Joint Detection and State Estimate with GSAs in PMU-Based Smart Grids

Abstract

The Phasor Measurement Unit (PMU) with a GPS signal receiver is a synchronized sensor widely used for power system state estimation. While the GPS receiver ensures time accuracy, it is vulnerable to network attacks. GPS spoofing attacks can alter the phase angle of PMU measurement signals and manipulate system states. This paper derives a power system state model based on PMUs under GPS spoofing attacks, according to the characteristics of changes in bus voltages and branch currents after GSA. Based on the characteristics of this model, a detection and correction algorithm for attacked data is proposed to detect GSA and correct attacked measurements. The corrected measurements can be used for power system state estimation. Simulation results on the IEEE 14-bus system show that the proposed algorithm improves the accuracy of state estimation under one or multiple GSAs, especially when multiple GSAs are present, compared to classical Weighted Least Squares Estimation (WLSE) and Alternating Minimization (AM) algorithms. Further research indicates that this algorithm is also applicable to large-scale networks.

1. Introduction

Phasor Measurement Units (PMUs) based on global positioning system have been widely used in wide area measurement system [1,2]. PMU is an advanced digital instrument used for real-time monitoring of grid operation in smart grids. By installing a PMU on one bus, it can obtain the bus voltage phasor and all current phasors of the branches connected to that bus [3]. PMU data is an important data source for situation awareness, dispatching control, and early warning of modern power systems. Many advanced applications have been developed based on PMU data, such as state estimation, wide area damping control, generator state monitoring, static voltage stability evaluation, etc. Accurate PMU data is a prerequisite for advanced applications.

The PMU uses a common time source for synchronization and can measure the electrical waves on the grid. The PMU does this by converting the analog signals of voltage and current to digital signals and applying anti-alias filters and discrete Fourier transforms to isolate the fundamental frequency components and compute their phase representation [4,5]. This allows obtaining the fundamental frequency amplitude and phase information of the voltage and current signals at each bus in the power system, instead of the actual measurements in conventional Supervisory Control and Data Acquisition (SCADA) systems. When the number of PMUs deployed in the system is sufficient to make the system globally observable, state estimation is only required based on the PMU data [6,7]. In this case, the state of the power system can be expressed in the form of a linear equation that can be solved in a single iteration, which improves the processing speed [8,9]. Replacing nonlinear state estimation with linear state estimation using PMU measurements allows direct manipulation of the Jacobi matrix. The reliability of the simplified model and PMU state variables was explained in [10]. The solution of the linear model is direct and non-iterative.

In recent years, with the intelligent development of power grid and the importance of the power grid security, PMUs have become increasingly important in power system state estimation [10,11,12,13,14,15]. The low reporting rate and complex nonlinear state estimation of traditional SCADA systems for power grids make it difficult to meet high-precision state analysis and real-time safety monitoring. However, PMU can provide synchronized phasor measurements, generating a linear model for state estimation. Their sampling rate is much higher than that of the SCADA system, and it can estimate the state of power system in real-time and quickly respond to abnormal conditions.

Each PMU is equipped with a GPS receiver, which is synchronized using GPS civilian signals, which are not encrypted like the military signals [11,16,17,18]. GPS provides sub-microsecond precision timing [16], which plays a crucial role in the time synchronization of PMU measurements. Wireless communication between civilian receivers and satellites is then vulnerable to cyber attacks. GPS spoofing is caused by transmitters mimicking GPS signals with the intent of altering the GPS time estimated by the PMU’s GPS receiver [19]. These attacks maliciously introduce incorrect timestamps, which leads to incorrect phase angles in PMU measurements [20], making the system state estimation problem nonlinear, counteracting the original motivation for the introduction of PMUs as well as posing a serious threat to the correct state estimation of the power system. The issue of time delay in PMU measurements and its compensation methods have been discussed in [21], but these methods have limited effectiveness compared to GSAs. As a result, GSAs detection and countermeasures are widely studied and methods are proposed to prevent serious destructions to the power system.

2. Prior Work

In recent years, there have been much research on GSA, and the research directions were mostly divided into three categories. They were respectively the feasibility of GSA [22,23,24,25], the impact of GSA on power grid state [19,26], and some solutions for GSA [21,27,28,29,30].

The feasibility details of GSAs were shown in [22,23,24,25]. Shepard et al. [24] have performed field tests of GPS spoofing on PMUs, exposing the vulnerability of PMUs to this malicious attack; by spoofing the GPS signal receiver inside the PMU, the attacker can introduce timing errors, which result in a consequent shift in the phase angle of the PMU, which posed a serious problem for real-time monitoring of the smart grid. Humphreys et al. [22] first implemented GPS spoofing attack in the laboratory and gave a preliminary mitigation method for non-encrypted GSA. Jiang et al. [25] manipulated the acquired GPS signal data, and they found that this operation could change the phase angle of the PMU-measured signal.

However, more research were on the countermeasures of GSA [19,26,27,28,29,30]. Liang et al. [26] comprehensively discussed the theoretical basis of false data injection attacks (FDIA) and gave the most basic defense strategy for FDIA. After measuring and collecting the data provided by the PMUs, a cross-layer detection method was proposed in [19]. Its principle is to use the angle of arrival of GPS as the initial guess, and then detect whether GSA has occurred through the state estimation of the system. Mahapatra et al. [27] proposed a method to detect bad data in PMU measurements during interference. Which was based on the principal component analysis (PCA) method to distinguish the safety data caused by bad data from the manipulation data caused by interference. In particular, Zhang et al. [28] proposed a novel distribution system identification and correction algorithm for simultaneous GSA with multiple PMU positions. The algorithm first analyzed the sensitivity of the residual of the phase angle state estimation under a single GSA, and then used the proposed detection technology identification algorithm to locate the attacked PMU and the shift range of the phase angle after the attack. Finally, the phase shift was determined by minimizing the offset of measurement and system state estimation. PMU is vulnerable to attack because it receives unencrypted civil signals. To solve this problem, Mina et al. [29] proposed a wide-area spoofing detection algorithm for PMU, which used the hybrid communication architecture of NAPSInet. They created conditional signal fragments containing military P (Y) signals, whose precise code sequences are not available to civilian users, thus protecting PMUs from attack from the source. Unlike adding military encrypted signal fragments, Bhamidipati et al. [30] proposed a new algorithm for jointly spoofer location and GPS time using multiple receivers direct time estimation (MRDTE). The experimental results show that it can locate the attacked PMU within a certain range and estimate the time change. For the error synchronization in PMU measurement data, Zhang et al. [21] gave the source of this error, and proposed the method of using the Kalman filter to compensate for this error, which effectively alleviates the error caused by different.

The impact of a GPS spoofing attack on the secure operation of the power grid system was shown in [25]. We can find that once the PMU is subject to GSA, it is impossible to conduct real-time monitoring and correct state estimation of the system, which will bring huge hidden dangers.

For system state estimation, the static estimation method was used to detect attacks of PMU in the power grid [31]. More PMUs were installed in the power grid to make the measurements of the bus redundant, and then various PMU signals are compared mathematically to obtain the GPS attack detection formula [32]. Most of the above literature treats the system as static. The dynamic changes of the system were not considered. Phase shift caused by PMU delay under system dynamic characteristics was considered in [33]. However, this phase shift is not caused by spoofing attacks, but the deployed PMUs come from different standards, protocols, and designs. Siamak et al. [34] also described the attacked power system under the dynamic framework, which was an extension of the dynamic model of the methods in [13,26], and then proposed a method to detect multiple non-constant attacks on the system. By using Kalman filter, this method can estimate the data and measurements of spoofing attack with higher accuracy, and determine the phase shift of spoofing attack. In addition, the traditional measurement model assumed that the incomplete synchronization of PMU was modeled as additive noise [27,35,36,37]. However, according to the numerical example given in [33], if the synchronization error and/or the time between successive synchronizations increase, the traditional estimation method will deteriorate significantly.

In this paper, we consider the introduced multiplicative noise by GSAs in the proposed model, which results in the attacked residuals being greater than the residuals of the nominal system. We propose a spoofing algorithm for attacked data that classifies the attacked data and secure data, and then inputs the attacked data into the proposed data correction algorithm to obtain measurement data under secure residuals. Finally, a static estimation method is employed to estimate the system state using all the data. The main contributions of this paper can be summarized as follows:

• The PMU’s measurement model under GSA attack is derived by comparing changes in bus voltage and branch current before and after the attack.
• According to the characteristic that the measurement residual of PMU data will change after being attacked, an attack detection method is proposed, which can effectively detect one or more GSAs.
• Through the particularity of the matrix in the measurement model, a bad data correction algorithm is proposed to restore the corrected attacked to the security measurements residual range. This method effectively avoids the challenge of coupling two unknown parameters in the model, which is difficult to estimate.

The rest of this paper is organized as follows. Section 3 introduces the security measurement model of PMU and derives the measurement model of PMU after being attacked by GPS spoofing. Section 4 describes the proposed algorithm and explains the simulation environment and implementation. Section 5 presents the simulation results, and our conclusions are peserented in Section 6.

3. System Model

This section summarizes the measurement model for the presence of GPS spoofing attacks in the network. The PMU measurements are correlated by derivation to the network state and the phase angle shift caused by GPS spoofing attacks.

3.1. Measurement Model

We consider a power network with N buses connected via l transmission lines, e.g., the IEEE 14-bus model, that is observed by M PMUs installed on several buses. This collection of measured quantities (in rectangular corrdinate) at bus k is concatenated in a vector ${\mathit{z}}_k\in {\mathbb{R}}^{(2+2l)\times 1}$. The PMU measurements at bus k, which is connected to l different buses, are given by

$$\begin{array}{c}\hfill {\mathit{z}}_k={[U_k^r,U_k^i,I_{k1}^r,I_{k1}^i,\dots ,I_{kl}^r,I_{kl}^i]}^T\end{array}$$

(1)

where $U_k^r$, $U_k^i$ denote the real and imaginary parts of the complex voltage at bus k, respectively. $I_{kl}^r$, $I_{kl}^i$ are the real and imaginary parts of the complex current injected into line $(k,l)$, T is the transpose operator. The system state $\mathbf{x}\in {\mathbb{R}}^{2\mathrm{N}\times 1}$ can be written as

$$\begin{array}{c}\hfill \mathbf{x}={[U_1^r,U_1^i,\dots ,U_k^r,U_k^i,\dots ,U_N^r,U_N^i]}^T\end{array}$$

(2)

Thus, using the bus admittance matrix of the network, ${\mathit{z}}_k$ can be written as a linear function of the system state $\mathbf{x}$:

$${\mathit{z}}_k={\mathit{H}}_k\mathbf{x}+{\mathit{e}}_k$$

(3)

where ${\mathit{z}}_k$ denotes the PMU measurements at the bus k, ${\mathit{H}}_k$ is the admittance matrix associated with a bus at bus k, and ${\mathit{e}}_k$ denotes gauss measurement noise. Thus, the overall PMUs’ measurements are given by

$$\mathit{z}=\mathit{H}\mathrm{x}+\mathit{e}$$

(4)

where $\mathit{z}={[{\mathit{z}}_1,\dots ,{\mathit{z}}_M]}^T$, $\mathit{H}={[{\mathit{H}}_1,\dots ,{\mathit{H}}_M]}^T$, $\mathit{e}={[{\mathit{e}}_1,\dots ,{\mathit{e}}_M]}^T$. In this case, the estimation of the state variable $\mathbf{x}$ can be obtained from the least square estimation (LSE), which is expressed as

$$\widehat{\mathbf{x}}={\left({\mathit{H}}^T\mathit{H}\right)}^{-1}{\mathit{H}}^T\mathit{z}$$

(5)

In the network, the continuous voltage signal on the bus k when the time t is defined as

$${\overline{U}}_k\left(t\right)=U_k\left(t\right)cos(2\pi f_{c}t+{\phi }_k\left(t\right))$$

(6)

where $f_c$ is the frequency, ${\overline{U}}_k$ can be expressed in the form of phasor $U_k\left(t\right)e^{j{\phi }_k\left(t\right)}$, where $U_k\left(t\right)$ denotes magnitude and ${\phi }_k\left(t\right)$ denotes the phase at time t. Since the subsequent analysis of the GPS spoofing attack is based on the data collected at a certain time point, we omit the symbol t in the subsequent formula for simplicity of notation. Therefore, according to its phasor form, it can be obtained that the real and imaginary parts of the complex voltage are

$$U_k^r=U_{k}cos{\phi }_k$$

(7)

$$U_k^i=U_{k}sin{\phi }_k$$

(8)

Here, a branch line is approximated using a $\pi$ model, as illustrated in Figure 1. The admittance matrix relates the complex current flowing in a line with the complex voltages at the buses of the $\pi$ model.

In Figure 1, we denote the susceptance at bus k as $B_k$ and the admittance at branch $(k,l)$ as $y_{kl}$ with

$$y_{kl}=g_{kl}+j{b}_{kl}$$

(9)

where $g_{kl}$ is the conductance and $b_{kl}$ is the susceptance. In this paper, we assume these parameters are known and constant. Therefore, we can calculate the real and imaginary parts of the branch current as follows:

$$I_{kl}^r=(U_k^r-U_l^r)g_{kl}-(U_k^i-U_l^i)b_{kl}-B_k{U}_k^i$$

(10)

$$I_{kl}^i=(U_k^r-U_l^r)b_{kl}+(U_k^i-U_l^i)g_{kl}+B_k{U}_k^r.$$

(11)

3.2. Spoofing Attack Model

Consider attackers can manipulate the synchronization of PMUs through GPS spoofing, such that the time reference of an attacked PMU is delayed or advanced. For each attacked measurement, we consider GPS spoofing attack will shift the phase angle of the phasor $z_n$ by an angle ${\alpha }_n$ while the phasor magnitude is unchanged [25]. Thus the attacked measurement are defined as

$$\begin{array}{c}\hfill z_n^{spf}=z_n{e}^{j{\alpha }_n}\end{array}$$

(12)

where $z_n^{spf}$ denotes the change of measurement under attack. The resulting measurement vector ${\mathit{z}}^{spf}$ is given by

$$\begin{array}{c}\hfill {\mathit{z}}_{}^{spf}={(z_1^{spf},\dots ,z_k^{spf},\dots z_M^{spf})}^T={\mathit{z}}^{spf}\odot \mathit{w}\end{array}$$

(13)

where $\mathit{w}={(e^{j{\alpha }_1},\dots ,e^{j{\alpha }_k},\dots ,e^{j{\alpha }_M})}^T$ is the attack vector, ⊙ is the Hadamard product and if a PMU is security, the shift angle ${\alpha }_n=0$, i.e., $e^{j{\alpha }_n}=1$ can be obtained. Thus, the measurments are still $z_n$. However, the PMU installed on bus k is attacked, and the voltage measurements are

$$\begin{array}{c}\hfill {\overline{U}}_k^{spf}={\overline{U}}_k·e^{j{\alpha }_k}=U_k·e^{j({\phi }_k+{\alpha }_k)}\end{array}$$

(14)

where ${\alpha }_k$ is the phase shift angle caused by the attack, and

$$\begin{array}{c}\hfill {\alpha }_k=2\pi f_c{t}_k\end{array}$$

(15)

where $t_k$ is the time delay of the kth bus due to a spoofing attack. Thus, by transforming (14) in the rectangular coordinates, we can obtain the real and imaginary parts of attacked voltage can be expressed as

$$\begin{array}{c}\hfill {\overline{U}}_k^{spf,r}=U_{k}cos{({\alpha }_k+{\phi }_k)}_{}^{}=U_k^{r}cos{\alpha }_k-U_k^{i}sin{\alpha }_k\end{array}$$

(16)

and

$$\begin{array}{c}\hfill {\overline{U}}_k^{spf,i}=U_{k}sin{({\alpha }_k+{\phi }_k)}_{}^{}=U_k^{r}sin{\alpha }_k+U_k^{i}cos{\alpha }_k\end{array}$$

(17)

Note that trigonometric identities $cos(x+y)=cos\left(x\right)cos\left(y\right)-sin\left(x\right)sin\left(y\right)$ and $sin(x+y)=sin\left(x\right)cos\left(y\right)+cos\left(x\right)sin\left(y\right)$ are introduced in the operation of the above formula. In addition, the delay expression of the current after being attacked are given by

$$\begin{array}{c}\hfill I_{kl}^{spf,r}=(U_{k}cos({\alpha }_k+{\phi }_k)-U_{l}cos({\alpha }_k+{\phi }_k))g_{kl}-(U_{k}sin({\alpha }_k+{\phi }_k)\\ \hfill -U_{l}sin({\alpha }_k+{\phi }_k))b_{kl}-B_k{U}_{k}sin({\alpha }_k+{\phi }_k)\\ \hfill =U_k^r(g_{kl}cos{\alpha }_k-b_{kl}sin{\alpha }_k-B_{k}sin{\alpha }_k)+U_l^r(-g_{kl}cos{\alpha }_k+b_{kl}sin{\alpha }_k)\\ +U_k^i(-g_{kl}sin{\alpha }_k-b_{kl}cos{\alpha }_k-B_{k}cos{\alpha }_k)+U_l^i(g_{kl}sin{\alpha }_k+b_{kl}cos{\alpha }_k)\hfill \end{array}$$

(18)

$$\begin{array}{c}\hfill I_{kl}^{spf,i}=(U_{k}cos({\alpha }_k+{\phi }_k)-U_{l}cos({\alpha }_k+{\phi }_k))b_{kl}+(U_{k}sin({\alpha }_k+{\phi }_k)\\ \hfill -U_{l}sin({\alpha }_k+{\phi }_k))g_{kl}+B_k{U}_{k}cos({\alpha }_k+{\phi }_k)\\ \hfill =U_k^r(b_{kl}cos{\alpha }_k+g_{kl}sin{\alpha }_k+B_{k}cos{\alpha }_k)+U_l^r(-b_{kl}cos{\alpha }_k-g_{kl}sin{\alpha }_k)\\ \hfill +U_k^i(-b_{kl}sin{\alpha }_k+g_{kl}cos{\alpha }_k-B_{k}sin{\alpha }_k)+U_l^i(b_{kl}sin{\alpha }_k-g_{kl}cos{\alpha }_k)\end{array}$$

(19)

Note that since GSA has the same effect on all signals measured by PMU at any time, phase angles of voltage and currents shift are identical [38]. Thus, the measurement of PMU installed at bus k after the spoofing attack is given by

$$\begin{array}{c}\hfill {\mathit{z}}_k^{spf}={\mathit{\tau }}_k{\mathit{H}}_k\mathbf{x}+{\mathit{e}}_k\end{array}$$

(20)

where ${\mathit{\tau }}_k$ is a block diagonal matrix with following submatrix

$$\begin{array}{c}\hfill \mathit{G}=\left[\begin{array}{cc}cos{\alpha }_k& -sin{\alpha }_k\\ sin{\alpha }_k& cos{\alpha }_k\end{array}\right]\end{array}$$

(21)

and the matrix ${\mathit{H}}_k$ can be written as

$$\begin{array}{c}\hfill {\mathit{H}}_k=\left[\begin{array}{cccc}\mathit{I}& 0& \cdots & 0\\ {\mathbf{\Psi }}_{k1}& {\tilde{\mathbf{\Psi }}}_{k1}& \cdots & 0\\ ⋮& ⋮& \ddots & ⋮\\ {\mathbf{\Psi }}_{kl}& 0& \cdots & {\tilde{\mathbf{\Psi }}}_{kl}\end{array}\right]\end{array}$$

(22)

where

$$\begin{array}{c}\hfill \mathit{I}=\left[\begin{array}{cc}1& 0\\ 0& 1\end{array}\right]\end{array}$$

(23)

$$\begin{array}{c}\hfill {\mathbf{\Psi }}_{kl}=\left[\begin{array}{cc}{g}_{kl}& B_k+b_{kl}\\ -B_k-b_{kl}& g_{kl}\end{array}\right]\end{array}$$

(24)

$$\begin{array}{c}\hfill {\tilde{\mathbf{\Psi }}}_{kl}=\left[\begin{array}{cc}-g_{kl}& b_{kl}\\ -b_{kl}& -g_{kl}\end{array}\right]\end{array}$$

(25)

Stacking (20) for all into one large model yields the measurements of all PMUs under attack as

$$\begin{array}{c}\hfill {\mathit{z}}^{spf}=\mathit{\varphi }\mathit{H}\mathbf{x}+\mathit{e}\end{array}$$

(26)

where the measurement error vector $\mathit{e}$ is assumed to be Gaussian $\mathit{e}\sim N(0,{\mathit{\delta }}^2\mathit{I})$, and $\mathit{\varphi }$ is given by

$$\begin{array}{c}\hfill \mathit{\varphi }=\left[\begin{array}{ccccc}{\mathit{I}}_1& & & & 0\\ & \ddots & & & \\ & & {\mathit{\tau }}_k& & \\ & & & \ddots & \\ 0& & & & {\mathit{I}}_{\mathit{M}}\end{array}\right]\end{array}$$

(27)

where $\mathit{I}$ denotes an identity matrix and the presence of ${\mathit{\tau }}_k$ in the diagonal element of the matrix indicates that the kth PMU is attacked. Note that ${\mathit{\tau }}_k$ depends on ${\alpha }_k$, when ${\alpha }_k=0$ (no spoofing attack), identity matrix ${\mathit{\tau }}_k={\mathit{I}}_{2l+2}$ can be obtained. Without given $\mathit{\varphi }$, the solution of the least squares of the state variable $\mathbf{x}$ in (26) is

$${\widehat{\mathbf{x}}}^{spf}={\left({\mathit{H}}^T\mathit{H}\right)}^{-1}{\mathit{H}}^T{\mathit{z}}^{spf}$$

(28)

4. Detection of Attacked Data and State Estimate of System

After collecting all the PMU measurement data, we propose a residual-based detection and correction method for attacked data. The specific steps of the entire algorithm are as follows:

(1) Initialization: Use the measurements of all PMUs to estimate the power system state ${\widehat{\mathbf{x}}}^{spf}$ and calculate the measurement residuals ${\mathit{r}}^{spf}$.

(2) Detection of Attacked Data: Compare the residuals ${\mathit{r}}^{spf}$ calculated in step 1 with the predetermined threshold $\epsilon$. If the norm of the measurement residuals ${\mathit{r}}^{spf}$ is greater than the predetermined threshold, we consider the PMU’s measurements to be generated under attack.

(3) Correction of Attacked Data: Correct the attacked data in step 2. We first estimate the attack angle and then use the special property of the PMU measurement model under attack to easily correct the attacked data.

(4) State Estimate: Use the corrected data and the non-attacked data to estimate the power system state $\mathbf{x}$. The detection and correction of attacked data are mainly composed of two sub-algorithms: the detection of attacked data and the correction of attacked data. We will provide specific details in the following sections.

4.1. Detection of Attacked Data

In Section 3.2, we theoretically derived the measurement model of PMU under GSAs. Equation (26) show that the attack model introduces multiplicative attacked data into the security measurement model. The more simplified relationship between the measurements before and after the attack is

$$\begin{array}{c}\hfill {\mathit{z}}^{spf}=\mathit{\varphi }\mathit{z}\end{array}$$

(29)

Given the security power grid, the measurement residual of PMU is expressed as

$$\mathit{r}=\mathit{z}-\mathit{H}\widehat{\mathbf{x}}=\mathit{z}-\mathit{H}{\left({\mathit{H}}^T\mathit{H}\right)}^{-1}{\mathit{H}}^T\mathit{z}=(\mathit{I}-\mathit{H}{\left({\mathit{H}}^T\mathit{H}\right)}^{-1}{\mathit{H}}^T)\mathit{z}$$

(30)

However, when PMU in the power grid is affected by GSAs, the residual becomes

$${\mathit{r}}^{spf}={\mathit{z}}^{spf}-\mathit{H}{\widehat{\mathbf{x}}}^{spf}={\mathit{z}}^{spf}-\mathit{H}{\left({\mathit{H}}^T\mathit{H}\right)}^{-1}{\mathit{H}}^T{\mathit{z}}^{spf}=(\mathit{I}-\mathit{H}{\left({\mathit{H}}^T\mathit{H}\right)}^{-1}{\mathit{H}}^T){\mathit{z}}^{spf}$$

(31)

Chauhan et al. [39] revealed that when GSAs occur in the power grid, the deviation of the residual error will be caused, which is embodied as $||{\mathit{r}}^{spf}|{|}^2\ge ||\mathit{r}|{|}^2$. However, a necessary condition to be met is that the matrix $(\mathit{I}-\mathit{H}{\left({\mathit{H}}^T\mathit{H}\right)}^{-1}{\mathit{H}}^T)$ must be Semi-positive definite.

Therefore, we can set a residual threshold $\epsilon$ for the measurement data to identify whether certain data is affected by GSA. When the residual error of a measurement is greater than a given threshold, the algorithm considers the PMU of the measured data as being attacked, otherwise the data is secure. For setting the predetermined threshold, as we mentioned in the previous section, the measurement residual increases under GSA attack. Based on this change, we perform Monte Carlo simulations under secure power system conditions and take the maximum measurement residual as the threshold to distinguish between secure and attacked scenarios. The specific simulation process is as follows: we use MATPOWER to simulate a power system, generate PMU measurements using Equation (4), and estimate the power system state using the least squares estimate. We perform multiple simulations and record the maximum residual norm as the threshold $\epsilon$.

4.2. Attacked Data Correction and System State Estimate

In Section 4.1, we used the attack detection algorithm to determine the measurements. If the norm of the measurement residuals is greater than the selected threshold, we correct the measurements in the measurement correction algorithm; otherwise, we can directly use the measurements to estimate the power system state. In this section, specific algorithm is proposed to correct the attacked data so that measurements can also be used for state estimation normally.

Equation (29) shows the relationship between the measurements of a PMU under GSA attack and the secure condition. For simplicity, we only consider an attack on one measurements.

$$\begin{array}{c}\hfill \mathit{\varphi }=\left[\begin{array}{cc}cos\alpha & -sin\alpha \\ sin\alpha & cos\alpha \end{array}\right]\end{array}$$

(32)

where $\alpha$ is the shift angle generated by the attack. According to the property ${cos}^2\theta +{sin}^2\theta =1$ of trigonometric function and the particularity of matrix $\mathit{\varphi }$, (33) can be derived.

$$\begin{array}{c}\hfill {\mathit{\varphi }}^T\mathit{\varphi }=\left[\begin{array}{cc}cos\alpha & sin\alpha \\ -sin\alpha & cos\alpha \end{array}\right]\left[\begin{array}{cc}cos\alpha & -sin\alpha \\ sin\alpha & cos\alpha \end{array}\right]=\left[\begin{array}{cc}1& 0\\ 0& 1\end{array}\right]\end{array}$$

(33)

Therefore, for the attack angles matrix introduced by the attacked measurements, we can obtain

$${\mathit{\varphi }}^T\mathit{\varphi }=\mathit{I}$$

(34)

Inspired by (34), the correction method of the attacked data can be given by

$$\begin{array}{c}\hfill {\mathit{z}}_{new}={\mathit{\varphi }}^T{\mathit{z}}^{spf}\end{array}$$

(35)

where ${\mathit{z}}_{new}$ represents a new measurement ${\mathit{z}}_{new}$ that can be used for normal state estimation obtained by correcting the measurements of the attacked PMU(s). With these data, we can use LSE to estimate the state of the system, that is

$$\begin{array}{c}\hfill \widehat{\mathbf{x}}={\left({\mathit{H}}^T\mathit{H}\right)}^{-1}{\mathit{H}}^T{\mathit{z}}_{new}\end{array}$$

(36)

When a PMU is detected to be under attack, i.e., the residual of its measurements exceeds the given threshold, we use an iterative method to minimize these residuals $||{\mathit{r}}_i||$ and bring this set of data back to the level where safe state estimation can be performed. To this end, the goal of the question is

$$\begin{array}{c}\hfill \underset{\alpha }{minimize}||{\mathit{r}}_{max}^{spf}||\end{array}$$

(37)

The specific steps of the correction and safe state estimation process are as follows:

(1) If the calculated residual norm is less than the predetermined threshold, i.e., the PMU is not under attack, the algorithm outputs the same measurements, which can be directly used for state estimation.

(2) When the measurements are under attack, we estimate the attack angle by solving the objective function (37). The specific method for minimizing the objective function is as follows:

• Firstly, we select the PMU with the largest residual norm, calculate its residual.
• Then give a priori state estimation $\mathbf{x}$, and minimize the objective function with respect to the angle to estimate the attack angle.
• Finally, use the estimated attack angle to correct the phase angle of the PMU’s measurements using equation (29) and update the power system state. Repeat this process until the estimation converges.

(3) Repeat from step 1 until the residual satisfies $||{\mathit{r}}^{spf}||<\epsilon$.

In this way, the difficult problem that the objective function (37) under the coupling of two unknown parameters is a non-convex becomes relatively simple.

We have presented the principles and implementation of the entire algorithm process for attack detection, correction of attacked data, and safe state estimation. The process is summarized in the flowchart shown in Figure 2.

5. Simulation Results

In this section, we conducted numerical experiments on the GSA detection, data correction, and system state estimation methods proposed in Section 3. The main simulation in this paper were conducted on the IEEE 14-bus system. The IEEE 14-bus test system (i.e., Figure 3) is a commonly used standard test system for evaluating the performance of power system load flow calculation and optimization algorithms. It is based on the IEEE standard 14-bus reference model and is widely used in research and applications in the field of power systems. The bus data, line data, and generator data of this test system all conform to the definitions and specifications of the IEEE standard, making it considered as a standard test system. It is extensively used for validating and comparing different load flow calculation algorithms, optimization algorithms, and other power system analysis methods. Using the IEEE standard test system as a benchmark ensures comparability of research and application results and provides a common platform for the academic and industrial communities. MATPOWER is a MATLAB toolbox used for power system load flow calculation and optimization. For the IEEE 14-bus test system, MATPOWER can provide the required buse data (bus number, bus types), line data (line resistance and reactance, etc.), and load flow calculation results (bus voltage magnitude and phase angle, etc.) as requested in this paper. With this data, the system model described in the paper has a standardized and realistic representation.

In addition, in the IEEE 14-bus system attack simulation, the threshold value $\epsilon$ that distinguishes the nominal scenario from the spoofing scenario is set to 0.0215. In all our simulations, we assume that the system bus network are observable.

Table 1. PMU buses for different IEEE bus test case.

Test Case	Number of PMUs	PMU Buses
IEEE 14	6	2,4,6,7,10,14
IEEE 30	12	1,3,5,7,9,10,12
		18,24,25,27,28
IEEE 118	54	1,3,4,5,6,8,9
		11,12,15,17,19,21
		23,25,26,28,30,34
		35,37,40,43,45,46
		49,52,54,56,59,62
		63,65,68,70,71,75
		76,77,78,80,83,85
		86,89,90,92,94,96
		100,105,108,110,114

provides the placement locations of PMUs for different test cases. And in this paper the measurement noise covariance of the PMUs is a diagonal matrix, with a standard deviation of 0.01 for each measurement.

5.1. Attacked Data Detection

In this paper, attacked data detection algorithm uses the residual norm of the measurements as the threshold to distinguish whether data is attacked data generated by GSA. Therefore, the selection of this threshold is very important. We conducted 2000 Monte Carlo simulations for nominal and spoofing scenarios. In the nominal scenario, no modifications were made to the PMU measurements. The highest residual values obtained from static state estimation in these nominal scenarios were utilized as the threshold. Remarkably, during over 1000 simulations of the nominal scenarios, the occurrence rate of instances reaching the maximum residual value is estimated to be around 2 to 3 thousandths of a percent. This suggests that using this threshold to distinguish between secure and attacked data exhibits exceptional robustness. Figure 4 shows the residual norm distributions under different simulation scenarios. The results in Figure 4 clearly demonstrate that the presence of GSA causes an increase in the measurement residuals for PMUs, thus further validating the feasibility of using a set residual threshold to differentiate between attacked and non-attacked systems.

Through the Monte Carlo simulation results, we found that the maximum value of the measurement residual for PMUs under secure conditions is 0.025, which serves as the threshold for differentiating between attacked and non-attacked PMUs based on residual values. The specific method is to generate a series of PMU measurements according to the security measurement Equation (4), then use the traditional static state estimation (5) to estimate the state of the power grid, and finally calculate the measurement residual $\mathit{r}$ under each simulation condition through (30), taking $r_{max}=\epsilon =0.0215$.

Since the GSA process requires special equipment and a long time to achieve, and the actual geographical span of the grid is huge, especially the distance between adjacent substations is long. Therefore, it is difficult to coordinate the generation of GSA in multiple locations or PMUs. Therefore, we first consider that only one PMU is subject to GSA on the system. For a single GSA, we consider that the measured phase of bus 2 has shifted by 12° due to the GSA. We record the measurements of all PMUs of the system under the security state and the attack of a single GSA in Figure 5. For multiple GSAs, we consider that the PMU measurement phase on bus 2 and bus 7 has a phase shift of 12° and 60°, respectively. Figure 6 shows a record of the measurements of all PMUs when the above attack occurs on PMUs on bus 2 and bus 7.

Figure 5 and Figure 6 show the measurements of the system PMU under a single GSA and multiple GSAs, and the measured results of each PMU under the security state. And the scatter diagram shows that when a PMU was attacked, the measurements will have a large deviation from the actual value, which is enough to significantly deteriorate the system state estimation. On the other hand, from the location of the data with obvious deviation, we can also accurately locate the location of the PMUs under attack. At the same time, this also verifies that it is reasonable for us to use the maximum deviation norm threshold to classify the security and attacked data within a certain range.

5.2. Correction of Attacked Data under Different Number of GSA

To observe the effects after correction, for a single GSA, we still take the PMU on bus 2 as an example, which is attacked to produce a 12° phase shift. In the measurement data detection algorithm, we can obtain a dataset of PMU measurements containing attacked data. After correcting these data with the data correction algorithm, a new set of effective measurements ${\mathit{z}}_{new}$ can be obtained, satisfying $||{\mathit{r}}^{new}||<\mathit{\epsilon }$. The data correction process is the same for multiple GSAs. Therefore, the measurement data correction results of two different attack scenarios in Section 5.1 are shown in Figure 6 and Figure 7, respectively. The results in Figure 8 and Figure 9 illustrated that the corrected measurements are almost identical to the true values with very small RMSE, indicating their suitability for power system state estimation for secure operation.

In addition, we apply 1–3 GSAs to the IEEE 14-bus system to study the performance of the algorithm. We take the root mean square error (RMSE) of corrected measurements as the performance metric, and RMSE is defined as $\sqrt{{(\widehat{\mathbf{x}}-\mathbf{x})}^2/n}$, where n represents the number of data samples, $\widehat{\mathbf{x}}$ represents estimated value and $\mathbf{x}$ is actual value.

Figure 9 shows that for the IEEE 14-bus system, the corrected measurements in this paper have a lower RMSE, and the algorithm also has good robustness with the increase of GSAs. Even when the system is subject to three GSAs at the same time, the RMSE of the corrected measurements remains below 0.02.

On the other hand, in our simulation study, we examined the applicability of the algorithm to larger scale networks to showcase its performance on larger networks. We proposed algorithm on the IEEE 14, IEEE 57, and IEEE 118-bus test cases. We performed Monte Carlo simulations in which the number of GSAs are varied from 1 to 3. For each GSA, we perform 100 Monte Carlo simulations in which we randomly spoofed a given number of PMU buses with the attack angles.

Table 2. Comparison of the proposed algorithm, the computation time of the AM algorithm, and the RMSE of the measurements corrected for different GSAs under the IEEE 14, IEEE 30, and IEEE 118-bus test cases.

Test	Scenario	Corrected Measurements	Computation Time (s)	Corrected Measurements	Computation Time (s)
Case		RMSE (pu) of Proposed Algorithm	of Proposed Algorithm	RMSE of AM Algorithm	of AM Algorithm
IEEE 14	1 GSAs	0.0093	0.0294	0.0413	8.4909
	2 GSAs	0.0120	0.1144	0.0429	14.6323
	3 GSAs	0.0158	0.2830	0.0522	21.3417
IEEE 30	1 GSAs	0.0026	0.1426	0.0193	87.9859
	2 GSAs	0.0219	0.2421	0.0396	94.3241
	3 GSAs	0.0413	0.3029	0.0641	107.4123
IEEE 118	1 GSAs	0.0033	0.1487	0.0137	91.3233
	2 GSAs	0.0057	0.4023	0.0366	122.4132
	3 GSAs	0.0068	0.7011	0.0539	129.5605

presents the RMSE in the corrected measurements obtained from AM and proposed algorithms. The RMSE of proposed algorithm corrected measurements is smaller than AM for all test cases under multiple GSAs. In addition, Table 2 gave the computation time of all algorithms for 100 Monte Carlo simulations. The computation time of the proposed algorithm is less than AM in all the test cases. The computation time of the proposed algorithm increases with the increase of GSA as it is an iterative estimator that mitigates one GSA at a time. For the scenario with 3 GSAs, the maximum computation time observed in the IEEE 118-bus test case is 0.0068 s. It is worth noting that all simulation tests were conducted in real-time calculations. This demonstrates that the proposed algorithm performs effectively when applied to large-scale networks and real-time monitoring.

5.3. State Estimate of System with Different Number of GSAs

In the previous section, we used the attacked data correction algorithm to correct the data damaged by GSA into secure data within the specified threshold range. Then we can use these data to estimate the state of the system through (36). We compared the proposed algorithm in this paper with the Alternating minimization (AM) [20] algorithm and the traditional weighted least square (WLS) algorithm under the influence of 1–3 GSAs. The results are shown in Figure 10 and Figure 11.

The results in Figure 10 and Figure 11 show that the proposed algorithm in this paper has a small RMSE for different GSAs. Even under three GSAs, the RMSE of voltage amplitude is below the same order of magnitude. The proposed algorithm can be well used in the process of system state estimation under GSAs.

6. Conclusions

This paper proposes a detection and data correction algorithm for the measurement data deviation caused by the GSAs of PMUs in the power grid, and uses the corrected data to estimate the system state. Through the simulation test on IEEE 14-bus system, we observed that the algorithm can detect the location of GSAs and the corrected data are very close to the original real measurements. And the root mean square error of the system state estimation for the corrected data is also very small, which greatly improves the estimation accuracy. In the generalized simulation, we also found that the algorithm is also applicable to larger scale networks.

Subsequent research will consider the study of the problem under different PMU placements, and develop a new joint estimation algorithm to estimate the two coupled unknown parameters in the model more accurately.