the importance of substations and measurements. Strategies in both the network layer and the application layer have been developed to mitigate the threat of attacks. Game-theoretic approach has also been applied to achieve an optimal equilibrium given the resources and costs of attackers and defenders [149], where a notable strategy has been identified for the multi-attacker scenario: the defender can use the game-theoretic approach to achieve a critical equilibrium, at which the impacts from multiple attackers can be cancelled even when the operator has no knowledge of the attacker's intentions. The zero-sum game approach has also been applied for the mitigation of attacks on electricity market where the attacker is given limited resources [198].

Opportunities and challenges
The smart grid encompasses a vast diversity of devices and facilities that are vulnerable under CP attacks. Despite the extensive research effort reviewed in this paper, the vulnerability and security of a large portion of components in the smart grid remain to be carefully examined in the presence of a potential attacker. Critical mechanisms such as the unit commitment, demand response, and distributed intelligence may also become targets of malicious attacks, for which the potential damages remain unknown to date. Large-scale integration of DER including energy storage, distributed generations, and electrical vehicles will have strong impacts on the stability that can be exploited. In addition to the expansion of vulnerability screening and assessment, we would also like to highlight four critical opportunities and challenges in the future investigation of CP attacks as follows.

Influence of interdependence
Interdependence is a driving force behind the development of smart grid security. To date, the majority of CP attack schemes have exploited the interdependence to launch attacks in the cyberspace and induce damages to the PSs. Meanwhile, the physical attacks targeting cybersecurity have been less investigated, but the threats can be nevertheless devastating when the dependence of PSs is exploited. Most cybersecurity mechanisms have assumed the availability and reliability of electrical power to operate designated electronic devices. Under physical attacks, these devices can be damaged or disabled by intentional surges and outages of electricity. Such vulnerabilities should also be integrated into the investigation of the CP security in the smart grid. It should also be noted that vulnerability of CP interdependence maybe exploited frequently and interactively by complex intrigue schemes. Assume that an attacker has launched an attack and successfully induced a power outage: during this outage, the security mechanism on some critical field devices can be compromised, and the parameters and data stored therein maybe manipulated. Once the power has been restored, the attacker can either utilise the compromised device to access more information from the cyberspace or induce further damages into the physical system. To date, there are still limited investigations into this kind of schemes that repeatedly exploit the vulnerability of the CP interdependence.
On a broader sense, the interdependence does not only exist between the cyber and physical spaces within the smart grid. Through cyber and physical interconnections, other critical infrastructures are also vulnerable under CP attacks on the smart grid, as illustrated in Fig. 7. Investigations on the crossinfrastructure interdependence have largely remained to be conducted.

Temporal vulnerability
CP attacks are largely equipped with the ability to launch multiple remote and coordinated intrusions. While most of the multi-target schemes reviewed in this paper have constructed the attacks in a simultaneous manner, time has been less frequently considered as a relevant factor mostly due to the complexity of time-domain analysis. However, the timing of multiple attacks, particularly for those launched in a sequential manner, is critical to the potential impacts of CP attacks in a realistic scenario.
For instance, attacks launched during the peak load and the normal load will most likely result in different impacts on system stability, which shall be responded with different levels of attack awareness. In addition, when an attack vector is successfully injected into the system, the duration it remains undetected and uncleaned will also have a substantial influence of the damage it can exert in the system, as discussed in the feasibility of Aurora attack [19]. In addition, as revealed in the sequential interdiction on transmission lines and automated substations [35][36][37], the timing and ordering of coordinated sequential attacks will also play an important role in the eventual blackouts. With a proper timing, not only will concurrence be removed as a stringent condition of attack feasibility, but the early warnings of an imminent large-scale attack can be diluted. Nevertheless, informed sequential attacks have still demonstrated the ability to cause greater damages than the concurrent counterparts.

Imperfect attacks
Investigations of CP attacks are often conducted in the worst-case scenario to fully evaluate their impacts on the system. Assumptions of the worst-case scenario usually include the full access of resource, knowledge, and/or control of the system as well as a well-defined intention of the attack objective. These 'perfect attacks' are crucial to reveal the maximal damages an attacker may induce in the system.
However, in terms of practical and usable security, a perfect attack is usually infeasible. The attacks that an operator may face more frequently are the imperfect attacks, some of which could be completely uninformed.
While incomplete information, hierarchical information, and limited resources have been considered in some of the investigations, the evaluation of system vulnerability under imperfect attacks need to be incorporated as a standard feature to investigate and grade the threats of all feasible attack attempts. More specifically, the level of security should be evaluated with respect to the level of resource, knowledge, and control compromised by the attackers, so that corresponding level of warnings and responses can be effectively developed.

Attack-resilient designs
As it is impossible to enumerate or eliminate every potential attack threats for a perfectly secured smart grid, the concept of attack-resilience should be integrated against the permanent presence and evolution of threats. Additional security features and mechanisms against the most common attacks should be incorporated into the design of measurement and control systems. The costs of attack-resilient designs should be balanced with that of emergent situations, so that a proper trade-off between economic concerns and broader impacts can be achieved. Meanwhile, security analysis should be aware that the development and deployment of advanced and distributed intelligence are double-edged: the intelligent systems are both targets of CP attacks as well as tools to defend against them. Along with the upgrades being made in generation [199], transmission [200], and distribution systems [201,202] of the smart grid, security analysis should integrate the impacts of these upgrades, enhance their resilience against potential attacks, and utilise their potentials to improve the security.

Conclusions
CP security is at the core of modern CPS. In this paper, we focus specifically on the CP attacks and defences in the smart grid by providing a comprehensive and systematic review of the state-of-the-art in the field, ranging from security foundations, attack schemes, defence strategies, to a wide range of opportunities and challenges. As smart grid has become one of the key technological and economic developments around the globe, this survey provides critical insights into enhancing energy security by maintaining the integrity of smart grid under complex CP attacks.

Acknowledgment
We gratefully acknowledge the support from the National Science Foundation through grants CNS 1117314 and ECCS 1053717.