A Data-Driven Framework for FDI Attack Detection and Mitigation in DC Microgrids

Abstract

This paper proposes a Data-Driven (DD) framework for the real-time monitoring, detection, and mitigation of False Data Injection (FDI) attacks in DC Microgrids (DCMGs). A supervised algorithm is adopted in this framework to continuously estimate the output voltage and current for all Distributed Generators (DGs) with acceptable accuracy. Accordingly, among the various evaluated supervised DD algorithms, Adaptive Neuro-Fuzzy Inference Systems (ANFISs) are utilized because of their low computational burden, efficiency in operation, and simplicity in design and implementation in a distributed control system. The proposed framework is based on the residual analysis of the generated error signal between the estimated and actual sensed signals. The proposed framework detects and mitigates the cyber-attack depending on trends in generated error signals. Moreover, by applying Online Change Point Detection (OCPD), the need for a static user-defined threshold for the residual analysis of the generated error signal is dispelled. Finally, the proposed method is validated in a MATLAB/Simulink testbed, considering the resilience, effectiveness, accuracy, and robustness of multiple case study scenarios.

1. Introduction

Microgrid (MG) integration into the power grid has emerged as an effective strategy for improving power grid reliability and efficiency in recent years. When conventional power systems are damaged during extreme events, MGs have demonstrated self-healing and resilience capabilities [1]. Because of their operational flexibility and controllability, MGs are a viable solution for increasing the resilience of power systems. In addition, in some cases, DC MGs (DCMGs) distribution systems have become more popular than traditional AC MGs (ACMGs) for the following reasons [2,3]: a more straightforward control system, because the vast majority of Renewable Energy Sources (RESs) have DC outputs; easy integration with a wide range of the RESs, including PV systems, fuel cells, and batteries; and no need to tackle with reactive power flow, power quality, and frequency regulation challenges [4,5,6]. DCMGs can be used in many applications, such as distribution systems, data centers [7], electric ships [8], aircraft [9], and so on. It is worth noting that DCMG-based ships may offer advantages over ACMG-based ones, particularly regarding operability and component size.

Over the past few years, an increased penetration of RESs in traditional power grids has raised some concerns about the reliable and stable control of DCMGs. To tackle this challenge, a coordinated control of sources, loads, and energy storage is necessary [10]. Among several potential control structures for DCMGs and in light of the DCMG’s main control objectives, the dynamic state of charge balancing, proportional load current sharing, DC bus voltage restoration, and the hierarchical control schemes have gained considerable attention [11,12,13,14]. Three primary, secondary, and tertiary levels typically comprise hierarchical control structures [15]. Although the droop-based controllers typically have a decentralized structure at the primary level, the controllers in the secondary and tertiary control layers are typically centralized in nature. Given the rapid development of communication networks, distributed schemes are becoming more applicable in microgrid control systems due to their high reliance on communication networks [16]. The distributed control scheme with a hierarchical structure has received considerable attention and has been used in DCMGs more than the other control structures. The distributed control systems’ reliance on a global communication network makes the entire system vulnerable to cyber-attacks. This has led to a greater interest in developing and implementing attack detection strategies for DCMGs using distributed control systems; however, significant technical gaps remain [17,18,19].

Conventional DCMG control systems cannot identify malicious attacks, degrading grid reliability and efficiency. Therefore, an ideal DCMG needs an effective control system to achieve the desired performance and provide the capability to detect and mitigate cyber-attacks of different types. False data injection attacks (FDIAs) [20], denial of service (DoS) [21,22], hijacking [23], replay [24,25], and man-in-the-middle attacks [26,27] are some more frequent examples of cyber-attacks that can occur in DCMGs. In a distributed control scheme, steady-state values of the grid’s measurements and control variables are the most common and straightforward cyber-attack targets. Cyber-attacks can cause imbalanced output power/current, bus voltage deviations, and grid instability from the perspective of the control system. FDIAs seem to be the most notable form of cyber-attack reported more frequently in recent years [28]. During FDIAs, an attacker modifies the sensor measurements or control variables by either adding or subtracting incorrect data. Physical protection strategies, such as hard-wiring the sensor outputs to ensure physical layer security, can be implemented in some cases to reduce the number of such damages.

Generally, to cope with the negative consequences of cyber-attacks, one of the main goals of distributed control systems for DCMGs is to maintain the system’s resilience in the presence of malicious attacks. Thus, many studies are dedicated to addressing resilience issues of power systems and DCMGs. In [20], a unique vulnerability factor is proposed for the FDIAs detection on microgrid voltage measurements to identify the attack location and the difference between the real and tampered data. In [18], for robust detection in a DCMG testbed against electrical parameter perturbations and unknown disturbances, the authors formulate a multi-objective optimization problem based on a parity-based method. In [29], a distributed noise is applied to the secondary control unit, causing negative consequences in the control variables and raising MG stability issues. Despite the disadvantage of having lower performance in detecting FDIAs on specific state variables in [30], the authors proposed a unique method to determine the difference between actual and attacked data based on Kullback–Leibler distance.

Moreover, some Data-Driven (DD) algorithms, such as supervised and unsupervised deep learning approaches, have been used in MGs for cyber-attack detection. For instance, to classify the measured data into secure and attacked categories, a DD-based method is used in [31]. In addition, online learning algorithms (supervised and semi-supervised) are employed with the decision- and feature-level fusion to model the attack. In [19], the authors suggest a decentralized artificial neural network (ANN)-based method for detecting and removing coordinated FDIAs on current measurements to achieve a secure control scheme. Using a proportional–integral (PI) control strategy, a reference tracking method is proposed, in which a unique ANN predicts the PI controller references of each DG unit. In addition, a deep learning system is used in [32] to learn the features of an attack and defend against transmission supervisory control and data acquisition attacks. Unsupervised feature learning minimizes the reliance on the system’s model and human experience in various complicated scenarios. In [33], the authors propose a real-time deep learning-based scheme for detecting FDI attacks. By utilizing a conditional deep belief network, the high-dimensional temporal behavior features of the unobservable FDI attacks are efficiently determined by ignoring the state vector estimation mechanism. In [34], a recurrent neural network-based FDIAs detection system is proposed for residual analysis in a DCMG. The voltages and currents of the DGs are estimated using a nonlinear autoregressive exogenous model of the DCMG.

Some blockchain-based data protection systems in power systems have recently been discussed. The protection system can protect the system against some kinds of cyber-attacks by utilizing blockchain-based techniques. In [35], the authors develop a blockchain-based differential protection technique specially tailored for DCMGs. According to their protection scheme, a blockchain system is accompanied by several differential relays to protect the DCMG from cyber-attacks. In this technique, the differential relay identifies internal faults and isolates the defective line before completely discharging the capacitor. They also develop a new threshold selection approach for the differential relay to detect high-impedance faults.

However, to the best of the authors’ knowledge, the majority of the above-mentioned reviewed techniques have two serious shortcomings for detecting cyber-attacks in DCMGs. First, most of them are based on a residual analysis, which necessitates a user-defined static threshold to distinguish between the attacked and normal data. A slight difference between actual and estimated values makes the system more sensitive to this threshold level and increases the rate of false alarms. Determining a suitable threshold level using either strict or flexible values adds new challenges to the main cyber-attack detection and mitigation schemes. Second, high-resolution data about the intrusion, such as the location of the attack, is inaccessible. As a result, a new detection strategy that can indicate not only the presence of an attack but also the location of the intrusion is required.

To address the above-mentioned issues, this study provides a DD-based FDIA detection and mitigation framework. Since real-time performance is crucial in this framework, output voltage and current estimators with a low computational burden and satisfactory accuracy are needed. In [36], a couple of DD-based estimators’ performances which can be implemented in real time are compared in terms of precision, recall (the recall is represented by the ratio of the number of correctly predicted positive samples (attack occurrences) to the all number of instances), accuracy and F1 score (the F1-score is a metric that combines the precision and recall metrics to provide a more comprehensive evaluation of the model accuracy and sensitivity simultaneously). According to the research conducted in [36], an Adaptive Neuro-Fuzzy Inference System (ANFIS)-based estimator is selected in this study because of its reliable performance, high robustness, and low computational time with an acceptable accuracy in output voltage or current estimation among the typical DD-based methods for regression problems. As the ANFIS’s structure is based on fuzzy logic and ANN, it can benefit from both the learning capability of ANNs and the inference ability of rule-based fuzzy systems. Using ANFIS brings more flexibility and adaptability in predicting the relationship between input and output while simplifying implementation. The evaluation results demonstrated that the ANFIS-based estimator outperforms the other Feedforward Neural Network and Decision Tree-based estimators in the same FDI attack detection framework, with an accuracy of 99.40% [36]. The authors believe that other supervised DD-based systems can also be used in this framework if they are trained well and have acceptable real-time performances for the underlying application. This study shows that the above-mentioned design objectives in the proposed real-time FDIA detection and mitigation framework are met by utilizing ANFIS as an output estimator.

In the proposed framework, the presence of an attack in a cyber-physical system is detected using change point (CP) detection in error signals provided by each DG unit. Based on the selected detection metric (error signals), if any positive or negative changes are detected, the detection method highlights the CPs in error curves as attack intrusion. Using the CP detection method avoids entirely misdiagnosis due to the similarity of the effect of abrupt load fluctuations in the system and the effects of FDI cyber-attacks. Furthermore, unlike the recently published attack detection method in [27], there is no longer a need for a user-defined threshold for real-time residual analysis. For instance, if the threshold is too low, the attack detection system’s robustness to environmental noise decreases, resulting in a significant number of false-positive alarms on the FDI detection. On the other hand, if the threshold is set too high, the efficiency of the attack detection system may be degraded; thereby, the number of hidden intrusions into the system increases.

In addition to detecting the presence of a cyber-attack, the proposed method can detect the place of the intrusion in current or voltage sensors in each DG unit. The location of the cyber-attack can be determined by making small changes in the error signal related to each voltage or current sensor. Furthermore, the proposed mitigation scheme adds the absolute difference between the estimated data by ANFISs and the received tampered data with the opposite sign to the received tampered data from the manipulated unit. These new data are considered as the approximation of safe data and given as the control system input to recover the pre-attack performance. The proposed method is validated in terms of resilience, effectiveness, accuracy, and robustness in multiple case study scenarios using MATLAB.

The main contributions of this paper are listed below:

• Developing a data-driven detection and mitigation framework for the real-time monitoring and detecting malicious system activities in DCMGs.
• The proposed framework can detect not only the presence of a cyber-attack but also the place of the intrusion, which could occur in either the current or voltage sensors of each DG unit, making the mitigation process easier.
• Proposing an online change point detection mechanism, which eliminates the need for a use-defined static or dynamic threshold for the residual analysis of the generated error signal.
• Proposing an online attack mitigation mechanism, which maintains the system performance in an acceptable range without the need for plugging out attacked units during intrusion.
• The proposed framework can distinguish between different types of FDIAs and regular load changes, which is one of the most complicated design challenges for FDI detection and mitigation schemes, which reduces the rate of mis-alarms.

It is worth mentioning that the proposed framework is designed for the distributed control of DCMGs to cope with FDI attacks on communications links.

The rest of this paper is organized as follows: Section 2 provides a brief overview of the ANFIS system used in this paper and the modeling of FDI. Section 3 elaborates on the description of the proposed strategy. Real-time simulation results are provided in Section 4. Finally, the paper is concluded in Section 5.

2. ANFIS Design and FDIA Modeling

2.1. ANFIS Design

Power systems, and MGs in particular, use ANNs and Fuzzy Inference Systems (FIS) in a wide range of applications. The ANFIS was designed to take advantage of the ANNs’ learning ability and the rule-based fuzzy logic system inference capability. ANFIS learning is a hybrid learning method that can form the relationship between the input and output based on knowledge inference and input–output data [37]. The effectiveness of this technique has been proved in nonlinear system modeling, identifying the nonlinear parameters in online control, and predicting time series models’ parameters, just to mention a few.

A FIS system uses fuzzy theory to map inputs to outputs; common components include a fuzzy decision-making unit, fuzzification and defuzzification interfaces, fuzzy membership functions, and fuzzy rules. The fuzzy decision-making unit employs fuzzy if–then rules and fuzzy membership functions to transform the input vector’s fuzzy value into the output vector’s fuzzy value. Five different layers make up a standard ANFIS architecture (shown in Figure 1): fuzzification, implication, normalization, defuzzification, and combination. The ANFIS design procedure and the training phase are discussed in greater depth in [36].

2.2. FDIA Modeling

Generally, the information from the current(s) and voltage(s) measurements in the DC system are the points that are vulnerable to FDIA. Usually, the attacker with sufficient access to the system information tries to manipulate the actual system measurements by adding cleverly designed attack values which negatively affects system performance. For better clarity, the FDIA model expressions for the received signals from the system’s voltage or current sensors can be described as follows, i.e., based on two states: Attacked or Normal.

$$V_{d{c}_j}\left(t\right)=\{\begin{array}{ccc}{V}_{d{c}_j}\left(t\right)+C_j^V\left(t\right)\hfill & \hfill \delta =1\hfill & \hfill \left(\mathrm{Attacked}\right)\hfill \\ V_{d{c}_j}\left(t\right)\hfill & \hfill \delta =0\hfill & \hfill \left(\mathrm{Normal}\right)\hfill \end{array}$$

(1)

$$I_{d{c}_j}\left(t\right)=\{\begin{array}{ccc}{I}_{d{c}_j}\left(t\right)+C_j^I\left(t\right)\hfill & \hfill \delta =1\hfill & \hfill \left(\mathrm{Attacked}\right)\hfill \\ I_{d{c}_j}\left(t\right)\hfill & \hfill \delta =0\hfill & \hfill \left(\mathrm{Normal}\right)\hfill \end{array}$$

(2)

where $V_{d{c}_j}\left(t\right)$, $I_{d{c}_j}\left(t\right)$, and $C_j\left(t\right)$ denote the received signals from the voltage and current sensors and the attack value, respectively [38]. Here, $j\in \left\{1,\cdots ,N\right\}$, where N denotes the number of DG units. Based on the value of $\delta$, the presence of an attack is detected. Using this FDIA model, all types of FDI attacks, including time-variant (dynamic attacks) and time-invariant (static attacks) ones and hijacking attacks, can be mathematically represented. In other words, all types of FDIA can be divided into two types of attacks: (a) adding false data to the actual value before injecting it into the system and (b) entirely replacing the actual data with fake data. In the second type, which is also referred to as a hijacking attack, it is acceptable to consider that two false values are simultaneously added to the measured data. The first piece of data can be assumed equal to the measured value with the opposite sign ($-V_{d{c}_j}\left(t\right)$), and the second piece of data can be considered false data ($C_j^V\left(t\right)$).

As mentioned before, in this study, it is assumed that due to the attacker’s adequate level of access to the system information, smartly designed FDIs are generated and added to the actual current(s) and voltage(s) measurements. Thus, different types of FDIs can be considered as $C_j^V\left(t\right)$ and $C_j^I\left(t\right)$ in the attack model expressions, which are added to the voltage and current measurements. It should be noted that since the proposed framework in this paper employs a modeling approach that is only valid for FDIA, it can only detect and mitigate FDIA attacks, which is the main focus of this paper.

3. Proposed Method

In general, all crucial data are collected in the monitoring center (MC) as part of the distributed control strategy in DCMGs to evaluate system performance. Since all data are available in the MC, two different DD-based estimators are used in each DG, considering the estimated voltage and current of each DC/DC converter. It is important to note that due to the scalability of the proposed framework, it can be extended for FDI attacks detection and mitigation in a DCMG system with N DGs. The main FDIA detection framework is shown in Figure 2.

The offline phase is associated with the training of ANFIS estimators. The trained ANFIS is implemented in the online phase to estimate the output DC voltage and current of the jth DC/DC converter in a DCMG. Since the output current and voltage vulnerability rate to cyber-attacks in the DCMGs are the same, also for more simplicity, two separate ANFIS models are considered. Using two separate ANFIS for each DG reduces the computational time significantly. It makes the system more efficient in finding the exact place of intrusion, either in voltage or current sensors. The proposed FDIA detection and mitigation framework has five main phases: pre-data acquisition phase, offline training phase, online output prediction phase, online CP detection phase, and mitigation phase.

3.1. Pre-Data Acquisition Phase

In the pre-data acquisition phase, all DGs’ outputs (voltage and current) are collected and combined to form the input vector for the next step in the training phase. The voltage and current outputs of the connected DGs serve as inputs to the ANFISs. All of the acquired data are measured by individual smart meters at the DC bus of the DCMG system. Since the time of FDIA detection is critical for the system’s performance, the quality of input data plays a key role. The input data should be collected at a high sampling rate to have a better training process in the following phases. However, a high sampling rate is directly proportional to the amount of collected data, thereby significantly increasing the computational burden. Therefore, a trade-off decision must be made between the required quality of inputs and the computation burden of the pre-data acquisition. For this purpose, offline simulations were used to collect data for training sets, in various likely scenarios, such as changes in the source input voltage and different load profiles. Hence, a long simulation with a wide diversity of scenarios is conducted by considering all permutations of the likely changes in the DC source voltage and load profiles. According to the number of input variables (four voltages for DC sources and four load values), eight input variables are defined for data collection. Thus, according to all possible permutations of these 8 variables, 8ǃ (=40,320) possible scenarios based on different values for each variable in a range of 0–100% could be defined. After experimenting with various distributions for selecting these input values, the accuracy of the estimators is slightly better when using the Gaussian distribution for modeling input data than other distributions, such as the Laplace and continuous uniform distributions (less than 5% improvement). Therefore, a Gaussian distribution is considered for these possible values. Each of these scenarios is applied to simulation inputs, and 10 different samples are collected as the overall behavior of the system performance from each scenario for the training set. Thus, 40,320 * 10 input samples are collected for each training set.

In addition, for each output voltage and current of the j^th DG units, two training sets ($Tr\_se{t}_j^V$ and $Tr\_se{t}_j^I$) are collected from past historical input and output data to train ANFISs to make accurate dynamic predictions.

$$Tr\_Se{t}_V=\left(\begin{array}{cccc}{V}_1\left(t\right)\hfill & \hfill \cdots \hfill & V_i\left(t\right)\hfill & \hfill y_1\left(t\right)\hfill \\ V_1(t-t_s)\hfill & \hfill \cdots \hfill & V_i(t-t_s)\hfill & \hfill y_1(t-t_s)\hfill \\ V_1(t-2t_s)\hfill & \hfill \cdots \hfill & V_i(t-2t_s)\hfill & \hfill y_1(t-2t_s)\hfill \\ ⋮\hfill & \hfill ⋮\hfill & \hfill ⋮\hfill & \hfill ⋮\hfill \\ V_1(t-p{t}_s)\hfill & \hfill \cdots \hfill & V_i(t-p{t}_s)\hfill & \hfill y_1(t-m{t}_s)\hfill \end{array}\right)$$

(3)

$$Tr\_Se{t}_I=\left(\begin{array}{cccc}{I}_1\left(t\right)\hfill & \hfill \cdots \hfill & I_i\left(t\right)\hfill & \hfill y_2\left(t\right)\hfill \\ I_1(t-t_s)\hfill & \hfill \cdots \hfill & I_i(t-t_s)\hfill & \hfill y_2(t-t_s)\hfill \\ I_1(t-2t_s)\hfill & \hfill \cdots \hfill & I_i(t-2t_s)\hfill & \hfill y_2(t-2t_s)\hfill \\ ⋮\hfill & \hfill ⋮\hfill & \hfill ⋮\hfill & \hfill ⋮\hfill \\ I_1(t-p{t}_s)\hfill & \hfill \cdots \hfill & I_i(t-p{t}_s)\hfill & \hfill y_2(t-m{t}_s)\hfill \end{array}\right)$$

(4)

where p, m, i, t_s and y are the input-memory order, output-memory order, the inputs sample number, the sample time, and the outputs, respectively.

3.2. Offline Training Phase

In this phase, based on the obtained information from the previous step, the offline training of the ANFIS is performed. To achieve better performance and avoid overfitting during the training phase, these data should be randomly divided into three sets: training, validation, and testing. A large number of input data can be considered for the training set, which can be critical in avoiding overfitting, which has negative impacts such as poor prediction and high testing error. The validation data set should be used to evaluate the error immediately after each epoch to reduce the likelihood of overfitting. The training, validation, and testing data set percentages have been set to 70%, 15%, and 15%, respectively. As mentioned before, FIS training depends highly on the input data. Accordingly, the primary FIS is generated by the subtractive clustering method. Then, ANFIS attempts to find a better input–output domain mapping using the hybrid learning method, which is enhanced during the training phase. An error index is considered to measure the training performance and enhance the mapping ability. In Figure 1b, the offline training phase of the proposed method is shown.

3.3. Online Output Prediction Phase

In this phase, for each DG, two trained estimators are utilized to predict the estimated values (${\widehat{V}}_{out}^{D{G}_j}$ and ${\widehat{I}}_{out}^{D{G}_j}$) for actual output voltage ($V_{out}^{D{G}_j}$) and actual output current ($I_{out}^{D{G}_j}$) of each DC/DC converter. In Figure 1c, the proposed online prediction scheme is shown. Two dynamic error signals for each output voltage ($erro{r}_V^{D{G}_j}\left(t\right)$) and current ($erro{r}_I^{D{G}_j}\left(t\right)$) are available for the following steps.

$$erro{r}_V^{D{G}_j}=V_{out}^{D{G}_j}\left(t\right)-{\widehat{V}}_{out}^{D{G}_j}\left(t\right) \approx {\widehat{C}}_j^V\left(t\right)$$

(5)

$$erro{r}_I^{D{G}_j}=I_{out}^{D{G}_j}\left(t\right)-{\widehat{I}}_{out}^{D{G}_j}\left(t\right) \approx {\widehat{C}}_j^I\left(t\right)$$

(6)

In the presence of a cyber-attack, these error signals are nearly equal to the attack values ($C_j^V\left(t\right), C_j^I\left(t\right)$), and in normal mode, when no attack has been detected in the system, they are approximately equal to zero. Here, ${\widehat{C}}_j^V\left(t\right)$ and ${\widehat{C}}_j^I\left(t\right)$ are the attack values’ approximations that are nearly equal to the attack values.

3.4. Online Change Point Detection Phase

During this phase, the FDIA detection scheme should determine the system status, namely normal and attacked, by interpreting the data from the error signals $erro{r}_V^{D{G}_j}\left(t\right)$ and $erro{r}_I^{D{G}_j}\left(t\right)$. By using an OCPD, any CPs in the error signal curves are detected, which is a sign of the presence of an attack in the system. In Bayesian Change Point Detection (BCPD), all sample data should be divided into non-overlapping state partitions, assuming that each state’s data are independent and identically distributed from a probability distribution. Moreover, the BCPD tries to compute the probability distribution of the length of the current “run”, or time since the last CP, using a simple message-passing algorithm [39]. In BCPD, the posterior probability distribution is estimated by defining an auxiliary variable run length $(r_t)$ that shows the elapsed time after the last CP. The probability distribution equation is shown here:

$$P\left(r_t|r_{t-1}\right)=\{\begin{array}{cc}H\left(r_{t-1}+1\right)\hfill & \hfill if r_t=0\\ 1-H\left(r_{t-1}+1\right)\hfill & \hfill if r_t=r_{t-1}+1\\ 0\hfill & \hfill otherwise\end{array}$$

(7)

$$H\left(\tau \right)=\frac{P_{gap}\left(g=\tau \right)}{{{\displaystyle \sum }}_{t=\tau }^{\infty }{P}_{gap}\left(g=\tau \right)}$$

(8)

H(τ) is the hazard function, which is shown as the ratio of probability density over the run to the total sum of probability densities, where $P_{gap}\left(g\right)$ is a discrete exponential distribution with time scale $\lambda$, and $H\left(\tau \right)$ is constant and equal to $\raisebox{1ex}{$1$}\!\left/ \!\raisebox{-1ex}{$\lambda $}\right.$. After calculating the run-length probability distribution, the CP prediction is performed by comparing the run-length probability distribution while updating the probability distribution. A CP occurs when $r_t$ has the highest probability in the distribution. In this step, $r_t$ is reset to zero ($r_t=0$); otherwise, $r_t$ is incremented by one ($r_t=r_{t-1}$). For further details, see [40].

Based on the above procedure, the error signal’s statistical characteristics (probability distribution) begin to change after the first sampling time of the injected FDIA into the systems. It should be noted that any changes in the first error signal indicate the attacked DG. For instance, if the FDIA occurs in a voltage sensor in DG 3, the error signal of the DG 3 output DC voltage starts to change. As mentioned before, this approach not only detects the existence of FDIA in DCMG but also pinpoints the exact location of a cyber intrusion.

3.5. Mitigation Phase

Following the detection of a cyber-attack as well as the location of the intrusion in the cyber layer, the control system attempts to mitigate the negative consequences of FDIA. Because of the possibility of gaining access to both false and estimated output data from the associated attacked DGs, a compensatory action is taken based on the proposed approach below.

$$V_{d{c}_j}^{amended}\left(t\right)=\{\begin{array}{cc}{V}_{d{c}_j}\left(t\right)\hfill & \hfill \left(\mathrm{Normal}\right)\\ V_{d{c}_j}^{attack}\left(t\right)-sign({\widehat{C}}_j^V\left(t\right))|{\widehat{C}}_j^V\left(t\right)|\hfill & \hfill \left(\mathrm{Attacked}\right)\end{array}$$

(9)

$$I_{d{c}_j}^{amended}\left(t\right)=\{\begin{array}{cc}{I}_{d{c}_j}\left(t\right)\hfill & \hfill \left(\mathrm{Normal}\right)\\ I_{d{c}_j}^{attack}\left(t\right)-sign({\widehat{C}}_j^I\left(t\right))|{\widehat{C}}_j^I\left(t\right)|\hfill & \hfill \left(\mathrm{Attacked}\right)\hfill \end{array}$$

(10)

The absolute value of the difference between the attacked and approximation of the actual data (${\widehat{C}}_j^V\left(t\right), {\widehat{C}}_j^I\left(t\right)$) but with the opposite sign is added to the attacked data as a new approximation of the actual data obtained from the neighbors. In other words, the secondary controller receives amended data ($V_{d{c}_j}^{amended}\left(t\right)$, $I_{d{c}_j}^{amended}\left(t\right)$), which are approximately actual and safe instead of false data for the following control subsystem, keeping the system running as if there was no attack.

4. Simulation Results

The test system that is shown in Figure 3 is commonly considered to study attack presence conditions and evaluate the attack detection and mitigation efficiency [13,20]. The system includes four RES units (with DC source) interfaced by DC/DC converters, four impedance distributed lines that connect the DGs, and four DC loads fed by the network. The voltage reference of the DCMG is 315 V. The testbed DCMG’s specification is presented in

Table 1. Specifications of the testbed DCMG.

DGs	DG 1	DG 2	DG 3	DG 4
	𝑃nominal1,2 ≃ 4.7 kW		𝑃nominal3,4 ≃ 3.1 kW
Converter	𝐿𝑖 = 300 μH, 𝐶𝑑𝑐𝑖 = 250 μF
	$I_{d{c}_{1,2}}^{max}=15$		$I_{d{c}_{3,4}}^{max}=10$
Line	T12	T23	T34	T14
	R = 0.5 Ω L = 80 μH	R = 2.5 Ω L = 85 μH	R = 3.3 Ω L = 95 μH	R = 2.3 Ω L = 70 μH
Load	Laod 1	Laod 2	Laod 3	Laod 4
	𝑃𝑙1 ≃ 3.4 kW	𝑃𝑙2 ≃ 3.7 kW	𝑃𝑙3 ≃ 2.9 kW	𝑃𝑙4 ≃ 3.1 kW

.

To evaluate the effectiveness of the proposed framework to deal with FDIs that are not detectable with traditional bad data detection methods, four different attack scenarios including simultaneous abrupt load change and FDI, time-varying FDI, hijacking and Gaussian distributed attacks are introduced with the properties listed in

Table 2. Attack properties.

Scenario No.	Place of Intrusion	Type of Attack (Sine Waves 1, 2, 3 and Gaussian 4)	Period of Attack
1	$D{G}_1^V$	$C_1^V\left(t\right):Amp=5\pm 1.5,Frq=5\pm 1.5 \mathrm{Hz},$ $DC gain=5\pm 1.5$	t = [5.1, 7.3] s
2	$D{G}_2^I,D{G}_4^I$	$C_{2,4}^I\left(t\right):Amp=10\pm 2.5,$ $Frq=5\pm 2.5 \mathrm{Hz},DC gain=4\pm 2.5$	t = [4.0, 6.0] s
3	$D{G}_2^V$	$C_2^V\left(t\right):Amp=15\pm 2.5,$ $Frq=10\pm 2.5 \mathrm{Hz}, DC gain=3\pm 2.5$	t = [5.0, 7.0] s
4	$D{G}_4^V$	$C_4^V\left(t\right): \mu =4.25, \sigma =0.35, DC gain=2.2$	t = [3.0, 5.5] s

. In each scenario, various cases with different attack parameters are considered. However, to preserve the brevity of the paper, one representative case is investigated in each scenario.

4.1. Scenario 1: Abrupt Load Change and FDIA

One of the challenging attack scenarios in FDIA detection is when the attacker injects false data into the network during abrupt load changes, as shown in Figure 4.

For instance, DG 1 is attacked, while loads 4 and 2 increase by 45% and 25% at t = 3.6 and t = 4.6, respectively. Therefore, the FDIA detection method should distinguish between the abrupt load changes and actual intrusion, which is not a straightforward task because of the same instant effects (changes in average output voltage and sharing the current consequently) on the system performance. The output voltage of the DCMG without the attack detection scheme and the output voltage and currents with the attack detection and mitigation control method is shown in Figure 4b for comparison. As shown in Figure 4c, two other abrupt load changes occur before and during an actual intrusion, and the detection method does not consider those as an intrusion. In Figure 4e, the error signals ($erro{r}_V^{D{G}_i}\left(t\right)$) for DGs are presented. Obviously, due to the attack occurrence in voltage sensor data from the connected neighbors in DG 1, the related error signal is the largest and starts to change before the others. In the proposed mitigation scheme, the absolute difference between ANFIS estimates and tampered data with the opposite sign is added to the manipulated unit’s tampered data. These new signals are considered as an approximation of safe data and are given as input to the control system to recover the pre-attack performance. Hence, it is not required to plug out the attacked unit during the intrusion, as manipulated data will not affect the controller’s performance.

4.2. Scenario 2: Time-Varying FDIA in Transmitted Current Sensor Measurement

In this scenario, the injected false data are considered as two sine waves in the current sensor measurements of DG 2 and DG 4. The attacker injects the time-varying false data into the communication layer, while some abrupt load change occurs in the time interval [4.0, 6.0] s, as shown in Figure 5a.

Furthermore, as shown in Figure 5b, two other abrupt load changes occur before an actual intrusion, and the detection system does not consider those as an attack. The output currents when the attack detection scheme does not exist are illustrated in Figure 5b for better comparison. As shown in Figure 5b, for the system without the proposed attack detection framework, DG 2 and DG 4 lose their current-sharing capabilities due to receiving manipulated data from the cyber communication layer in their control units. The error signals ($erro{r}_I^{D{G}_i}\left(t\right)$) for DGs are shown in Figure 5e.

Due to the false data attack occurrence in the current sensor measurements of DG 2 and DG 4, the related error signals (DG 4 and DG 2) begin to change, which may cause some CPs that are detected by the OCPD scheme. Due to various measurement and communication delays in this study, the detecting process in DG 4 is completed earlier than in DG 2.

4.3. Scenario 3: Hijacking Attack

The hijacking attack is one of the most challenging types of FDIA since the actual data are entirely replaced with the fake one. Thus, it does not follow the exact characteristics of the actual data, such as the slope of change and the limited amplitude, as described in Scenario 1. In this scenario, it is assumed that the intrusion is placed on the voltage sensor in DG 2. In Figure 6, the performance of the proposed method is shown in the presence of a hijacking attack on the voltage sensor.

As described in Scenario 1, the results show that the proposed method not only can detect the hijacking attack but also distinguishes between abrupt load changes and intrusions. Based on the attack properties in Table 2, the presence of an attack is detected by the proposed method in DG 2 (Figure 6e); the final status of the detection system in the presence of the intrusion is also shown in Figure 6f. It is worth mentioning that utilizing this method can successfully detect and mitigate all the FDIA even though all units are under attack.

4.4. Scenario 4: Gaussian Distributed Attack

One of the other challenging and common types of FDIA, which is likely to occur in DCMGs, is evaluated in this scenario. In this scenario, the performance evaluation is studied in the presence of a Gaussian-distributed attack. In this attack, the attacker tries to conceal its malicious activities by injecting false data that looks like regular load profile changes and has an almost similar trend to a Gaussian distribution.

Similar to the previous scenarios, the load profile, output DC voltage, and current with and without utilizing the proposed attack detection and mitigation scheme are presented in Figure 7a–c, respectively. As depicted in Figure 7b and all similar graphs in the previous scenarios, it is obvious that the consensus is lost when the attack is injected into the typical DCMG, which is not equipped with an attack detection and mitigation scheme. Finally, the attack detection system’s error analysis and final status in the presence of the Gaussian-distributed FDIA are illustrated in Figure 7e,f, respectively.

5. Conclusions and Future Work

A data-driven-based framework for detecting and mitigating FDIA in DCMGs was proposed in this paper. The proposed method used the ANFIS to estimate the DC outputs of all DGs in a DCMG with 99.40% accuracy. The transient and steady-state error between the estimation and measured data converges to a non-zero value as soon as any false data are injected into the DCMG. Based on the estimation error, the proposed method can not only identify the intrusion’s existence and location but also mitigate the negative consequences of the FDIA in the system. Furthermore, the proposed method does not need to access an extra secure communication line to detect the place of intrusion. It can also detect the various types of FDIA without needing to model those attacks in the training process.

In addition, there is no need to plug out the attacked unit during a malicious intrusion. The proposed method’s performance was validated using real-time simulations in the MATLAB/Simulink environment to evaluate its efficiency and accuracy under different scenarios. The results demonstrated that the FDIA presence and the attacked DG unit are detected and successfully mitigated in both transient and steady-state conditions. Extending the proposed framework by adding an online learning capability for maintaining the system performance over time which also address the scalability issue of the proposed framework are subjects of future studies by the authors.