Network Security Challenges and Countermeasures for Software-Defined Smart Grids: A Survey

Abstract

The rise of grid modernization has been prompted by the escalating demand for power, the deteriorating state of infrastructure, and the growing concern regarding the reliability of electric utilities. The smart grid encompasses recent advancements in electronics, technology, telecommunications, and computer capabilities. Smart grid telecommunication frameworks provide bidirectional communication to facilitate grid operations. Software-defined networking (SDN) is a proposed approach for monitoring and regulating telecommunication networks, which allows for enhanced visibility, control, and security in smart grid systems. Nevertheless, the integration of telecommunications infrastructure exposes smart grid networks to potential cyberattacks. Unauthorized individuals may exploit unauthorized access to intercept communications, introduce fabricated data into system measurements, overwhelm communication channels with false data packets, or attack centralized controllers to disable network control. An ongoing, thorough examination of cyber attacks and protection strategies for smart grid networks is essential due to the ever-changing nature of these threats. Previous surveys on smart grid security lack modern methodologies and, to the best of our knowledge, most, if not all, focus on only one sort of attack or protection. This survey examines the most recent security techniques, simultaneous multi-pronged cyber attacks, and defense utilities in order to address the challenges of future SDN smart grid research. The objective is to identify future research requirements, describe the existing security challenges, and highlight emerging threats and their potential impact on the deployment of software-defined smart grid (SD-SG).

1. Introduction

The need for increased electricity usage, declining infrastructure quality, and growing concerns about reliability have prompted the development of grid modernization and the implementation of smart grids (SGs) as replacements for traditional power networks. According to the US Department of Energy, SGs will enable utility companies to perform wide-ranging data collection and implement widespread electrical system control in real time, resulting in more reliable electricity for all grid users. Traditional power grids are hindered by obsolete and unreliable equipment, as well as the need for manual administration and frequent power outages. However, the implementation of SGs brings with it a range of contemporary technologies, such as Internet of Things (IoT) sensors, analytic processes that incorporate machine learning, and advanced control systems. These technologies enable more efficient monitoring and management of energy consumption, generation, and distribution [1]. There are still several challenges in SGs, such as the time-consuming and tedious need for manual network administration. Furthermore, SG networks are made up of hardware and software from various vendors, which can result in interoperability issues for contact between those devices.

Presently, ongoing research has suggested the utilization of software-defined networking (SDN) methods to enhance the performance of SGs [1,2]. SDN is a network design methodology that enables the intelligent control and programming of networks. This is achieved by the utilization of software applications and a distinct network controller function, which is independent of the network’s data transport capabilities. This enables more flexibility, agility, and scalability in the management of network infrastructure [3].

Figure 1 illustrates a software-defined smart grid (SD-SG) architecture. A software controller with centralized control handles and configures all devices and protocols in the SG network. The application plane enables real-time monitoring and analysis, making it easier to proactively detect and resolve faults in the SG network [4]. The upper-layer analysis and control functions can then be used to implement SG network policy in terms of data movement or storage, telecommunications, energy movement or storage, and customer prioritization. Although current SDN research offers broad security response solutions, SD-SGs are vulnerable to many utility-specific cyberattacks, such as distributed denial of service (DDoS), illegal access, and false data injection [5]. Furthermore, the use of SDN increases the susceptibility of the SD-SG to additional weaknesses, particularly aimed at compromising the controller or other designated elements of the SDN network. The possible shortcomings of incorporating SDN into SGs include the risk of having a single point of failure, the requirement to upgrade communication devices to SDN-enabled devices, the additional communication overhead of SDN controller(s), and the increased security demands of the SDN controller. When constructing and planning a communication infrastructure for an SD-SG system, the network operator and designers must take these factors into account.

SGs have a significant impact on the lives of many people. Renewable energy sources play a crucial role in providing power to residential areas, supporting commercial enterprises, and aiding service providers in satisfying the escalating requirements for sustainable energy. SG technology has a significant impact on how we live and conduct our daily lives, and it is thoroughly interwoven in our modern lifestyles. Hence, cyberattacks in an SD-SG system can result in significant repercussions, such as power disruptions for customers, extensive service interruptions, and substantial financial losses for providers [6].

There is a demand for a comprehensive examination that consolidates, condenses, and evaluates these methods for the advancement of future endeavors. Previous studies on security in smart grid networks either provide limited coverage of network security; are now obsolete and lack up-to-date techniques and attack types; or at the time focused solely on one specific type of cyberattack, such as denial of service (DoS), and/or one particular defense strategy per study [1,7,8,9,10,11]. This survey addresses this gap by offering an in-depth, up-to-date survey of existing cyber threats to SD-SG networks, as well as unique future directions and open problems for SD-SG network security research. The survey’s contributions are as follows:

• It is an up-to-date study on cyberattacks targeting SD-SG and the latest methods used to mitigate them.
• It provides a contemporary discussion of defense systems that consider multi-pronged cyberattacks and defenses that can be applied to various types of SD-SG networks.
• It involves a review of open challenges of SD-SG cybersecurity and potential mitigation techniques for emerging cyberattacks such as low-rate denial of service, controller botnet attacks, and black hole attacks for SD-SG network security.

Figure 2 displays a diagram illustrating the overall structure of this article. The green boxes denote the main section headings, which are then followed by the subsection headings in either blue, purple, or red. The subsequent sections of the paper are structured as follows: Section 2 presents the foundational information on SDN and SD-SG. Section 3 provides an overview of previous surveys that are relevant to this work and emphasizes the unique contributions made by this work. Note that

Table 1. List of acronyms and definitions.

Acronyms	Definitions
SG	Smart Grid
SD-SG	Software-Defined Smart Grid
SDN	Software-Defined Networking
DDoS	Distributed Denial of Service
LDoS	Low-Rate Denial of Service
ICT	Information and Communication Technologies
SDWSNs	Software-Defined Wireless Sensor Networks
HANs	Home Area Networks
NANs	Neighborhood Area Networks
WANs	Wide Area Networks
API	Application Programming Interface
ForCES	Forwarding and Control Element Separation
PCEP	Path Computation Element Communication Protocol
NetConf	Network Configuration Protocol
I2RS	Interface to Routing System
FML	Flow-Based Management Language
RESTful	Representational State Transfer
ALTO	Application-Layer Traffic Optimization
NVP	Nicira Network Virtualization Platform
QoS	Quality of Service
OVSDB	Open vSwitch Database Management
BC	Blockchain
POF	Protocol Oblivious Forwarding
P2P	Peer-to-Peer Communication
RNNs	Deep Recurrent Neural Networks
BiLSTM	Bidirectional Long Short RNN
SCADA	Supervisory Control and Data Acquisition
MTD	Moving Target Defense
IDS	Intrusion Detection System
HIDS	Host IDS
SIDS	Signature-Based IDS
AIDS	Anomaly-Based IDS
ML	Machine Learning
SD-CPC	Software-Defined Controller Placement Camouflage
VSFs	Virtual Security Functions
RED	Random Early Detection
TCP	Transmission Control Protocol
AQM	Active Queue Management
C&C	Command and Control Channel
DNS	Domain Name System
DDNS	Dynamic DNS
WSNs	Wireless Sensor Networks
MANETs	Mobile Ad Hoc Networks
SDDCs	Software-Defined Data Centers
CECD-AS	Cross-Layer Ensemble CorrDet with Adaptive Statistics
FDI	False Data Injection
TCP-SYN	Transmission Control Protocol—Synchronize
TSA	Time Synchronization Attack
MITM	Man in the Middle
DR	Demand Response
FS	Frequency Stability

presents a list of acronyms and their definitions used throughout the paper. A literature review of the SD-SG network security of DDoS/DoS, SDN controller attacks, and multi-pronged cyberattack threats and defense mechanisms is discussed in Section 4, Section 5 and Section 6, respectively. Next, Section 8 presents a discussion of emerging threats on the horizon of SD-SG security solutions. In Section 9, we discuss the open challenges of current SD-SG security solutions. Lastly, the paper is concluded in Section 10.

2. Background

Network security is a critical component of SG systems, which are interconnected with and reliant on communication networks [12,13]. SG systems enhance transparency and accessibility for energy providers, enabling the efficient real-time monitoring and management of energy consumption [14]. They also enable utility companies to offer customers real-time feedback on their energy usage, empowering them to make well-informed decisions regarding energy consumption [15]. These qualities arise from a strong interconnection between the power grid and networking components in SG designs [5,16,17]. Regrettably, the extensive interdependence among components in the system makes it very susceptible to cyberattacks. In such settings, a network attack has the potential to modify the functioning of the power grid [5]. Moreover, as the SG infrastructure expands, the network becomes more complex, necessitating the use of advanced management tools and expertise to effectively handle network performance [18] in terms of energy demand and supply, network management, customer service, monitoring and control, and real-time data delivery to various locations [19].

Managing the complex infrastructure of an SG system can be a daunting task with traditional networking, requiring significant manual intervention and human resources [1]. On the other hand, SDN research has shown rapid improvements and discoveries since its public launch in 2009. SDN has enhanced the utilization, efficiency, and flexibility of network services while also reducing the cost of maintenance when compared to traditional networks [20].

Table 2. Comparison of survey articles on SD-SG network security: ✓ indicates that the topic is covered, * indicates that the topic is partially covered, and — indicates that the topic is not covered.

References	Publication Year	DDoS/DoS Attacks	Controller Attacks	Defense Techniques for Each Cyberattack	Defense System Considers Multi-Pronged Attacks	Emerging Threats
[1]	2019	—	*	*	—	—
[7]	2017	*	—	—	—	—
[8]	2015	—	*	*	—	—
[9]	2019	*	—	*	—	—
[10]	2018	✓	—	*	—	—
[11]	2015	—	—-	*	—	—
This Survey	2023	✓	✓	✓	✓	✓

shows the current research efforts that have proposed the use of SDN techniques to improve SG network security and performance [1,2].

2.1. Software-Defined Networking (SDN)

SDN is a network management structure that enables the user-controlled management of forwarding in network nodes. SDN developed over several decades and was realized by researchers at Stanford University [21,22,23]. SDN has the following characteristics, as illustrated in Figure 3:

• The control plane and data plane are independent of one another.
• The controller functions as the primary decision-making and external component. Its primary function is to manage the flow of traffic throughout the network and ensure the network’s operational status.
• Forwarding decisions are based on flow policies and not the destination. A flow represents a common set of instructions for the exchange of packets between a source and a destination. SDN controllers provide policies that are used to establish flow tables. The flow tables are then implemented by forwarding devices.
• The network can be configured using software programs that operate on top of the SDN controller.
• Application programming interfaces (APIs) facilitate the transfer of data between the different layers of the SDN system.

The infrastructure layer consists of routers, switches, and access points, as depicted in Figure 3. This layer represents the tangible network equipment within the network and is responsible for the data plane. The controller utilizes southbound programming interfaces, such as OpenFlow [24], ForCES [25], PCEP [26], NetConf [27], or I2RS [28], to communicate with the data plane. These interfaces enable the controller to send instructions to switches and routers. In the presence of several controllers, they establish communication with each other through eastbound and westbound APIs, commonly referred to as east/west APIs, such as ALTO [29] or Hyperflow [30]. This enables the controllers to uphold a comprehensive perspective of the network. The highest layer is the application plane. Within this layer, the network operator can establish the guidelines for the network, based on the functional applications for different tasks such as optimizing energy usage, regulating access, managing mobility, and ensuring security. The application layer conveys policies to the network by utilizing northbound APIs, such as FML [31], Procera [32], Frenetic [33], and RESTful [29], through the control layer. The network operator can utilize these APIs to transmit the required modifications to the control layer, enabling the controller to implement the necessary adjustments in the infrastructure layer based on the desired outcomes.

SDN differs from traditional networks in that flow management, or flow policy, is determined by the forwarding devices. The sole method to modify this policy is through the actual reconfiguration of the devices themselves. Due to these obstacles, network management strategies in conventional networks lack flexibility and are challenging to expand. SDN provides the capability to rapidly modify data flows, allowing network operators to effectively address evolving traffic requirements.

2.2. Software-Defined Smart Grid (SD-SG)

SD-SGs use SDN to improve bus communication, network topology organization, security, and grid network visibility and control. SDN data analytics can also be used by SD-SGs to manage grid communication. Figure 1 provides a comprehensive picture of the integration of SDN within an SG system. Each level in relation to SD-SGs can be characterized as follows:

• Infrastructure/Data Layer: The data layer facilitates the movement of data amongst SG entities, including energy producers, servers, power transmission lines, and private/commercial users. The data are sent to programmable SDN-based switches and routers to be directed to the desired destination. The control layer enforces routing decisions through its policies.
• Control Layer: The advanced distribution management system (ADMS) and the SDN controller(s) make up the control layer. The ADMS includes supplementary control and data acquisition (SCADA), distributed energy resource management (DERMS), and a distribution management system (DMS) to monitor the smart grid system. Receiving system data from the application layer and returning those data to it is the role of this layer.
• Application Layer: The application layer receives data from the lower two tiers of the system to verify that the system is functioning in line with the policies set by the control layer. It carries out statistical analysis, load balancing, mobility management, flow filtration, security monitoring, and real-time system monitoring and analysis.

Although current SDN research offers network management capabilities, including security response and solutions, SD-SGs are vulnerable to various utility-specific cyberattacks such as DDoS unauthorized access and false data injection [5]. In addition, an SD-SG will introduce additional attacks that specifically target the controller or other aspects of the SD-SG network, to gain control over the entire system [6].

2.3. SD-SG Cyber Threats

Studies in the domain of SD-SG security have investigated numerous types of attacks. Through a thorough examination of the literature on security protocols based on SDN, we have identified the primary types of attacks, which may be classified into the following categories, as depicted in Figure 4:

• Distributed Denial of Service (DDoS): A DDoS/DoS attack involves launching a coordinated attack from multiple nodes on a target with the aim of overwhelming the server’s resources, rendering it incapable of responding to valid requests [34].
• Controller Attacks: SDN networks’ controllers are susceptible to many threats, such as DoS, hijacking, and illegal access [3,35]. These attacks seek to exploit the centralized nature of SDN controllers, which creates a single point of failure. Thus, for simple, centralized, SDN controller architectures, these attacks can disrupt the entire network by attacking the controller.
• Multi-Pronged Attacks: Multi-pronged attacks involve multiple cyberattacks of different types. An attacker can launch cyberattacks (e.g., DDoS/DoS and controller attacks) on a network without authorization. Very few researchers have investigated multi-pronged attacks against SD-SGs [36].
• Grid Balancing Attacks: Grid balancing attacks refer to the various techniques employed by adversaries to disrupt the demand response (DR) and frequency stability (FS) of SD-SG by initiating cyberattacks, including deception cyberattacks (DCAs), DoS attacks, delay attacks, and replay attacks.

Next, we examine the research field concerning cyberattacks, which is outlined in Figure 4.

Figure 4. Taxonomy of SD-SG network security: cyberattacks and defense techniques (Current focus of research literature: DDoS/DoS Attacks Defense Techniques [37,38,39,40,41,42,43,44,45,46,47,48,49,50]; SDN Controller Attacks Defense Techniques [51,52,53,54,55]; Multi-Pronged Attack Defense Techniques [5,17,36,56,57,58,59,60]; Grid Balancing Attacks Defense Techniques [61,62,63,64,65]).

Figure 4. Taxonomy of SD-SG network security: cyberattacks and defense techniques (Current focus of research literature: DDoS/DoS Attacks Defense Techniques [37,38,39,40,41,42,43,44,45,46,47,48,49,50]; SDN Controller Attacks Defense Techniques [51,52,53,54,55]; Multi-Pronged Attack Defense Techniques [5,17,36,56,57,58,59,60]; Grid Balancing Attacks Defense Techniques [61,62,63,64,65]).

2.4. SD-SG Practical Applications

To our knowledge, there are currently no smart grids in operation that have implemented SDN yet. However, a number of studies [66,67,68,69,70,71] recommend the implementation of SDN to enhance the capabilities and enhance quality of service (QoS) of smart grid communication networks by utilizing SDN’s ability to configure and manage communication topology and parameters during future operations. Various previous studies have investigated and verified the benefits of network performance of SD-SG in various size IEEE-bus (i.e., 14-300) systems that reflect real-world applications [5,66,67,72,73,74,75,76,77]. SDN offers enhanced security, adaptability, observability, scalability, and control, which can enhance communication performance across networks of different sizes [1,3,9,78,79,80]. Thus, SDN can offer these advantages compared to conventional approaches when implemented in smart grids of different scales, ranging from small to large (i.e., IEEE 9-300+ bus systems).

Figure 5 depicts an attack scenario on an integrated SDN communication network for the IEEE 14 bus system, presented in a study by Qu et al. [77]. The network includes six switches, four phasor measurement units (PMUs), and two phasor data concentrators (PDCs). In this instance, the attacker takes over the management of PDC 5 located at switch 5. PMUs 2 and 6 send measurement data to PDC 5, whereas PMUs 7 and 9 send measurement data to PDC 4. If an assailant manages to breach the communication integrity of PDC 5, the PMU measurements at buses 2 and 6 will be unable to be relayed to this PDC. Consequently, the control layer experiences a reduction in the system’s observability and efficiency. This figure demonstrates how legacy smart grid systems could be updated and targeted by attackers in future operational integrations. Moreover, Nafi et al. [81] propose an example integration of SDN architecture of a neighborhood area network (NAN) of smart meters. The sensor nodes are deployed in customers’ premises to form home area networks (HANs), building area networks (BANs), or industrial area networks (IANs). One NAN is created when these networks are combined. The sensor nodes and smart meters in a NAN are connected to SDN-enabled switches (SDSWs), as discussed in Nafi et al. [81]. The switches are managed by a hierarchical system of controllers, with the NAN controller/gateway acting as the primary access point for the control plane of the NAN. SDN controllers, which monitor traffic flows by providing directives for packet forwarding, are connected to the switches. The flow table within a switch stores the packet forwarding instructions received from the controller. This example demonstrates how the future integration of SDN for NANs might be controlled and viewed.

3. Related Work

This survey explores the analysis of network security vulnerabilities and strategies for protecting SD-SGs, including complex cyberattacks. Table 2 presents a summary of the comparison between this work and other related survey articles. The existing literature has provided limited coverage of these themes, and as far as we know, it has not addressed multi-pronged cyberattacks.

Table 3. Topics explored in this software-defined smart grid security survey.

Main Domain	Sub-Topic: Cyberattack	References
	DDoS/DoS	[37,38,39,40,41,42,43,44,45,46,47,48,49,50]
SD-Smart Grid Security	SDN Controller	[51,52,53,54,55]
	Multi-Attack	[5,17,36,56,57,58,59,60]
	Grid Balancing	[61,62,63,64,65]
	DDoS/DoS/PhysicalDoS (PDoS)	[82,83,84,85]
	Spoofing, Sniffing, and Message Relay	[86,87,88,89]
	MITM, Eavesdropping, and Homograph	[90,91,92,93,94]
	Meter Manipulation and Theft	[95,96,97,98]
	FDI	[99,100,101,102]
	Impersonation, Session Key Exposure, and TSA	[103,104,105,106,107,108]
Smart Grid Security	TCP-SYN Flooding	[109,110,111,112]
	Jamming	[113,114,115,116,117,118]
	RAM Exhaustion/CPU Overload	[119,120,121]
	Brute Force	[122,123,124,125]
	Message Replay, Covert	[126,127,128,129,130,131]
	Sybil	[132,133,134,135]
	Multi-Attack	[136,137,138,139]

provides an overview of the relevant literature on both SG and SD-SG security. This study specifically addresses the security of SD-SG networks and the persistent threats they face. Therefore, any related work that pertains to the general security of SG networks, shown in Table 3, is not within the scope of this paper. In addition, this article takes into account the relevant literature that has been published within the five years leading up to the publication date of the study. This is done to ensure that we examine the most up-to-date research and solutions. This section offers a comprehensive examination of the relevant literature and surveys on SD-SGs, emphasizing the specific components that are absent in previous surveys but are addressed in this paper.

Ibdah et al. [7] examine the shortcomings associated with employing SDN in SG systems. The authors commence by providing a detailed description of the structure of SDN-based SG systems, along with an analysis of the security vulnerabilities linked to this particular technology. Their study presents a security framework consisting of five components for SDN-based SG systems: secure communication, secure data storage, secure computing, secure authentication, and secure access control. The authors provide a comprehensive analysis of each of these components and their potential applications in SDN-based SG systems. The authors employ the Mininet network simulator to simulate the efficacy of their proposed security system. The simulation demonstrates the efficacy of the proposed framework in mitigating a range of security attacks, including DoS attacks, data manipulation, and unauthorized access. While the authors do touch upon the security of SD-SG systems, their presentation is concise and mostly centers around DDoS attacks and their framework proposal. The researchers do not offer an exhaustive analysis of SD-SG security, unlike our survey.

Abujubbeh et al. [9] examine the utilization of software-defined wireless sensor networks (SDWSNs) in SGs. The authors start by outlining the benefits of SDWSNs in comparison to conventional wireless sensor networks, including enhanced flexibility, scalability, and adaptability. Their paper introduces an SDN architecture designed for SDWSNs in SGs, aiming to establish a centralized control layer for network administration. The authors delineate the architecture’s diverse constituents, including sensor nodes, SDN controllers, and network infrastructure. Furthermore, their article examines the diverse obstacles that SDWSNs encounter in SGs, including security, energy efficiency, and network dependability. The authors highlight the significance of surmounting these obstacles to efficiently utilize SDWSNs in SGs. Unlike their survey, this study offers a concise analysis of DDoS attacks and associated defense strategies while excluding other network security risks highlighted in the survey. Moreover, this work specifically focuses on SDWSNs rather than broad SD-SG systems.

Kim et al. [11] examine the development of SG infrastructure and the possibility of SDN to facilitate improved SG functionalities. The authors commence by providing an overview of the SG infrastructure and the pivotal role played by information and communication technologies (ICTs) in facilitating enhanced functions such as demand response, distribution automation, and advanced metering. The report presents an analysis of the challenges encountered by conventional SG infrastructures, including those related to interoperability and adaptability. Their study suggests employing SDN to overcome the difficulties encountered by conventional SG infrastructures while simultaneously facilitating the implementation of sophisticated features. The authors delineate the distinct constituents of an SDN-enabled SG architecture, including the SDN controller, network infrastructure, and applications. The authors examine the possible benefits of an SDN-enabled smart grid architecture, including enhanced dependability, security, and energy efficiency. The use scenarios in which SDN can provide sophisticated capabilities, such as dynamic load balancing and network slicing, are emphasized. However, their paper fails to discuss the issues of DDoS and controller attacks in depth. It simply provides a quick introduction to anonymity/intrusion attacks and defense strategies, which are all covered in this study.

Rehmani et al. [1] provide an extensive analysis of the existing literature on SDN in SG communications. The authors analyze the difficulties presented by SGs and explore how SDNs can aid in surmounting these hurdles. Their article investigates the advantages of SDN-based communication for SGs, encompassing improved network performance, efficient resource management, and greater security. The authors conduct a thorough examination of current SG communication systems that utilize SDN, encompassing their structures, protocols, applications, and security measures. In addition, their report highlights unresolved research topics and obstacles that need to be addressed to enhance the efficiency of SDN-based communication in SGs. It offers valuable knowledge about technologies and highlights potential areas for future study and development. Nevertheless, the security portion cited in the article offers just a concise summary of the security aspects of SD-SGs, and the cited papers on security are currently outdated. Additionally, their article lacks a comprehensive analysis of potential future research endeavors on security vulnerabilities in SD-SG systems.

Akkaya et al. [8] examine the implementation of software-defined networking (SDN) in wireless local networks (WLANs) for SG applications. The authors commence by delineating the challenges that conventional WLANs encounter when accommodating SG applications, including issues related to scalability, dependability, and security. Their study introduces an SDN architecture for wireless local area networks (WLANs) in SG applications. This design incorporates a centralized control plane that can adaptively reconfigure the network in response to evolving requirements. The authors provide a comprehensive description of the proposed architecture, outlining the different components and their respective functions. They employ an NS-3 network simulator [140] to evaluate the efficacy of the SDN-based design. The simulations demonstrate that the suggested architecture surpasses conventional WLANs in terms of network performance, resource utilization, and security. The researchers examine the pertinent security factors for each deployment scenario as they advance. Nevertheless, they solely focus on analyzing anomaly/intrusion detection systems while only briefly addressing controller attacks. Their study lacks a discourse on DDoS attacks or the defensive methodologies for the attacks discussed in this research.

Demirci et al. [10] propose the utilization of SDN as a means to enhance the security of SG systems, as stated in their study. The authors analyze the difficulties faced by traditional SG systems, including the absence of network traffic visibility and control, which hinders the ability to identify and address security issues. Their paper presents a security framework for SG systems that utilizes SDN technology. The framework comprises three essential components: network visibility, policy enforcement, and threat detection and response. The authors offer a comprehensive explanation of each of these elements and examine their potential implementation through the use of SDN. In order to assess the effectiveness of the suggested framework, the authors simulate their networking using the Mininet tool [141]. The simulation illustrates that the suggested architecture can improve network visibility, policy enforcement, and threat detection and response compared to traditional SG systems. Nevertheless, their study prioritizes the presentation of their framework rather than providing an extensive analysis of the network security of SD-SGs. The authors provide a brief analysis of DDoS attacks while only briefly mentioning anomaly/intrusion attacks and response measures for each attack. In comparison, this survey offers a more comprehensive examination of network security concerns. In addition, the existing literature fails to describe any controller attacks.

Specific Contributions of This Study

Table 2 illustrates the range of prior research that has discussed SD-SG network security. The aforementioned discussions often provided concise segments about SD-SG security within a broader survey or study. However, a comprehensive examination of SD-SG security has remained absent until the present study. Moreover, the prior studies on SD-SG, as evidenced by Table 2, have presented fragmented discussions of SD-SG attacks and their defense techniques.

Since SD-SGs differ from traditional SGs in terms of defense techniques and attack threats, it is critical to conduct a thorough assessment that covers a wide range of SD-SG-specific attacks and their corresponding response techniques and consolidates them into a single manuscript. This study offers a comprehensive analysis of DDoS/DoS, SDN controller, multi-pronged, and grid-balancing attacks that explicitly aim at the SDN communication architecture of SD-SG infrastructure, in contrast to prior studies. Furthermore, this survey fills a gap in the current literature by providing an in-depth examination of security systems that handle the challenges of multi-pronged cyberattacks and offer sufficient comprehensive protection for SD-SG networks.

In addition, current surveys have not examined the new and developing risks to SD-SG network security, such as low-rate denial of service, controller botnet attacks, and black hole attacks. This study specifically addresses these emerging threats and offers potential methods for mitigating them, as detailed in Section 8. This study also addresses the unresolved issues surrounding network resilience following a cyberattack, the confidentiality of network data, the dependability of network defense systems, and the flexibility of network solutions in Section 9. Through these contributions, our work sets itself apart from prior surveys.

4. DDoS/DoS Attacks

As previously mentioned, denial-of-service (DoS) attacks can be used to overwhelm certain target nodes or SD-SG components in order to damage them or force a complete shutdown. DDoS attacks can cause severe damage to SD-SG systems and have become increasingly popular among cyberattackers who target SDN frameworks because of their simplicity [142]. Several countermeasures have been suggested to mitigate DDoS/DoS attacks, such as utilizing blockchain technology, employing machine learning (ML) algorithms, leveraging aspects of SDN, and implementing moving target defenses. Blockchain methodologies can enhance network security by verifying network traffic and the conduct of nodes. Nevertheless, the existing limitations entail the need for recording, storing, and confirming the blockchain process, which might introduce additional burdens and stress to the system.

There is currently a need for the development of a blockchain system that is both lightweight and capable of safeguarding an SD-SG against DDoS/DoS attacks while also allowing for the recovery of nodes. ML models can be trained to identify DDoS/DoS threats; however, they are ineffective in identifying DDoS/DoS attacks initiated through zero-day flaws or utilizing techniques that the model has not been trained and tested on. It may not be practicable to consistently update trained machine learning solutions with the newest accessible data. There is currently a need to establish a strong machine learning model that can accurately identify new DDoS/DoS attacks and offer methods to recover affected nodes. Proposals have been made for techniques such as access control and rate restriction, distributed software-defined networking topologies, and graph learning methodologies, in addition to blockchain and deep learning. These measures have produced encouraging outcomes in enhancing the security of the SD-SG systems against DDoS attacks. We chose to present and examine a selection of current initiatives for detecting and mitigating DDoS attacks in SD-SG systems.

4.1. Blockchain

Blockchain (BC) provides a decentralized communication system where every connection-related record for each network member is stored in a well-maintained and easily accessible database. The database contains information in a structured manner, where each piece of information is organized into blocks. Each block is assigned a unique hash value, which serves as its identification. Moreover, the blockchain demonstrates the characteristics of decentralization and functions autonomously without relying on central nodes. A potential solution is proposed to enforce a verification system at every edge of SD-SG’s SDN networks. This solution aims to address trust-management difficulties and enhance the system’s resilience against authentication assaults [143,144]. These systems utilize a consensus technique to identify and report network dangers.

Xiong et al. [37] introduce a distributed SDN control architecture for SG that is safeguarded by blockchain technology. Their article analyzes the deployment of substation automation through the utilization of the IEC 61850 standard. Originally designed for substation automation, this standard has since been extended to encompass other aspects of smart grid communication. Essentially, the authors’ proposed design entails a switch verifying the presence of a corresponding rule in its table upon receiving a new data packet. If the condition is not met, it initiates a request for a rule assignment to the control layer using the southbound interface API. The control layer then receives and sends these rules to the switch while also storing them on the chain. The transition implements services in compliance with the recently established regulations. Moreover, it compares these rules with the ones recorded on the blockchain to validate them. If there are inconsistencies that arise, which imply the existence of a malevolent regulation, it signifies the detection of an attack. The core idea presented is to use blockchain technology to ensure the consistency of the control layer strategy and the flow rules to prevent faulty or malicious data from being accepted in the network. Figure 6 shows the proposed architecture, which includes three layers. The first layer is the data layer, which involves the common switch and flow forwarding process for SDN, as described in a previous section. The second layer is a control layer consisting of a distributed SDN cluster structure. Every SDN controller is interconnected in a distributed blockchain network. The blockchain layer is the third layer. In this layer, the cluster-head SDN controllers are responsible for verifying whether devices are “on-chain”. Several processes have been proposed for SDN cluster controllers to authenticate both data and devices using blockchain-based verification. To minimize network latency inside each SDN domain, a single SDN controller is designated as the cluster head for each domain. The primary responsibility of this controller is to coordinate and supervise the distribution of control commands throughout the specified area. Within the proposed framework, all SDN controllers are interconnected in a distributed blockchain manner. This setup enables smooth and effective communication between all smart grid devices in the network.

The attack detection technique outlined in this work primarily utilizes the Jaccard similarity coefficient to assess the similarity of data packet transmission rates among switch ports. The Jaccard similarity coefficient between odd and even arrays is computed using the following formula:

$$\begin{array}{c}\hfill J(O,E)={\displaystyle \frac{O·E}{O+E-O·E}}\end{array}$$

(1)

$$\begin{array}{c}\hfill J(O_i,E_i)={\displaystyle \frac{{\sum }_{i=1}^n(O_i\times E_i)}{{\sum }_{i=1}^n{O}_i+{\sum }_{i=1}^n{E}_i-{\sum }_{i=1}^n(O_i\times E_i)}}\end{array}$$

(2)

$$\begin{array}{c}\hfill J(r_i,r)={\displaystyle \frac{{\sum }_{i=2k,j=2k-1}^{2m}(r_i\times r_j)}{{\sum }_{i=2k}^{2m}{r}_{2k}+{\sum }_{j=2k-1}^{2m}{r}_{2k-1}-{\sum }_{i=2k,j=2k-1}^{2m}(r_i\times r_j)}}\end{array}$$

(3)

where m = 1, 2, …, k. By utilizing the Jaccard coefficient, one may determine the extent of change in the port rate. When the magnitude of the change surpasses a specific threshold, it is determined that the network is being targeted by an attack.The simulations demonstrate that the blockchain-based distributed consensus mechanism effectively safeguards the system from DDoS attacks, with a capacity to handle 400 packets per second, while maintaining a bandwidth of over 80%.The DDoS attack simulation mimics a flooding tactic that is specifically intended to make the target switch port unable to function. It occurs in the data plane, specifically among the forwarding switch ports. The attack pattern consists of a persistent and targeted flow aimed toward the switch ports. The application prospects of this study suggest that integrating blockchain technology into SG systems can enhance security and resilience in the face of DDoS attacks. The current limitations of this approach include the need for regular blockchain updates while assuring a minimum workload for controllers. Future research should focus on developing efficient systems that prioritize the speed of verification among blockchain participants by the controllers while minimizing any additional costs or burdens.

4.2. Machine Learning

Machine learning has evolved from a set of robust artificial intelligence (AI) algorithms and is extensively employed in data mining. This enables a system to train on data and acquire valuable structural patterns and models. This application of ML is well suited for network security [145]. Modern methodologies employ diverse machine learning models, such as deep learning models, to create classifiers capable of identifying DDoS attacks in supervisory control and data acquisition (SCADA) and SG systems based on SDN). In addition, these papers emphasize that a good match between classifier and dataset is key to developing a successful model.

Polat et al. [38] propose a technique to accurately detect DDoS attacks in supervisory control and data acquisition (SCADA) systems based on SDN. This method utilizes parallel recurrent neural networks (RNNs). Their proposed approach employs long short-term memory (LSTM) and gated recurrent unit (GRU) recurrent neural network (RNN) models. The LSTM model is a variant of RNNs that is becoming increasingly prominent in the field of machine learning. Its purpose is to tackle difficulties such as the disappearance of gradients and problems with long-term dependencies, even when there are significant delays in time. The structure of the system efficiently captures long-term dependencies by utilizing specialized memory cells. These memory cells can be formed as follows:

$$\begin{array}{c}\hfill f_t=\sigma (W_f·[h_{t-1},x_t]+b_f),\end{array}$$

(4)

$$\begin{array}{c}\hfill i_t=\sigma (W_i·[h_{t-1},x_t]+b_i),\end{array}$$

(5)

$$\begin{array}{c}\hfill {\tilde{C}}_t=\tan \mathrm{h}(W_C·[h_{t-1},x_t]+b_C),\end{array}$$

(6)

$$\begin{array}{c}\hfill C_t=f_t·C_{t-1}+i_t·{\tilde{C}}_t,\end{array}$$

(7)

$$\begin{array}{c}\hfill O_t=(W_o·[h_{t-1};x_t]+b_o),\end{array}$$

(8)

$$\begin{array}{c}\hfill h_t=O_t·tanh\left(C_t\right).\end{array}$$

(9)

The LSTM architecture consists of sequential memory blocks, with each cell formation (f) consisting of a cell and three gates (entrance, (o) output (C), and forget (i)) that regulate the flow of information. The operation of these gates is determined by mathematical equations that incorporate weight matrices (b), bias vectors ($\tilde{C}$), input directory ($h_t$), output directory ($\sigma$), cell content (W), and activation functions such as the sigmoid and hyperbolic tangent functions. The sigmoid function generates values between 0 and 1, controlling the information flow, whereas the hyperbolic tangent function ($ta{n}_h$) adjusts the output of the cell.Adataset was created by combining non-attack data and DDoS assault traffic data from an experimental topology setting that mimics a small-scale SDN-based SCADA system.To gather the dataset, the researchers designed an experimental topology with four hosts. The OVS switch was targeted with a packet flood attack. The attacks occurred in the data plane layer and used a variety of packet types, including transmission control protocol (TCP), user datagram protocol (UDP), and internet control message protocol (ICMP). The attack was initiated by host 2 and targeted host 4. The dataset comprised 89 features, including 420 instances of non-attack data and 3780 instances of attack data. The RNN model, which included parallel LSTM and GRU layers, was trained and evaluated using the dataset. Their approach highlights a high average accuracy of 97.62% in classifying DDoS attacks and demonstrates its usability for SD-SG cybersecurity defense. The limitations of their study reside in the fact that they generated a unique dataset from their experimental setup. It is unclear how well this testbed represents other systems and the extent to which their DDoS attack scenario accurately reflects real-world attacks. In future research, it is important to examine the representativeness of testbeds and assess the performance of machine learning models in real-world applications. Additionally, it is crucial to evaluate models against unforeseen DDoS attack scenarios and compare their effectiveness with other existing scenarios.

In contrast to the aforementioned work, Nagaraj et al. [39] propose GLASS, a graph learning technique designed to enhance the security of SDN-based SG systems by mitigating DDoS attacks. The proposed methodology employes graph convolutional neural networks (GCNNs) to efficiently detect DDoS assaults in various scenarios by acquiring knowledge of the patterns exhibited by both normal and malicious network traffic. In addition, unsupervised learning methods are used to identify compromised entities. The approach not only involves detecting attacks but also uses spectral clustering to identify DDoS-compromised entities and proposes mitigation strategies. Spectral clustering primarily relies on the utilization of graph Laplacian (L) matrices, which are constructed based on the principles derived from spectral graph theory. The normalized graph Laplacian of a graph (${\mathcal{G}}^t$) has a weighted adjacency matrix ($W_{adj}^t$) and a weighted degree diagonal matrix ($W_{deg}^t$), which is calculated as follows:

$$\begin{array}{c}\hfill L^t=I_N-{\left(W{t}_{deg}\right)}^{-1}\times W_{adj}^t\end{array}$$

(10)

where $I_N\in {\mathbb{R}}^{N\times N}$ represents the identity matrix of size ($N\times N$). The spectral decomposition of matrix $L^t$ yields eigenvectors and eigenvalues, which are then combined with the standard K-means technique to separate compromised PMUs from normal PMUs in the SDN-SGC network.

Mitigation is achieved by sending updated flow rules to the northbound interface of the primary SDN controller to change the flow tables in switches. The controller limits the transmission of TCP SYN packets to the affected nodes, leading to a substantial improvement in network performance. The authors assess the effectiveness of the proposed method on a simulated SG network for the IEEE 118-bus power grid system, which commonly uses IEEE C37.118.2 or IEC 61850 communication protocols using TCP/IP. The perpetrator generates abnormal network traffic, specifically a DOS attack, by employing tools such as hping3 [146], to launch TCP flooding attacks. The attack is a TCP flood attack, characterized by a random pattern, targeting a variable number of buses, ranging from 1 to 10. The attack occurs within the data plane layer. The resulting dataset consists of a total of 354,000 data points. Half of these data points correspond to DDoS attacks, while the other half represent regular network performance samples. Their study demonstrates a detection rate exceeding 97% and a throughput of 84% when employing the mitigation strategy, as opposed to a mere 4% throughput during DDoS attack scenarios without implementing the techniques. The shortcomings of this work reside in the simplicity of the attack scenario and the yet-to-be-realized effectiveness of the GCNN in complex attack scenarios. Moreover, when the SD-SG is represented as a graph, there are difficulties in training it when the structure changes due to natural events such as outages or disasters. Additionally, the use of GCNNs poses a challenge in terms of the computational time and overhead in the application layer when scaling the grid. Hence, future endeavors should explore adaptable GCNNs that consider these challenges.

Jung et al. [40] argue that the utilization of feature distributions of the network in entropy-based anomaly detection methods has proven effective in identifying DoS assaults. Therefore, the authors propose using Shannon entropy to detect abnormalities in the communication network of an SG by analyzing the distribution of SDN traffic features such as source Internet Protocol (IP) address and destination IP address. Shannon entropy can be denoted as follows:

$$\begin{array}{c}\hfill H\left(X\right)=-{\displaystyle \sum _{x\in X}}p\left(x\right){log}_{b}p\left(x\right)\end{array}$$

(11)

where x represents an event. High entropy signifies a wide dispersion of the feature distribution, while low entropy suggests a tight clustering of the feature distribution. To generate the necessary data for testing, the authors employed Raspberry Pis equipped with OpenMuc, a framework that facilitates the implementation of crucial smart grid communication protocols such as IEC 61850, IEC 60870-5-104, and Modbus. The researchers conducted a range of attacks, including DoS, network scans, and port scans, against the nodes in the testbed. The attack was launched in the data plane layer, with the attack pattern determined at random for each type of attack. Principal component analysis (PCA) was employed to preprocess the traffic flow before classification. Nevertheless, the authors anticipate applying this suggested entropy-based anomaly detection technique on an SDN-based testbed as part of their ongoing study. Therefore, this proposed method has not undergone validation to ascertain its efficacy in accurately identifying anomalies in SD-SG. Further investigation is needed to assess the feasibility of implementation and the effects on the performance of SD-SG networks.

Allen et al. [41] suggest a hybrid, distributed, and decentralized (HDD) SDN architecture as a means to protect the phasor measurement unit (PMU) subsystem network, which differs from previous studies. HDD-SDN employs a physically distributed controller technique to ensure fault tolerance and fail-over operations. It also incorporates parallel execution of machine learning models to detect abnormal activity, hence creating a resilient SD-SG. The presented technique utilizes the concept of parent–child multiple controllers. The parent controller is responsible for reconfiguring the network and allocating and managing resources. On the other hand, the child controller detects abnormalities in packets and monitors the status of the parent node and other devices in the subregion network. The authors incorporate the OPAL-RT smart grid network emulator into their testbed to produce smart grid data. The server streams virtual measurements from OPAL-RT to clients, which are then examined by the HDD-SDN program in ONOS. The network state information obtained from remote SDN controllers is stored in a database, such as InfluxDB or AWS, for analysis by an AD module. The AD module thereafter communicates the required network reconfigurations to the main SDN controller for implementation. The authors utilize parallel computing to implement both the K-means method and the incremental K-means algorithm. The traditional K-means algorithm recalculates the cluster centroids by taking into account the entire dataset, but the incremental K-means approach just uses newly added data to update the previous centroids in each iteration. These clustering methods identify anomalies in the network traffic data and PMU measurement data. The data points are allocated to the cluster that has the smallest Euclidean distance to the computed cluster centers, which is computed as follows:

$$\begin{array}{c}\hfill d(P_n,C_k)={({\displaystyle \sum _{d=1}^D}{(P_n-C_k)}^2)}^{1/2}\end{array}$$

(12)

where $p_n=[p_1,p_2,\dots ,p_D]\in {\mathbb{R}}^D$ is a vector of D dimensions that includes the attributes related $n^{th}$ data point (a network packet), and $c_k=[c_1,c_2,\dots ,c_D]\in {\mathbb{R}}^D$ is a D dimensional vector of the $k^{th}$ cluster representative. Cluster representatives are determined by calculating the vector mean of the data points. The cluster algorithms were trained using the KDD CUP 1999 dataset, a standardized collection of data [147]. This dataset contains a diverse range of classified intrusions and cyberattacks, such as DoS, user to root (U2R), remote to local (R2L), and probing. These occurrences were duplicated in a military network environment and employed for the purpose of testing. Their work highlights the clustering-based anomaly detection technique, which achieves an accuracy of around 90%. One of the shortcomings of their work is that it introduces a single point of failure and vulnerability into the system through the parent–child relationship between controllers. If the parent controller is compromised or experiences a failure, the entire system will encounter interruptions. In addition, the utilization of the K-means method for face detection is hindered by challenges related to the expansion of dimensions and the impact of outliers on the classification process. Future research should explore these areas and provide solutions to address them.

Preseka et al. [42] specifically investigate the detection of anomalies in the communication network traffic during its first stages, highlighting a remarkable accuracy of 96% in near real time. The authors propose the utilization of CyResGrid, a technique that utilizes a hybrid deep learning model comprising a graph convolutional long short-term memory (GC-LSTM) and a deep convolutional network. This technique is utilized for identifying abnormalities in operational technology (OT) communication networks for power grids using time-series classification. GC-LSTM is a fusion of two machine learning models, namely the graph convolutional network (GCN) and LSTM. The graph convolutional network (GCN) examines the structural characteristics of the OT network in the spatial domain. The LSTM model acquires knowledge of the time-series data of the observed OT network traffic within the temporal domain. Therefore, GC-LSTM can acquire knowledge from both the spatial and temporal domains. GC-LSTM generates traffic predictions that serve as inputs for time-series classifications (TSCs):

$$\begin{array}{c}\hfill y_i^l=\mathrm{ReLU}({\displaystyle \sum _{j=0}^{m-1}}w{y}_{\left(i\right)}^{l-1}+b)]\end{array}$$

(13)

$$\begin{array}{c}\hfill x^{\ast }=arg{\displaystyle \underset{x}{max}}f\left(x\right)\end{array}$$

(14)

where the variables considered are the number of layers (l), filter size (m), weight (w), and bias (b). CyResGrid utilizes Bayesian optimization for hyperparameter tweaking in its deep convolutional network to accurately identify anomalies. The authors employ a dynamic model of the IEEE 39-bus test system in DIgSILENT PowerFactory to simulate the power system in real time. To establish a link between the power grid simulation and an operational technology (OT) communication network emulator, the CPS model integrates OPC UA via Python. The OT network emulation, facilitated by Mininet, functions on a collective of 10 virtual servers and includes 27 substations, 118 measurement devices, and over 800 data points. The functionality of the SCADA device is achieved by the utilization of customized Python code. This code is responsible for creating SCADA communication between the substations and the control center. The Linux bwm-ng tool is employed to capture and analyze this traffic. The authors examine the network traffic of OT systems during normal operations as well as during cyberattacks such as DDoS attacks using Syn Flood and OT network scanning attacks using nmap. They collect data on the observed traffic for the purpose of applying deep learning techniques. The control center receives measurement data from each substation using SCADA protocols such as IEC 104 and DNP3. The primary shortcoming of this effort is that the scalability of their solution has not been evaluated yet. As previously stated, GCNs need significant computing resources, and their scalability and resource costs have not yet been thoroughly evaluated. Future studies should focus on exploring a more efficient implementation of GCNs to implement SD-SG.

4.3. SDN Attributes

As was stated in Section 2, SDN network architecture enables flexibility, control, and security via the SDN controller and its management of data flows through switches and routers. Researchers have utilized these attributes to create security frameworks for SD-SG that exploit the centralized SDN controllers, customized data plane flows, and inherent SDN network resilience.

Mahmood et al. [43] introduce S-DPS, a software-defined networking-based DDoS protection system (S-DPS) designed specifically for SG systems. The suggested system utilizes a centralized SDN controller to oversee the network. DDoS attacks are detected and classified based on employing lightweight Tsallis entropy-based defense mechanisms. Tsallis entropy is commonly defined by its entropic index, which is used to assess non-extensive systems. It is commonly applied to edge detection and image segmentation in image processing. The authors employ the following equations to identify anomalies by utilizing the Tsallis entropy ($H_q$):

$$\begin{array}{c}\hfill w=x_{mi}m=1,2,3,4;i=1,2,\dots ,n,\end{array}$$

(15)

$$\begin{array}{c}\hfill P_{mi}={\displaystyle \frac{x_{mi}}{n}},\end{array}$$

(16)

$$\begin{array}{c}\hfill H_q={\displaystyle \frac{1}{q-1}}-{\displaystyle \sum _{i=1}^n}{P}_{mi}^q,\end{array}$$

(17)

Here, as shown in Equation (15), w is regarded as a set of data consisting of n items, where $x_{mi}$ denotes the occurrence related to a certain traffic attribute. The probability of event $x_{mi}$ occurring in window w can be computed using Equation (16). Finally, the Tsallis entropy ($H_q$) is computed using Equation (17). When q is greater than 1, higher probabilities have a greater influence on the ultimate entropy value, while lower probabilities have a lesser influence, and vice versa. The authors assigned the value of q as either −1.3 or −0.8 to obtain a higher detection rate and a lower false-positive rate. The authors employed Scapy [148], a versatile tool for generating traffic, to mimic a DDoS attack. Scapy is capable of generating both regular and attack traffic. The software provides functionalities such as scanning, packet spoofing, forging, and sniffing. Scapy enables the generation of TCP packets. The tool is compatible with Python, which was also used by the POX controller in their study. This integration facilitated efficient coordination between the controller and the traffic generator for the authors. The Python function "random" was used to generate spoofed source IP addresses and host IP addresses. This function generates uniform random floats within the range of 0.0 to 1.0. These floats are merged to create forged IP addresses. Scapy’s features, such as the ability to specify packet types and intervals, allow for the generation of both regular and malicious network traffic. The authors employed the Scapy tool to initiate smurf, socket stress, and SYN flood DDoS attacks at the data plane layer. These attacks occur sporadically but consistently target the utility server.

Traffic features are extracted from new packets destined for the SDN controller. The SDN controller matches or identifies flows associated with SDN characteristics that demonstrate an anomaly in their entropy values or changes in entropy. The proposed algorithms effectively identify both low-rate (LR) and high-rate (HR) DDoS attacks and then apply countermeasures such as rate limitation and filtering. Each flow in flow tables is linked to a distinct action performed by the controller. With this technique, a detection rate of DDoS attacks of 100% was observed with a 0% false-positive rate. A shortcoming of this work is that the testbed design utilizes a single POX controller to accommodate the detecting module. Nevertheless, this creates a single point of vulnerability that might cause the entire system to fail. Additionally, POX is a legacy controller that is implemented using Python. Many practical applications utilize advanced controller systems, such as ONOS, for instance. The implementation of a distributed strategy with modern controllers has not yet been achieved. Moreover, the efficacy of their system in addressing more practical attack scenarios has not yet been achieved.

4.4. Moving Target Defense—Dynamic Topology

Used as a countermeasure, a moving target defense (MTD) implements flow, path, or route/switching mutation to defend normal operations in communication networks, making it difficult for attackers to launch successful DoS attacks along a given set of devices or paths. MTD enhances the ambiguity and complexity faced by system attackers, hence reducing their ability to identify targets such as susceptible system components. Additionally, it increases the cost of assaults and scans, including reconnaissance attacks [149]. An instance of an MTD is illustrated in Figure 7. The SDN controller communicates with the switches with the help of southbound API to instruct the switches on which links to use for flows. The green links are “on”, i.e., are active flows being used by the network. The red links contain data that are false or are links that are no longer active because they have been turned off by the SDN controller. When an attacker attacks these links, the false packets are not routed to the correct destination and are essentially dropped, which prevents them from affecting the intended network traffic.

Abdelkhalek et al. [44] introduce an MTD routing method to enhance the security of SDN-enabled SG systems. This technique synergizes the benefits of SDN’s dynamic programmability and MTD’s randomization in topology changes to avoid and mitigate cyberattacks in the smart grid. Their proposed mechanism randomizes the network topology by changing the paths that network flows take in response to a DoS attack. The SDN controller detects the obstruction of the communication pathway and redirects the data flow to an alternative accessible channel. The focus of this work is on DoS attacks on links and connections between the substations and the control center. To evaluate their implementation, it consists of four primary components: (1) The OPAL-RT is a power system simulator that combines physical grid models with network communication interfaces in real time. (2) The SD-WAN is based on Mininet and uses SDN technology to imitate routers, switches, and a controller. (3) The control center houses a comprehensive wide-area control system (WACS) program for overseeing the grid. (4) The external nodes comprise a cyber assailant who inserts denial-of-service (DoS) attacks into the SD-WAN, and a maintenance node that transmits legitimate data to the grid and control center. The grid and WACS exchange data via the DNP3 protocol, where measurements are converted from IEEE C37.118 to DNP3 using OPAL-RT’s I/O interface.

The SD-WAN enables DNP3-based communication using three concurrent channels, where the attacker and maintenance node are connected to the SD-WAN through a switch. The attack is characterized by a TCP SYN packet flood. The location is the data plane. The attack pattern involves an attacker carrying out a DoS attack on a communication channel that acts as the main route for data exchange between the control center and the grid. This attack assumes that the attacker can completely obstruct only one channel. Attack vectors exhibit varying levels of intensity, which can be quantified by the rate at which TCP SYN packets are injected each second. The rate can range from 0% to 100% of the maximum attack volume, which is set at 1000 packets per second for different test cases. One shortcoming of this work is that DDoS attacks and attacks on nodes/devices as single points of failure are not considered and should be investigated for future work. The proposed mechanism involves simulation using a real-time power system simulator (OPAL-RT), a Mininet network, and an SDN emulator, with external hosts acting as the attacker and the maintenance node. The proposed approach highlights significantly reduced packet drop percentages. The researchers also examine the link switching time that minimizes packet drops during DoS attacks.

4.5. Flow Filtration

Static state estimation (SSE) does not take into account the historical information of the measurement vector $\mathbf{z}$ and simply provides a single snapshot of the system. The concept of “memorylessness” in SSE was demonstrated to be suitable for real-time monitoring in early EMS. Historically, power networks had a less structured distribution level, with fewer microgrids, dispersed energy resources, and netload dynamics compared to contemporary systems. In addition, the measurement data that were provided to the state estimator usually came from measurement equipment with low sample frequencies, such as the SCADA system, which had sampling rates that fell within the range of 2–4 s. The modest metering rates were the primary hindrance to adequately capturing dynamic activity in state estimation. Nevertheless, Schweppe’s formulation emerged shortly after the introduction of the Kalman filter in 1961 [150], prompting academics to investigate alternative formulations beyond the then-nascent SSE. The problem of slow meter sample rates would be partially alleviated by implementing synchronized phasor measurements in the 1980s [151]. Phasor measurement units (PMUs) provide higher sampling rates in comparison to SCADA systems, together with GPS coordination to eliminate any uncertainty regarding synchronization. Dynamic state estimation (DSE) is akin to SSE and encompasses a range of methodologies. At first, the formulas for DSE used the same set of measurements and state variables as the classic SSE approach. These variables included both active and reactive power flow and injections, as well as complex bus voltages. Alternative approaches strive to enhance the accuracy of the representation of load dynamics by including the generator rotor angle and speed as differential-algebraic state variables [45,46,47]. However, this review will primarily concentrate on anomaly detection implementations that utilize algebraic state variables and are based on DSE. DSE can be accomplished by modeling the power system as a discrete-time dynamic system. The Kalman filter utilizes the method described in [48] to estimate the state variables at time k. This is achieved by carrying out prediction and measurement update stages in each iteration.

Predict:

$$\begin{array}{cc}\hfill & {\widehat{\mathbf{x}}}_{k|k-1}={\mathbf{A}}_k{\widehat{\mathbf{x}}}_{k-1|k-1}\hfill \end{array}$$

(18)

$$\begin{array}{cc}\hfill & {\mathbf{F}}_{k|k-1}={\mathbf{A}}_k{\mathbf{F}}_{k-1|k-1}{\mathbf{A}}_k^T+{\mathbf{Q}}_k.\hfill \end{array}$$

(19)

Update:

$$\begin{array}{cc}\hfill & {\mathbf{K}}_k={\mathbf{F}}_{k|k-1}{\mathbf{H}}_k^T{\left({\mathbf{H}}_k{\mathbf{F}}_{k|k-1}{\mathbf{H}}_k^T+{\mathbf{R}}_k\right)}^{-1}\hfill \end{array}$$

(20)

$$\begin{array}{cc}\hfill & {\widehat{\mathbf{x}}}_{k|k}={\widehat{\mathbf{x}}}_{k|k-1}+{\mathbf{K}}_k\left({\mathbf{z}}_k-{\mathbf{H}}_k{\widehat{\mathbf{x}}}_{k|k-1}\right)\hfill \end{array}$$

(21)

$$\begin{array}{cc}\hfill & {\mathbf{F}}_{k|k}={\mathbf{F}}_{k|k-1}-{\mathbf{K}}_k{\mathbf{H}}_k{\mathbf{F}}_{k|k-1}\hfill \end{array}$$

(22)

where at time k, ${\mathbf{A}}_k$ denotes the state transition matrix, ${\mathbf{K}}_k$ denotes the Kalman gain matrix, and ${\mathbf{H}}_k$ denotes the measurement matrix. The symbols ${\mathbf{F}}_{k|k}$ and ${\mathbf{F}}_{k|k-1}$ denote the state covariance matrices inferred from measurements up to times k and $k-1$ correspondingly. The matrices ${\mathbf{Q}}_k$ and ${\mathbf{R}}_k$ reflect the statistical measure of the variability or dispersion of the process noise and observation noise, respectively. The creators of the original Kalman filter power system DSE approach [152] proposed that it may be combined with anomaly detection technologies, which were being studied for SSE at that particular period. Initial investigations, based on the studies conducted by [153,154], focused on identifying erroneous data by analyzing the process of innovation.

$${\mathbf{v}}_k={\mathbf{y}}_k-\mathbf{h}\left({\widehat{\mathbf{x}}}_{k|k-1}\right).$$

(23)

Additional approaches for managing inaccurate data in DSE include asymmetry analysis, which relies on evaluating the skewness of the normalized estimation error [48,49]. Research on anomaly detection in the field of DSE remains a lively and active area of study, as evidenced by [47,50]. This is especially significant due to the widespread occurrence of dynamic demand and generation profiles in microgrid systems that integrate distributed energy resources (DERs).

4.6. Summary and Lessons Learned

This section presents a comprehensive examination of the taxonomy of defense strategies employed to mitigate DDoS and DoS attacks in the context of SD-SG network security. In this section, we provide several solutions, namely blockchain, machine learning (ML), SDN attributes, and MTD. The performance of each is thoroughly examined, along with the respective benefits they offer. It is revealed that each proposed solution has demonstrated enhancements in the areas of confidence augmentation within the system; the precise identification of attacks; and the utilization of the inherent properties of SDN, such as the installation of flow rules, to bolster the security of SD-SG against DDoS and DoS attacks. Furthermore, certain domains have not been thoroughly investigated. Future research efforts should focus on examining the most suitable deployment site to minimize network overhead, enhance the speed of response of defense systems, and explore methods to retain throughput in order to restore connectivity in areas affected by DDoS attacks.

Several strategies have been proposed to counter controller attacks, such as the implementation of moving target defense (MTD) and the utilization of deep learning techniques. Game theory is being explored as a novel approach to enhancing network security in SD-SGs. Game developers utilize game theory to design games where the security system, acting as a player, must make several options to accomplish a pre-established goal, such as safeguarding the controller from an adversary. While game theory can enhance controller security and prevent data leakage to safeguard data privacy, integrating it into a system may lead to increased system overhead. In the following section, we will analyze the most recent research on defenses against controller attacks.

5. SDN Controller Attacks

SDN controllers are a crucial element in any SD-SG framework because of their significance in the background, algorithms, protocols, and tactics for DoS attacks. The ability to access the controller grants an operator full authority over network topology, as well as the ability to modify or create traffic regulations for their applications. SDN controllers are attractive to cyberattackers and are a significant concern for safe network management [155]. This section analyzes the tactics for defending against SD-SG controller attacks and classifies them according to their use of moving target defense (MTD) and game theory. This section focuses on reviewing the most recent literature about the protection of SDN controllers. Specifically, we will discuss the utilization of MTD strategies and game theory in defending against potential threats.

5.1. Moving Target Defense for Controller Attacks: Controller Migration

As discussed in Section 4.4, MTD defenses implement flow, path, or route/switching mutation to defend normal operations in communication networks. In this section, MTD is applied to protect against controller attacks by virtually migrating the controller instance instead of altering the network topology, in contrast to Section 4.4.

Lin et al. [51] introduce an MTD strategy that utilizes virtual security functions such as firewalls, intrusion detection systems (IDSs), traffic classifiers, and others to enhance the security of SDN networks in SG environments. Moreover, the researchers propose transferring the virtual security functions to servers with ample resources, which aids in reducing the impact on the virtual security activities. The suggested work comprises a three-tier architecture comprising an SDN controller layer, a virtual security function layer, and an infrastructure layer. Aside from the typical components of an SDN controller, there is an additional component known as migration controllers, which oversee the dynamic allocation of physical resources. The infrastructure layer consists of the typical hardware resource servers that operate using VSF instances and OpenFlow switches. The virtual security function enables the migration of the virtual security instantiation to new locations in the network to respond to network attacks. During the migration process, the authors carefully took into account parameters such as uniqueness, resource capacity, and bandwidth capacity limits. For example, the bandwidth capacity constraint can be defined as follows:

$$\begin{array}{c}\hfill {\displaystyle \sum _{d_m\in E_t^V}}{b}^{vw}ij\left(t\right)\times p_{ij}^{vw}\left(t\right)\le B_{ij},\forall t\in R,\forall i,j\in V^P\end{array}$$

(24)

where symbol $B_{ij}$ represents the bandwidth of the physical link $e_{ij}$ for all elements in the set $E^p$. The symbol $b^{vw}\left(t\right)$ represents the bandwidth allocated to the virtual link $d_{vw}$ for all elements in the set $E_t^V$ at time t. The sets $V^P$ and $E^P$ represent the collection of physical resource servers and the network links connecting them, respectively.

The suggested approach seeks to mitigate controller assaults by implementing a dynamic defense strategy of virtualized security in SD-SG, thereby impeding attackers from identifying and exploiting vulnerabilities. To evaluate their pre-approach against greedy and random migration policies, they developed a virtual testbed. The testbed consisted of virtual PCs connected by a network comprising five OpenFlow switches and one SDN controller. The current servers were interconnected using switches in a sporadic fashion. The server resources and residual bandwidth of physical links were assumed to follow uniform distributions. There were a total of 20 physical servers, with each server having a resource capacity ranging from 1000 to 1200 Mb. Each server had the capacity to accommodate one to five virtual security function (VSF) instances. The remaining bandwidth on physical lines varied between 100 and 150 Mb. The assigned resources for a VSF instance ranged from 150 to 200 Mb, with an occupancy rate ranging from 0.2 to 0.9. Moreover, the aggregate amount of data to be transmitted for a VSF instance varied between 3000 and 5000 megabytes. The strategies highlight their effectiveness in countering cyberattacks that specifically aimed at the controller’s physical location or sought to take advantage of weaknesses in the controller’s software. A shortcoming of their study is the presence of a persistent SDN controller responsible for overseeing the migration of other controllers. Their study does not address the possibility of the migration controller being attacked and compromised, which would render the migration scheme ineffective as the attackers may modify the migration process. Incorporating a migration scheme into the controller responsible for managing the migration should be considered in future studies. Another shortcoming of their work is that, despite the implementation of a distributed approach for the controller architectures, the entire framework introduces single points of failure due to certain modules such as "AllocatoR" being responsible for selecting the optimal location for SDN controllers to move to. These specialized modules might become vulnerable sources of failure and targets for attackers to exploit. Future work should aim to decentralize these modules to enhance ambiguity.

Azab et al. [52] introduce “MystifY”, a proactive MTD strategy designed to enhance the resilience of the software-defined control plane in software-defined cyber–physical systems (SD-CPSs) against attacks. The approach employs regular changes to the network addresses and/or ports of the controller, hence complicating the task of attackers in tracking the controller’s whereabouts and taking advantage of weaknesses. AllocatoR identifies the optimal location for deploying the controller. The system determines the most suitable site, referred to as $S^{\prime }$, such that $|S^{\prime }|=c$, with a capacity of c representing the number of SDN controllers connected to the network at that specific location $S^{\prime }$. AllocatoR selects the optimal position by taking into account the latency between the controller and the nodes, which is represented as $L_{avg}\left(S^{\prime }\right)$. The following equation is used to determine the average distance between SDN controller nodes and other connected nodes:

$$\begin{array}{c}\hfill L_{avg}\left(S^{\prime }\right)={\displaystyle \frac{1}{n}}{\displaystyle \sum _{v\in V}}mind(v,s)\end{array}$$

(25)

Then, the controller is dynamically relocated among heterogeneously configured hosts. However, in contrast to other approaches, the workload of the controller also migrates among a set of multiple controllers for robust and increased resilience with controller operations. In order to assess the system, the authors employed the PYGRID framework, as described in [156], to simulate an SD-SG. PYGRID is a sophisticated software development and evaluation framework specifically created for grid-aware software-defined networking, making use of the Python programming language. In addition, in their simulation, they used several Python scripts to create grid traffic and establish paths between the mimicked power components. The testbed was constructed utilizing the IEEE 24-Bus power system to showcase the efficiency and efficacy of their proposed design. The PYGRID simulator had the IEEE 24-Bus system using twenty-four emulated virtual hosts. Their simulation scenario involved eight ‘Docker’ stations to symbolize the controller migration tier. Each Docker station contained an SDN container that included Ubuntu 14.04, Mininet 2.1.0, and POX 0.1.0 SDN controller. Based on their findings, MystifY can decrease the effectiveness of different types of attacks by preventing the attacker from determining the position or identity of the controller. The IEEE1646 [157] international standard in the energy industry specifies the communication delivery time and performance standards for the automation process in electric power substations. It was utilized to evaluate the performance of the author’s suggested framework. Their system has an average communication speed of 30 ms for both node-to-controller and controller-to-controller communication. This speed falls within the “medium speed” range (10–100 ms) for non-critical information of the IEEE1646 standards. The strategy is highly effective in countering assaults that specifically target the controller’s network location or seek to exploit flaws in the controller’s software.

5.2. Game Theory

Game theory is a framework that considers numerous decisions, such as in games, where players attempt to maximize their advantages while considering the rational choices of others, such as cyberattackers [158]. Game theory involves people making choices and acting to attain their goals. SD-SG network security studies evaluate cyber-threat scenarios using gaming theory. Control and data planes are evaluated as players.

Sivaraman et al. [53] suggest a game-theoretic strategy for enhancing data privacy in SD-SGs. The objective is to minimize the unintentional disclosure of information by compromised controllers. The privacy framework is based on the creation of a noncooperative game that involves switches. The quantification of privacy requirements is accomplished by employing information theory, namely mutual information and differential privacy. The game’s Nash equilibrium is computed using an iterative best-response approach [159]. The Nash equilibrium, a key idea in game theory, proposes that maintaining one’s initial approach can lead to advantageous outcomes, considering the decisions made by other participants. The authors’ proposed game theory achieves Nash equilibrium in their game. Their mapping probability matrix P is considered Nash equilibrium if and only if

$$\begin{array}{c}\hfill f_u(p_u,P_{-u})\le f_u(p’u,P’-u)\forall p’u\in Su\forall u\in U.\end{array}$$

(26)

The performance of the proposed strategy is evaluated by comparing it to both the globally optimal solution and the exponential mechanism, which is used for differential privacy. In comparison to global solutions (globally optimal mapping game), the theoretical game (differential private mapping game) achieved nearly optimal outcomes and demonstrated greater fairness on the IEEE 30, 118, and 300 networks [160]. Additionally, it enhanced the data security of the controller, safeguarding it against passive attacks. To summarize the highlights, the suggested method can enhance data confidentiality in SG systems and safeguard against compromised controllers. A shortcoming of this study is that the impact of quick scalability is not assessed. The presented technique is tailored for specific IEEE bus systems, but its performance under real-life scenarios of rapid expansion and grid education has not been evaluated yet. This aspect should be investigated in future research.

Unlike existing game-based methods, Samir et al. [54] propose a software-defined controller placement camouflage (SD-CPC) method as a stochastic game-based MTD technique to enhance the resilience of SDN controllers against cyberattacks. The model of a game-based MTD is depicted in Figure 8. The technique aims to enhance the security of SDN controllers by dynamically relocating virtualized controllers and altering their IP addresses, hence reducing their vulnerability to potential attackers. The objective is to identify the optimal positioning $S^{\prime }$ in order to achieve the optimum outcome.

$$\begin{array}{c}\hfill |S^{\prime }|=k\end{array}$$

(27)

where the variable k represents the number of controllers dispatched at each of these locations. The game developed by the authors aims to reduce latency $L_{avg}\left(S^{\prime }\right)$ by decreasing the distance between the placed controllers and the nodes assigned to them. The average latency can be calculated using the following formula:

$$\begin{array}{c}\hfill L_{avg}\left(S^{\prime }\right)={\displaystyle \frac{1}{h}}{\displaystyle \sum _{v\in V}}{\displaystyle \underset{s\in S^{\prime }}{min}}d(v,s)\end{array}$$

(28)

where the variable $d(v,s)$ represents the shortest path from node v to node s, with v considered an element of the set V and s an element of the set S.The game consists of two participants: player 1 serves as the system defender, while player 2 assumes the role of the attacker. The assailant focused on the most susceptible areas of the network throughout their simulations, while the system defender identified the optimal position to relocate the controllers in response. The approach has exceptional performance in countering attacks that attempt to exploit flaws in the software of the controller or specifically target the physical location of the controller.To devise an optimal gaming strategy, the defender is advised to assign an equal chance of “0.25” to all places and acquire knowledge during gameplay, rather than consistently selecting the options with the lowest latency. This facilitates a fluid and adaptable learning process. The attacker’s cyberattack is classified as a DoS attack, specifically targeting the controller in the control plane at unpredictable intervals. Both the attacker and the defender employ dynamic strategies, such as adaptive learning, to ascertain the most effective approach in anticipation of real-world implementation. The game has little impact on system performance, and the SD-CPC technique provides a highly effective and efficient option for enhancing SDN resilience against advanced persistent threats to controllers. A shortcoming of this study is its exclusive focus on a single defender and attacker. The extent to which this system can handle and counter more complex and coordinated attacks has not been determined yet and should be investigated in future research.

SDN-related issues such as SDN controller assignment, anomaly detection, and mitigation can be represented as game models [55]. Niazi et al. [55] consider an intrusion detection system (IDS)-SDN architecture, such as the one shown in Figure 9, and formulate the strategic interaction between a hypervisor and a possible attack source, while the hypervisor monitors its virtual SDN (vSDN) controllers in the control plane, and the attack source launches DDoS attacks via compromised switches. The game is modeled as a noncooperative dynamic Bayesian game-theoretic IDS [55]. The conditional probabilities are utilized to forecast the adversary’s next activities, taking into account the historical profile and the sort of assailant in the preceding round. Subsequently, these probabilities are employed in Bayes’ law to gauge the hypervisor’s ($H^{\prime }s$) inference regarding the specific type of compromised switch. The authors leverage Bayes’ law to establish the belief update mechanism utilized by the hypervisor, allowing it to update its belief from stage game $t_n$ to $t_{n+1}$. Thus, the belief about the type of switch ($S^{\prime }$) is modified at the end of the game in the following way:

$$\begin{array}{c}\hfill {\mu }_H\left(T_D\right|a_D\left(t_n\right),h_D^H\left(t_n\right))={\displaystyle \frac{{\mu }_H\left(T_D\right|h_D^H\left(t_n\right))P\left(a_s\left(t_n\right)\right|T_D,h_d^H\left(t_n\right))}{\sum {\mu }_H\left(T_D\right|h_D^H\left(t_n\right))P\left(a_s\left(t_n\right)\right|T_D,h_D^H\left(t_n\right))}}\end{array}$$

(29)

Figure 9 provides an example game scenario from [55]. The four scenarios show strategic interactions between the hypervisor and the attacker. Within the game model, a hypervisor can efficiently allocate its finite resources in order to effectively supervise guest virtualized SDN controllers. The depicted approach involves a hostile entity that strategically alters its behavior between normal and malicious states to evade detection. This is achieved through the breaching of a switch. In order to mitigate the impact of a DDoS attack on virtualized SDN-based SGs, the authors examine an attack method that takes advantage of a switch to generate low-traffic flows. This attack is designed to trigger packet-in signals to the controller, specifically targeting the control plane. This attack will finally overwhelm the hypervisor by excessively utilizing its resources with policy composition activities, potentially resulting in a random pattern. Therefore, if a hypervisor’s processing and storage resources are all exhausted, it will result in the services becoming unavailable. The analysis highlights that the noncooperative dynamic Bayesian game-theoretic intrusion detection system (IDS) enhances the likelihood of a hypervisor detecting distributed attacks, decreases the occurrence of false positives, and lowers the expenses associated with monitoring. An inherent shortcoming of the approach is that the use of a single hypervisor creates a new potential target for attackers. The attacker may attempt to directly target the hypervisor in order to render the game ineffective. Future work should consider protection measures to be implemented.

5.3. Summary and Lessons Learned

In this section, we examined the taxonomy of mitigation measures used to mitigate SDN controller-based attacks. We presented solutions in the form of MTD and game theory. We analyzed the individual advantages associated with each proposed option. It was observed that each proposed solution has the objective of enhancing the security of the controller to prevent the unauthorized disclosure of sensitive information, or alternatively, frequently relocating the virtualized instances of the controller to create a continuously evolving and dynamic environment for controllers to thwart targeting by attackers. Nevertheless, there are a few areas that require further investigation in future research. Future research should focus on investigating methods for detecting hacked controllers and examining the impact of frequently changing the virtual location of the controller on the quality of service (QoS) for end users. If a controller has already been compromised, it is clear that the approaches proposed in existing research will be insufficient.

Game-theoretic approaches are a recently explored field of study for SD-SG systems. A novel field of research in SD-SG focuses on developing multifaceted strategies for both attacking and defending. SD-SG is susceptible to various types of assaults, including false data injection (FDI), man-in-the-middle (MITM) attacks, and DDoS/DoS. To our knowledge, no other research has focused on the multi-attack scenario. However, at the University of Florida, with the support of a grant from the National Science Foundation (NSF), we have developed a suite of cross-layered strategies enhanced by machine learning algorithms to detect multi-pronged cyberattacks with greater performance than other state-of-the-art single-attack methods. We have developed distributed SDN-controller strategies to enable risk mitigation and throughput maintenance during cyberattacks.

6. Multi-Pronged Attacks

Multi-pronged attack defensive SD-SG solutions are primarily cross-layered, machine learning algorithm-assisted approaches that dynamically update the statistical model of both the system measurement parameters and the network parameters based on power flow traffic to improve the likelihood of detection of multi-pronged cyberattacks. Our multidisciplinary smart grid team at the University of Florida, consisting of experts in power, networks, and machine learning, has developed several ground-breaking cross-layered machine learning algorithms and demonstrated robustness in the presence of a range of SG attacks.

6.1. Cross-Layered Machine Learning Approach

Our suite of Cross-Layer Ensemble CorrDet with Adaptive Statistics (CECD-AS) methods has been designed to detect many types of cyberattack threats that have random attack patterns, including FDI, DoS, and MITM attacks, within the data plane layer of the SD-SG  [5,17,36,56,57,58].Allen et al. (2022) propose an SDN-based cross-layered strategy to safeguard SGs from cyberattacks. Their solution involves integrating data from the power grid, networking, and communication levels into a machine learning model. The cross-layer architecture is shown in Figure 10. The smart grid layer provides physical/physics-based monitoring and measurements, while the communication network layer monitors and provides cyber-based measurements. The analysis layer trains and tests the cross-layer data to model the system’s normal operations versus anomalous operations. The data are trained to detect and identify the presence of single attacks and multiple types of cyberattacks, including false data injection (FDI), denial-of-service (DoS), and man-in-the-middle (MITM) attacks. The management layer is responsible for mitigation actions using the SDN-based control of the SD-SG system.

The CECD-AS algorithm is used to evaluate data from the power grid and SDN-communication layers. Its purpose is to detect any unusual behavior in real time in the SD-SG. The algorithm is described in Algorithm 1. The equations required for the implementation of the CECD-AS algorithm are as follows:

The Mahalanobis distance equation:

$${\delta }_m^{ECD}\left({\mathbf{z}}_m\right)={({\mathbf{z}}_m-{\mathsf{\mu }}_m)}^T{\Sigma }_m^{-1}({\mathbf{z}}_m-{\mathsf{\mu }}_m)$$

(30)

The threshold equation for the CECD-AS algorithm:

$${\tau }_m={\mathsf{\mu }}_{\mathbf{thr},\mathbf{m}}+\eta \ast {\sigma }_{\mathbf{thr},\mathbf{m}}$$

(31)

The Woodbury matrix identity [161] in Equations (32) and (33) is used as follows:

$${\mathsf{\mu }}_{new,m}=(1-\alpha ){\mathsf{\mu }}_m+\alpha ({\mathbf{z}}_m-{\mathsf{\mu }}_m)$$

(32)

$${\Sigma }_{new,m}^{-1}={\displaystyle \frac{1}{1-\alpha }}\left[{\Sigma }_m^{-1}-{\displaystyle \frac{({\mathbf{z}}_m-{\mathsf{\mu }}_m){({\mathbf{z}}_m-{\mathsf{\mu }}_m)}^T}{\frac{1-\alpha }{\alpha }+{({\mathbf{z}}_m-{\mathsf{\mu }}_m)}^T({\mathbf{z}}_m-{\mathsf{\mu }}_m)}}\right]$$

(33)

According to Starke et al. [36], the threshold value ${\tau }_m$ for each local cross-layer CorrDet detector is modified using Equation (34), which considers the updated values of ${\mathsf{\mu }}_{thr,m,-\beta }$ and ${\sigma }_{thr,m,-\beta }$. Here, the term $-\beta$ indicates that the threshold is updated based on the past $\beta$ number of samples.

$${\tau }_m={\mu }_{thr,m,-\beta }+\eta \ast {\sigma }_{thr,m,-\beta }.$$

(34)

The framework is designed to facilitate a streamlined and cohesive approach across different components of the SG. The authors highlight the efficacy of the framework through a case study, which exhibits a classification accuracy of over 98% in countering the aforementioned multifaceted cyberattacks. It is crucial to ensure the dependability and robustness of contemporary power systems; therefore, the proposed method provides a proactive and all-encompassing strategy for SG cybersecurity. CECD-AS is an extension of our prior research and employs machine learning techniques [56,57,58], which will be further elaborated.

The CECD-AS algorithm, which enabled multi-pronged cyberattack detection, built upon the Ensemble CorrDet with Adaptive Statistics (ECD-AS) algorithm and the research efforts described in [57,58]. Nagaraj et al. [56] introduce the ECD-AS approach for identifying FDI attacks in the IEEE 118-bus system [162]. Their study introduces a technique that uses adaptive statistics to identify erroneous data in power systems, considering the typical or abnormal attributes of the constantly evolving state of a power system. The ECD-AS algorithm is based on the research carried out in the CorrDet algorithm [57] and the ECD algorithm [58]. ECD-AS is a set of CorrDet detectors that collect adaptive statistics for each local CorrDet environment. The method proposed in this research for detecting bad data is based on data-driven methods. It utilizes adaptive mean, adaptive covariance, and adaptive anomaly threshold, which are derived using a sliding window approach. This allows the technology to adapt to changes in the system state when processing incoming data. Through thorough experimentation with the hyperparameters of the ECD-AS process, in the case study of the IEEE 118-bus system, an optimal solution was achieved. These results highlight that this method outperforms the state-of-the-art ML algorithm in terms of accuracy, precision, recall, and F1 score when it comes to detecting bad data. A shortcoming of this work is that it does not investigate how well the method can be scaled to larger grid sizes, which is yet to be determined because it was tested solely on the IEEE 118 system. Further research should explore this topic.

Algorithm 1: Cross-Layer Ensemble CorrDet with Adaptive Statistics (CECD-AS) Algorithm from Aljohani et al. [17]

1: Train a Cross-Layer Ensemble CorrDet classifier: Input:  $\mathbf{Z}$, $\mathbf{Y}$, $\tilde{\mathbf{Z}}$ 2: for Every local Cross-layer CorrDet classifier $m=1:M$ do 3:     Initialize the mean ${\mathsf{\mu }}_m$ and covariance ${\Sigma }_m^{-1}$ of normal statistics using the sample mean and covariance of normal samples in the training set with selected triple elements associated with ${\varphi }_m$ 4:     Initialize the squared Mahalanobis distance ${\delta }_{Z,m}$ using Equation (30) 5:     Initialize the threshold ${\tau }_m$ using Equation (31) 6: end for   7: Test using the Cross-Layer Ensemble CorrDet classifier with Adaptive Statistics:   8: for Every test sample $k=1:K_2$ do 9:     Compute the squared Mahalanobis distance ${\delta }_{{\tilde{z}}_k}$ using Equation (30) 10:     if $\forall m,{\delta }_{{\tilde{z}}_k}<{\tau }_m$ then 11:         Classify ${\tilde{z}}_k$ as normal sample: ${\tilde{y}}_k=0$ 12:         Update the mean ${\mathsf{\mu }}_m$ and covariance ${\Sigma }_m^{-1}$ using Equations (32) and (33) 13:         Update the sliding window by adding ${\delta }_{{\tilde{z}}_k}$ to $\mathbf{B}$ and removing the oldest value from $\mathbf{B}$. 14:         Update the mean ${\mu }_{thr,m,-\beta }$ and variance ${\sigma }_{thr,m,-\beta }$ of squared Mahalanobis distances in the updated sliding window of each local cross-layer CorrDet detector 15:         Update the threshold value ${\tau }_m$ for each local cross-layer CorrDet detector using Equation (34) 16:     else 17:         Classify ${\tilde{z}}_k$ as abnormal sample: ${\tilde{y}}_k=1$ 18:     end if 19: end for Output:  $\tilde{\mathbf{Y}}$

A cross-layered cyber–physical power system state estimation framework was implemented by Aljohani et al. in [17] using the Cross-Layer Ensemble CorrDet with Adaptive Statistics (CECD-AS) method. The framework utilizes data from the physical layer and communication layer to assess the condition of the power system. It synchronizes the measurements for the CECD-AS machine learning algorithm, as demonstrated in Algorithm 1. The results highlight that the real-time CECD-AS approach surpasses other advanced state estimation methods in terms of F1 score when dealing with various cyberattacks. This is due to its capability to learn from the data collected across multiple layers of the SG and adjust to dynamic spatiotemporal changes in measurement data. A shortcoming of this technique is that data synchronization is required. Any errors or discrepancies can lead to unanticipated adverse outcomes in the classification process. Hence, it is crucial to guarantee that the sliding window has the same duration for both layers of the grid. Future research should explore a more resilient sliding window approach to address synchronization difficulties.

Agnew et al. [5] further develop the SDN architecture layer of the CECD-AS method, presenting a flat, distributed design for enhancing resilience against DoS cyberattacks. The proposed architecture depicted in Figure 11 utilizes a set of open network operating system (ONOS) controllers [163]. These controllers have a distributed control and decision-making control plane for the SD-SG, which is referred to as D3-SDN for the three-controller system. In the study conducted by Agnew et al. [76], a benchmarking analysis was carried out to compare the performance of the proposed architecture with the POX controller, which is a commonly used controller solution in SD-SG research [43,164,165]. The purpose of this comparison was to highlight that, when compared to the POX controller architecture, the D3-SDN framework improved throughput and reduced latency during DoS attack scenarios. A shortcoming of this research is that we have not yet determined how well the controller framework performs in comparison to other widely used controllers such as RYU or Opendaylight. Future analytical studies should conduct performance comparisons between the ONOS framework and other modern controllers.

6.2. Machine Learning

The investigation conducted in [59] reveals that cyberattack detection solutions relying on a single machine learning model face challenges such as limited ability to adapt to different scenarios and inadequate detection of all sorts of attacks. Zakaria et al. [59] propose BoostIDS, a new framework that utilizes ensemble learning to effectively identify and address security threats such as DDoS, probing, fuzzers, and backdoor attacks in SD-SG. BootIDS is implemented as an application within the application layer of the SDN architecture and comprises two components. The authors’ study employs the NSW-NB15 and NSL-KDD datasets. These datasets contain many sorts of real attacks based on SG technology, including fuzzers (24,246 attack data samples), DDoS (16,353 attack data samples), analysis (2677 attack data samples), reconnaissance (13,987 attack data samples), backdoors (2329 attack data samples), and other types of attacks. The NSLKDD dataset is an enhanced iteration of the KDD’99 dataset that includes genuine SG-based assaults like probe (probing) and DDoS. Attacks are randomly generated and occur within the data plane of the network. The initial module uses the boosting feature selection algorithm to identify pertinent SG characteristics. The second module employs a lightweight boosting algorithm to efficiently identify intrusions in an SD-SG. The empirical findings highlight that BoostIDS exhibits superior precision, accuracy, detection rate, and F1 score in comparison to pre-existing machine learning intrusion detection systems. A shortcoming of this work is that it is only meant to be utilized for a single controller framework. Nevertheless, if a malicious actor successfully infiltrates the controller, the framework would be rendered inoperable. Further work should integrate a distributed strategy or failsafe.

Unlike the previous studies, deep learning is considered in [60] for the anomaly detection of multi-pronged cyberattacks since it has great feature learning capabilities. Penpeng et al. [60] present a hybrid convolutional neural network (HYBRID-CNN) to detect irregular flow caused by various attacks, including scan, DoS, root-to-local (R2L), probe, and user-to-root (U2R) assaults, that are randomly initiated in the data plane of an SD-SG. The proposed approach employs a deep neural network (DNN) to store and recall global characteristics, while the convolutional neural network (CNN) is utilized to generalize local features, resulting in enhanced feature learning skills. After combining the features for each sample, the authors utilize a fully connected layer to perform detection and classification. This implies that there is a complete and direct connection between every neuron in the preceding layer and every neuron in the current layer. The fully connected layer of the authors is located before the output layer. After converting the retrieved characteristics into a one-dimensional feature vector, they are connected to each neuron in the current layer to accurately represent the high-level properties in a specific way, which is as follows:

$$\begin{array}{c}\hfill x_i^{\prime }=f({\displaystyle \sum _{i=1}^n}{w}_{i,j}{x}_i+b_1).\end{array}$$

(35)

While the HYBRID-CNN approach highlights the successful detection of anomalous data flows with a high detection rate, a limitation of this study is its tendency to favor certain attack classes. This is a result of using unbalanced datasets in the implementation. Nevertheless, it yields superior outcomes compared to conventional and deep learning approaches. Future research should aim to employ a dataset that is more unbiased and equitable for the purposes of training and testing.

6.3. Summary and Lessons Learned

This section provides an overview of the taxonomy of multi-pronged cyberattack solutions for the security of SD-SG networks. The performance and benefits of each solution were examined and analyzed during our discussion. We observed that the main focus of each solution is to gather measurements from the communication layer and the power grid in a cross-layered manner to boost overall security. Nevertheless, it is imperative to acknowledge that certain domains still need further investigation in subsequent research efforts. The discussion regarding the optimization of these solutions has not yet occurred. The presented articles do not thoroughly address the added complexity caused by the requirement for consistent timestamped measurements from each physical and network layer, as well as each communicating device in the forwarding layer. Furthermore, their methodology necessitates extracting comprehensive data from both layers of the SD-SG and fails to yield adequate results in the absence of either. Future research endeavors should focus on the development of optimized systems that can effectively minimize overhead and offer versatile multi-attack capabilities, functioning independently in each layer without reliance on the other.

7. Grid Balancing Attacks

Another growing area of concern that is becoming increasingly important is cybersecurity research related to SG demand response (DR) and frequency stability (FS). Power fluctuations present a potential hazard to the secure functioning of power systems. Nevertheless, DR provides a solution by modifying the power usage of adaptable loads on the demand side. This efficiently resolves power oscillations, ensuring an equilibrium between power supply and demand in power systems. Therefore, distributed renewable energy is expected to play a progressively vital role in modern power systems in the near future.

Frequency stability refers to the power system’s capacity to keep the system frequency within the predetermined operational boundaries. Maintaining the system frequency at its prescribed value is crucial for the secure and steady operation of the power system. Any departure from this frequency could lead to substantial harm or possibly the complete failure of the system. Therefore, frequency regulation and stability are considered to be among the most crucial operational functions for the power system. The system achieves this by modifying the production or usage of electricity to match the frequency variation, thus keeping the system frequency within the specified range. Adversaries may employ many methods to disrupt the demand response (DR) and frequency (FS) stability of SD-SG by launching cyberattacks such as deception cyberattacks (DCAs), DoS attacks, delay attacks, and replay attacks [61]. Therefore, in this section, we will examine the current advances in both fields.

7.1. Demand Response

Yang et al. [61] emphasize the crucial importance of DR in power systems, highlighting its capability to provide operating reserves by utilizing variable demand-side loads. They emphasize the transformation of disaster recovery into a cyber–physical system enabled by progress in communication, information, and control technology. Nevertheless, they warn that this extensive integration of cyber and physical systems increases vulnerability to cybersecurity threats, particularly deception cyberattacks (DCAs), which put the effectiveness of disaster recovery and the overall safety of power system operations at risk. Their study suggests implementing a secure distributed control mechanism to strengthen the defense of DR against DCAs. The core of their strategy is creating a cyber–physical demand response community that is based on a decentralized control architecture. The goal is to enhance the available reserves for power systems. The authors rigorously measure the effects of different DCA patterns on DR, clarifying potential outcomes such as power deviation, delayed response, and power fluctuation. Additionally, they provide an anti-attack secure distributed control architecture specifically developed to reduce the impact of arbitrary DCAs. The effectiveness of this control technique is thoroughly verified using Lyapunov theorem-based demonstrations, guaranteeing stability and convergence in demand response power regulation even in the presence of malicious cyberattacks.

Their case studies provide evidence supporting the effectiveness of the suggested control technique, demonstrating notable improvements in demand response performance across several attack situations. The effectiveness of the suggested ASD control is confirmed in a DR community consisting of 10 buildings. Each building is equipped with an inverter-based HVAC system, specifically the LSBLX650SVE model. This model is capable of regulating the temperature of an entire building. Each HVAC unit has the ability to communicate with nearby units in its vicinity. The HVAC characteristics, including the COP (coefficient of performance) and rated power, are determined through realistic testing conducted in accordance with the ARI550/590-2003 standard operating circumstances. It is worth highlighting that the suggested anti-attack secure distributed (ASD) control can significantly reduce the detrimental effects of DCAs, as indicated by a dramatic rise in the average CR of DR from 29.18% to 99.67% during testing under linear attack settings. The authors present evidence demonstrating that the ASD control paradigm is highly effective in protecting against DR in hostile cyber environments, hence improving the resilience and security of power systems. A potential shortcoming could arise from the difficulty of creating and maintaining a secure distributed control system. Given the complex combination of digital and physical elements in DR and the always-changing cyber risks, setting up and maintaining such a system may necessitate significant knowledge and adjustments for implementation. Future research should focus on ensuring the generalizability of their system to accommodate legacy systems as efficiently as possible.

Similarly, Yang et al. [62] explore the use of DR mechanisms, namely by utilizing heating, ventilation, and air conditioning (HVAC) loads, as a crucial method for maintaining power system balance. The HVAC loads, which account for a major proportion of overall power usage, have considerable potential for regulation that justifies additional investigation. Distributed control approaches are crucial for managing scattered HVAC resources within the DR framework because of their inherent flexibility and scalability. Nevertheless, the decentralized structure of DR systems makes them vulnerable to cyberattacks, particularly FDI attacks, which endanger the proper functioning of DR. In order to mitigate this vulnerability, their study presents a robust distributed controller specifically designed to protect HVAC systems from FDI attacks. The first implementation of an HVAC-based demand response system using distributed control lays the groundwork for further analysis and mitigation techniques. Mathematical calculations demonstrate that even small FDI attacks can cause substantial changes in power output, emphasizing the importance of strong security mechanisms. Therefore, a distributed controller that is impervious to FDI attacks has been developed to ensure that grid operating reserve needs are met even in the presence of adversarial intrusions. The effectiveness of the suggested controller is supported by thorough mathematical demonstrations, utilizing the Laplace transform and final value theorem to illustrate convergence.

The case study provides evidence that supports the theoretical predictions, demonstrating the disruptive impact of FDI attacks on DR performance. The use of the robust distributed controller significantly improves the completion rates of DR tasks, increasing them from 58.63% to 100% even when facing FDI attacks. This demonstrates the controller’s efficiency in reducing cybersecurity threats in HVAC-based DR systems. The case study utilizes Intel Core i7-10700 CPU, running at a clock speed of 2.90 GHz, and the simulation environment employed is Matlab R2022a. There are two categories of cyberattacks that are replicated: single-action cyberattacks and series-of-action cyberattacks. The former strategy entails a sustained attack for the whole 15-min duration of the DR period, whereas the latter consists of five distinct attack rounds, with each round lasting 3 min. During a succession of cyberattacks, the system is targeted with dynamic false data, which poses different obstacles. Notwithstanding these challenges, the suggested robust distributed controller guarantees agreement on the control of HVACs’ power and comfort levels. The DR system highlights exceptional resistance against cyberattacks, attaining a flawless 100% completion rate without any power fluctuation. This highlights the efficacy of the suggested controller in reducing negative impacts and fulfilling the power system’s need for operational reserves, even when confronted with advanced cyber threats. One possible shortcoming is that the attack protection architecture is only evaluated using two distinct attack patterns: single-action cyberattacks and series-of-action cyberattacks. During a sequence of consecutive cyberattacks, each attack occurs in succession to the previous one. Nevertheless, the manner in which the suggested architecture manages simultaneous cyberattacks remains to be implemented. The attackers may initiate dynamic cyberattacks, which need further investigation in future research.

7.2. Frequency Stability

Su et al. [63] emphasize the importance of enhancing the dynamic performance in secondary frequency control for islanded microgrids (MGs) to guarantee stability, especially with synchronous distributed energy supplies. Their paper presents a control technique that utilizes membership functions (MFs) to achieve a compromise between transient frequency regulation and error elimination. A proposed solution to address time-varying communication delays in control loops is an adaptive delay compensator, which successfully minimizes negative impacts. The method’s advantages are demonstrated by numerical simulations conducted on IEEE 34-bus and common 40-bus islanded MG systems. Three synchronous distributed energy resources (DERs) are utilized for secondary frequency regulation in the IEEE 34-bus test system. These DERs are located at nodes 800, 816, and 840. Two inverter-based DERs, located at nodes 828 and 848, are currently operating in the PQ mode. In a standard 40-bus MG system, three synchronous DERs are assigned the task of regulating the frequency, while three DERs based on inverters operate in the PQ mode. Every synchronous DER is fitted with a digital phasor measurement unit (D-PMU) to give precise synchronization measurements with timestamps. After the first stabilization of primary regulation, the MF-SFR method enhances the settling time by 21.07% and 13.92%, minimizes the frequency overshoot by 95.78% and 93.95%, and reduces the mechanical power overshoot by 26.44% and 2.68%, respectively. Conducting both primary and secondary frequency control at the same time while experiencing a 30% rise in power demand results in a 65.17% and 57.43% reduction in the settling time, a 96.76% and 94.19% drop in frequency overshoot, and a 23.29% and 5.02% reduction in mechanical power overshoot. In addition, when compared to situations involving unpredictable communication delays, the suggested delay compensator enhances the time it takes for the system to stabilize by 66.46% and decreases the occurrences of excessive frequency and mechanical power by 69.41% and 21.14%, respectively. A possible shortcoming of this research is that the suggested framework exclusively concentrates on the IEEE 34-bus system and does not address the scalability of the framework for microgrids of different sizes. Subsequent research should assess the performance of this approach considering this aspect.

Similarly, Yang et al. [64] address the critical issue of managing multiple emergency events in modern power systems, which can lead to frequency deterioration and threaten energy security. They propose a robustness-enhanced frequency regulation (REFR) scheme based on coordinate transformation and the Lyapunov theorem. The scheme reconstructs the power system frequency regulation model to accommodate various emergency events and utilizes a virtual auxiliary surface for control reference, enabling a robust controller to maintain system frequency stability and ensure minor frequency deviations and faster recovery speeds even during emergencies. The stability of the proposed controller is rigorously proven, and case studies highlight significant improvements in the maximum frequency deviation and recovery time, up to 61.11% and 46.40%, respectively, compared to original values. The testbed is constructed using the Simulink module of Matlab R2021a. For the case study, the authors set the electricity system to have a generation capacity of 800 MW and operate at a planned frequency of 50 Hz. The time constants of the speed governor ($T_g$) and the steam turbine ($T_t$) are 0.1 s and 0.3 s, respectively. The drooping characteristic (R) has a value of 0.05, while the integral control gain ($K_e$) is 21. The inertia constant ($T_p$) and damping coefficient ($K_d$) have values of 10 and 1, respectively. Once the setup and configuration are complete, the power system operation center continuously monitors the system frequency in real time. During emergency occurrences, such as unplanned generator failures, sudden increases in electricity demand, and unforeseen communication delays, the system frequency will diverge from the planned frequency. In real-world scenarios, when the frequency deviation $\delta f$ surpasses the frequency deviation threshold, ($f_{thr}$ = 0.001 Hz), the system operator will issue a frequency control order that includes the observed parameter regarding the frequency deviation. Upon receiving the command, the frequency regulation is initiated using the proposed REFR scheme based on the detected parameter, which may be subject to inaccuracies caused by communication time delays. The REFR scheme effectively mitigates frequency fluctuations and enables convergence to scheduled frequency within a short time, even in complex scenarios with multiple emergency events. Overall, the proposed method shows promising results in enhancing frequency regulation and addressing power energy security concerns. An inherent limitation arises when employing a robust controller for their framework since any malfunction or misinterpretation of the controller’s frequency could impede the proper functioning of their proposed framework. Hence, further research should explore a decentralized, localized approach for reading and decision-making on frequency correction to ensure enhanced resiliency.

Comparably, Su et al. [65] present a hierarchical control technique for inverter air conditioners (IACs) that aims to enhance the frequency performance of islanded microgrids (MGs) while also assuring user comfort and equitable power distribution among IACs. The occurrence of an emergency might be attributed to either cyberattacks or natural disasters during the operation of the grid. The strategy comprises a localized layer and a supervisory layer, each dedicated to unique control objectives. The local layer utilizes a decentralized controller that is based on normal-form-based nonlinear control theory. It uses system frequency and indoor temperature signals to improve frequency dynamic performance while ensuring user comfort. Meanwhile, the supervisory layer utilizes a consensus-based distributed controller to guarantee equitable power involvement among IACs, taking into account the varying power levels of isolated MGs. A membership function resembling a trapezoid is introduced to automatically swap between the dominant roles of the two controllers. The simulation results conducted on the IEEE 34-bus system illustrate the efficacy of the suggested hierarchical control technique across several scenarios, encompassing varying amounts of power deficit and ongoing critical contingencies. The proposed hierarchical control strategy is validated using the IEEE 34-bus system, a commonly used system for studying islanded microgrids.

The strategy is shown to improve the system frequency performance while ensuring user comfort requirements and fair power participation of inverter air conditioners (IACs). The nominal power of the test system and the standard frequency of the system are 100 kW and 60 Hz, respectively. The comprehensive system parameters are determined. The modeling and simulation are conducted using MATLAB/Simulink. Distributed energy resources (DER1 and DER3), which are part of the simulation system, are assigned the task of regulating the frequency of the MG system. These distributed energy resources have assured regulatory reserves. In addition, the controllable loads selected for providing frequency regulation service are buses 808, 820, 830, 844, 860, and 890. These loads consist of IACs, which contribute to 10% of the total active power. The control center serves as the primary node in a leadership role. Bus 808 is connected to the control center in order to receive the consensus index, which is the power adjusting ratio. Then, the index is exchanged among IACs to ensure fair power participation. The implementation of the hierarchical control approach highlights favorable outcomes in enhancing the performance of system frequency, diminishing frequency overshoot, and expediting the settling time in comparison to other strategies. In a situation where there is a 40% shortage of power, the suggested plan greatly enhances the lowest point of frequency, decreases the amount by which the frequency exceeds its target, and speeds up the time it takes for the system to stabilize when compared to alternative methods. Furthermore, the technique successfully promotes equitable power involvement among IACs while also prioritizing user comfort, suggesting its potential suitability in practical microgrids. In addition, the control mode demonstrates robust user privacy protection capability and offers plug-and-play and scalable functionality. The authors point out a potential shortcoming of the work that an increase in communication delay would negatively impact the dynamic performance of the system frequency. However, the researchers did not delve into the development of the proposed hierarchical technique to mitigate these communication delays, since it falls outside the scope of their research. The authors conducted tests to measure the performance of their framework for delays of 0 ms, 30 ms, 60 ms, and 100 ms. Frequently, in communication, the delays exhibit greater variability and are influenced by the level of traffic demand. Future studies should focus on investigating not only the impact of increased delay magnitude on this framework but also the consequences of delay variability.

7.3. Summary and Lessons Learned

This section provides an overview of the taxonomy of demand response and frequency stability solutions pertaining to the security of SG networks. Demand response (DR) and frequency stability (FS) are emerging areas of cybersecurity that focus on ensuring the security of smart grids. Adversaries might use several techniques to disrupt the demand response and frequency stability of SD-SG by initiating coordinated attacks such as deception cyberattacks (DCAs), DoS attacks, delay attacks, and replay attacks. The present research has established frameworks for ensuring the security and stability of grids and microgrids. Subsequent research should aim to build upon these findings in order to enhance the grid further. SDN can be utilized for resource allocation in the mentioned DR and FS defensive models. Future research on SD-SG security should consult these review articles to guide the integration of DR and FS for SD-SG security.

8. Emerging Security Threats to SD-SG

This section focuses on analyzing developing possible risks to SD-SG network security in the form of cyber assaults that have not been studied in the context of SD-SG. We also present potential remedies that have been identified in earlier research on SDN security. Figure 4 illustrates the rising threats to SD-SG network security research, which include low-rate denial-of-service (LDoS) attacks, controller botnet attacks, controller impersonation attacks, and black hole attacks.

8.1. Low-Rate Denial-of-Service (LDoS) Attacks

LDoS attacks are a more covert iteration of the forceful character exhibited by distributed denial-of-service (DDoS) attacks [166]. Advancements in network security technology have made it easier to quickly identify and minimize denial-of-service (DoS) attacks. To evade detection and improve their effectiveness, other kinds of DoS attacks, such as LDoS attacks, have emerged. Unlike DoS attacks, LDoS attacks utilize a focused approach by exploiting vulnerabilities in network protocols to cause significant harm with minimal effort. LDoS attacks are characterized by periodic surges of activity rather than continuous data streams, resulting in a lower average attack rate. Their periodic habit enhances their ability to remain undetected by conventional security systems, making them more elusive and adaptable. Multiple network platforms such as software-defined networks (SDNs) are increasingly vulnerable to LDoS attacks [167,168]. LDoS attacks utilize network bandwidth, processing power, and memory resources to impair the performance or availability of the target. LDoS attacks aim to evade detection and prevent overwhelming the target system or network with excessive traffic. LDoS attacks can circumvent intrusion detection systems and other security measures that detect large-scale attacks by transmitting small amounts of traffic in quick bursts of packets over a period of time. LDoS attacks are aimed at long-term disruption. Over time, this will degrade the QoS of affected businesses, service providers, and end users while avoiding detection by existing solutions.

Presently, the strategies employed to counter LDoS assaults encompass the implementation of filtering mechanisms, enhancing network parameters, and reallocating resources [166]. Researchers employed comb filter-to-filter LDoS attacks from TCP traffic by evaluating the amplitude spectrum and determining the periodic characteristics of the LDoS attack [169]. Other researchers have utilized the random early detection (RED) algorithm, an active queue management (AQM) technique implemented on the router. The RED algorithm proactively discards packets before the router’s buffer reaches its maximum capacity in order to prevent congestion. Researchers [170,171] have implemented modified versions of random early detection (RED) and active queue management (AQM) techniques on routers to identify LDoS assaults. Previous studies [172] have utilized Q-learning-based machine learning models to allocate resources dynamically according to requirements. The incorporation of these algorithms and methodologies could prove valuable in the field of SD-SG network security research. One possible challenge in transferring these techniques is the high computing cost and the lack of evaluation on larger systems such as power grids. The system’s overhead and latency are increased when network traffic is filtered at the controller or application layer; this can have a significant negative influence on grid performance. Future research should explore methods of implementing these solutions or alternative approaches to enhance the communication performance of the SD-SG grid without compromising its efficiency. A potential solution is to transfer the processing to the data plane layer in order to decrease communication latency and alleviate the computational burden on the controller.

8.2. Controller Botnet Attacks

Botnets are networks of compromised computers that have been infected with malware and are under the control of a single individual known as the botmaster. A botnet consists of three main components: bots, a botmaster, and a command and control channel (C&C) [173]. Bots are computers that are infected with malware and are part of a network called a botnet. The number of bots in a botnet can reach hundreds of thousands. The C&C channel functions as a server that is tasked with distributing commands and collecting information for further retrieval by the botmaster. By gaining control of the botnet, the botmaster can begin cyberattacks, distribute spam or malware, carry out extortion attacks, steal personal information, and cause significant financial losses, among other malicious activities [173]. Figure 12 illustrates the structure of a botnet. In addition, botmasters may provide compromised systems to other hackers for utilization in their own assaults. Due to their significant role in network governance, as previously indicated, SDN controllers are attractive targets for botmasters seeking to gain control of them for their own benefit. The utilization of an impacted controller has the potential to propagate malware from the botnet to other devices inside the network, impacting all interconnected nodes on the network. In addition, the individual in possession of the botnet could employ the controller to initiate various cyberattacks, such as launching denial-of-service (DoS) attacks on additional networks. Moreover, the controller can be employed to collect network statistics in order to identify additional vulnerabilities within the network. Compromised controllers may cause network disruptions and outages that affect businesses, service providers, and end users.

Recent studies have employed diverse techniques, including honeypots, intrusion detection systems (IDSs), and machine learning, to identify botnets [173]. Honeypots serve as deceptive nodes inside a network, enticing attackers to focus their efforts on them. In response, defense frameworks have been created to incorporate the usage of honeypots [174,175,176]. When the device is targeted by attackers, network operators can obtain information about the size and strength of the botnet without compromising the security of the legitimate network nodes [177]. Previous studies have devised techniques to identify botnet command and control (C&C) server bots through the analysis of Domain Name System (DNS) requests [178,179,180]. The botnet command and control (C&C) servers commonly utilize Dynamic DNS (DDNS) providers. In addition, scientists have developed intrusion detection systems (IDSs) to identify botnets [181,182,183]. A potential challenge in transferring these strategies to the SD-SG is the need to manage the additional overhead and optimize the placement of honeypot instances, as well as the machine learning (ML) and intrusion detection systems (IDSs). Honeypot systems must be disguised as typical grid buses, necessitating the use of unnecessary communication to create the illusion. This will result in additional communication overhead. In order to ensure the optimal performance of the grid, it is necessary to integrate ML and IDS into existing legacy systems. However, it is important to be cautious and avoid any negative impact on the grid’s performance. This integration will include analyzing all traffic on the grid, which may require some adjustments to enhance the grid’s efficiency. One potential option could be to occasionally utilize existing buses as honeypots while also operating them as ordinary buses at other times. This will enable the integration of honeypots into network operations without incurring any additional expenses for network operators or communication costs. Implementing a distributed approach at the data plan layer for ML and IDS solutions has the potential to decrease communication latency and limitations. By implementing the necessary adjustments, these methods could be applied in SD-SG defense frameworks.

8.3. Controller Impersonation Attacks

Controller impersonation attacks targeting SDN controllers pose a major threat to current SD-SG networks. During these attacks, a malicious entity pretends to be the SDN controller. The attacker can manipulate the SD-SG communication network by impersonating the SDN controller, issuing false commands, altering network traffic, and compromising the network’s security and availability. This form of attack has the potential to result in unauthorized entry, data breaches, and disruptions in service [184,185]. The dynamic and centralized nature of SDN increases its susceptibility to vulnerabilities, as the controller’s function is crucial for managing network operations. Therefore, safeguarding the SDN controller from impersonation is crucial for maintaining the overall security of the network. This involves deploying robust authentication techniques, ongoing surveillance, and the utilization of anomaly detection to promptly detect and address such threats.

In order to tackle this problem, researchers have suggested authentication models to validate controller communications [184] or have suggested employing IDSs and ML algorithms to identify these assaults [186]. Controller impersonation attacks warrant additional research in SD-SG network security due to the potential for an impostor controller to disrupt the network topology and consequently compromise the power grid layer. This would result in the disruption of QoS for enterprises, service providers, and end users, potentially leading to significant financial losses for providers as they endeavor to mitigate the danger. A challenge that may develop when transferring the solution to SD-SG is the positioning of the authentication service. The distance between controllers may be significant, resulting in increased latency and overhead while transmitting authentication codes to the authentication or ML module. One such approach is determining the most efficient position for the authentication module, taking into account both the minimum distance and latency between all controllers. Additionally, the security of this module against prospective attackers should be considered.

8.4. Black Hole Attacks

A black hole attack is a type of cyberattack where a hostile node, such as an SDN-enabled router or switch, intentionally discards or absorbs all incoming packets, resulting in a network disruption referred to as a “black hole” [187,188]. Black hole attacks are highly destructive attacks that pose a significant threat to wireless sensor networks (WSNs) [189]. Wireless sensor networks (WSNs) have been created and suggested in the current SD-SG paradigm [9]. There is a possibility that an assailant may seize control of these nodes in order to manipulate their behavior in this manner. In addition, the attacker can enhance this attack by taking control of a controller and manipulating the flow tables of the forwarding devices to redirect network communications to a black hole, causing them to be dropped. This would eventually lead to network disruptions and the disruption of QoS for businesses, service providers, and end users.

The potential costs associated with addressing the consequences of this attack may vary depending on factors such as the ability to identify the attacker and the specific switches that have been compromised. Various detection methods for black hole attacks have been suggested in research, including IDs [190,191], clustering [192,193], cryptography [194,195], and trust-based voting schemes [196,197]. These strategies are designed to reduce, identify, and/or stop these techniques. While black hole attacks are more prevalent in wireless networks compared to wired networks, SD-SG systems can utilize both wired and wireless connections. Therefore, it is imperative to build security measures for these attacks, as a black hole attack can lead to data loss and the disruption of quality of service. One possible challenge that could occur when transferring these solutions to SD-SGs is the potential complexity of managing keys or trust-based voting schemes, which may be particularly challenging for larger systems like grids and could result in delays while waiting for authentication. Clustering has demonstrated effectiveness in MANETS. A possible solution could involve employing a distributed SDN approach, where the controllers themselves implement anti-black hole attack methods for their section of the grid. This approach would enhance the performance of these techniques by assigning each controller a smaller portion of the grid to monitor.

8.5. Summary and Lessons Learned

It is recommended that future research on network security in the context of SD-SGs concentrate on the development of countermeasures against the attacks that have been stated previously. Localized software-defined networking (SDN) networks, mobile ad hoc networks (MANETs), and software-defined data centers (SDDCs) are some examples of the SDN applications and research disciplines that have developed specialized security frameworks to combat these attacks [78]. The solutions include trust-based voting mechanisms, filtering, network monitoring, intrusion detection systems (IDSs), and machine learning. Within this particular area of research, the strategies for defending against these attacks are undergoing significant progress and development, as new methods are being introduced to safeguard these networks.

On the other hand, there is a lack of comprehensive research and ongoing exploration in these areas of SD-SG research. It is problematic that existing specialized solutions for other applications do not take into account the design or behavior of the communication layer of SD-SG. This is the reason why this situation is problematic. Consequently, the specialized solutions that are now available for various domains will not be suitable for SD-SG security applications. If these vulnerabilities are discovered in the security of SD-SG, hackers may take advantage of them in order to disrupt the quality of service that SD-SG users receive. It is vital to develop security strategies that are unique to SD-SGs in order to safeguard the grid from the intrusions that these threats provide.

9. Open Challenges

The importance of SD-SG as a vital infrastructure for providing electricity and energy to clients will continue to increase. In this section, new emerging challenges are outlined, including network resiliency, the privacy of network data, the reliability of network defense mechanisms, and the adaptability of network solutions.

9.1. Network Resilience after Cyberattack

An important challenge in network security is the notion of resiliency, which pertains to the network’s capacity to quickly restore compromised nodes and restore connectivity for end users after a cyberattack. According to [198], the robustness of communication networks has a significant influence on society. This is especially clear in the context of SD-SG infrastructure, where the presence of communications is vital. The SD-SG infrastructure, which is highly dependent on a robust communication network, has a crucial function in ensuring uninterrupted and dependable energy supplies. Given the presence of external dangers, it is crucial to promptly reinstate network functionality and guarantee the smooth functioning of the SD-SG. This resilience not only ensures the continuation of operations during cyberattacks but also serves as a vital protective measure against major disruptions in energy services for both public and private enterprises. Thus, it is crucial to improve the resilience of communication networks in order to safeguard important infrastructure and maintain the stability of essential services.

As mentioned in Section 4, DoS attacks provide a substantial threat to the robustness of SD-SG networks. Research has primarily concentrated on utilizing the characteristics of SDN, such as the controller’s comprehensive understanding of the network, to identify and counteract attacks. Although these strategies are successful in identifying and minimizing these assaults, they are incapable of restoring nodes that have malfunctioned as a result of DDoS/DoS attacks or have been hijacked and utilized to initiate DDoS/DoS attacks. There is still a need for an SD-SG controller solution that can recover nodes that have failed. Alternative approaches have employed dynamic defensive methods that prioritize the randomization of link paths in order to achieve success in DDoS/DoS attacks. Nevertheless, there is currently no solution that has been devised to enable both mobile target protection and node recovery. The unresolved challenge of recovering nodes that have failed and restoring them with minimum impact on the SD-SG network infrastructure persists. Previous methods would fail in future SD-SG security applications because they would be unable to recover fallen nodes, resulting in a drop in the quality of service. An inherent technical challenge that may occur in an MTD system with node recovery is the determination of whether the node is successfully recovered to a secure state and is no longer compromised. One possible solution is to implement a probationary period for the node, during which it is closely watched by the “probationary module” in a local controller under the supervision of the network operator for a predetermined amount of time. The duration should be sufficiently long to observe traffic patterns and employ machine learning techniques to assess the probability of the node being still compromised. An efficient method is required to monitor the node without significantly burdening the controller. As previously stated, a probationary period could be established to oversee the nodes that have been identified as compromised and have regained access. Another potential solution is to create a history-based voting scheme that keeps track of nodes that are successfully attacked and feeds that information to an ML model that can use that information as a feature for future ML classifications to identify if a compromised node is compromised again faster than before, reducing the time of data leakage.

9.2. Privacy of Network Data

Ensuring the confidentiality of data transported within the SD-SG is a significant challenge, necessitating enhanced data privacy measures [113]. Controller attacks significantly amplify the privacy concerns of these networks. As stated before, these attacks can lead to the unauthorized takeover of the SDN controller, which has complete control over the whole network. Malicious individuals that exploit the SDN controller have the ability to observe data traffic and perhaps reroute it to harmful servers, so compromising the confidentiality and security of the data. Furthermore, the existing state of security technology lacks a dependable approach for detecting both a compromised controller and accurately identifying the criminal accountable for the attack. The lack of security capabilities creates a challenge in immediately and effectively addressing these intrusions. An effective mitigation approach involves dynamically modifying the network’s structure to perplex attackers. This can be accomplished by employing software-defined ways to consistently modify the ports of the controllers and relocate the controllers. By regularly adjusting these network parameters, it becomes more difficult for attackers to establish a strong position or sustain long-term control, thereby improving the overall security and resilience of the SD-SG against controller-based attacks.

However, this would require regular synchronization of routing logic across the network to ensure proper communication delivery, as the communication links are constantly changing. Moreover, there is currently a lack of awareness regarding the capability of a moving target defense to identify a compromised controller and/or the attacker. The major objective of these solutions is to prevent the issue; however, the problem of determining which controller(s) are compromised and identifying the attacker remains unanswered. Previous methods would fail in future privacy strategies because they fail to identify which controllers or forwarding devices are affected and instead focus solely on the detection of attacks. As a result, infected devices may still be present on the network, posing additional security threats like leaking the private data of users.

9.3. Reliability of Network Defense Mechanisms

SD-SG systems must prioritize the establishment of a reliable communication infrastructure by minimizing the success rate of cyberattacks. Furthermore, the attacks that do succeed should have little to no impact. Efficient, quick recovery strategies should be explored to ensure the uninterrupted and ongoing provision of services. Additional effort is needed to not only identify intricate cyberattacks but also effectively address these attacks within an ideal timeframe to ensure reliability in time-sensitive SD-SGs. Considering the machine learning techniques for detection or identification, a common challenge is the unavailability and imbalance of SD-SG datasets for implementation and evaluation. This makes it difficult to ensure that model designs will be robust in real systems. There is a further requirement to investigate methods that alleviate the limitations associated with the availability or imbalance of training data, such as transfer learning, federated learning, and data augmentation. Another concern involves the characterization of communication network traffic that exhibits dynamic patterns, which may indicate alterations in the network’s structure or the demands of its users. The ongoing process of training data in machine learning and/or deep learning approaches requires regular updates to ensure that the training can effectively adapt to the changing network traffic. Researching innovative online training algorithms and automated updates based on network traffic patterns is crucial for ensuring reliability in SD-SG systems. One technical challenge when creating a dependable solution for SD-SGs that can respond quickly to attacks and enable recovery is that disabling forwarding agents (i.e., switches and routers) might result in service disruptions; another challenge is the need to educate customers about the quality of service (QoS). Hence, the accuracy and effectiveness of these predictions must be appropriately elevated, which poses a challenge owing to the constantly changing cyberattack landscape. Therefore, an optimal resolution requires a synthesis of machine learning solutions and models that can cross-validate each other’s decisions rather than depending solely on a single detection and mitigation solution.

In addition, research that has been evaluated primarily focuses on using a single SDN controller to update flow rules. This creates vulnerabilities where a single point of failure can lead to a complete shutdown of the communication network. However, employing multiple SDN controllers enhances the dependability of the SD-SG. Nevertheless, this approach introduces fresh obstacles, including the need to minimize SDN controller signaling and management overhead, strategically position SDN controllers, efficiently allocate resources to SDN controllers, synchronize network states across SDN controllers, and designate a cluster head from a cluster of SDN controllers. The effectiveness of previous solutions in ensuring the reliability of future SD-SGs is likely to diminish due to the presence of singular controller frameworks. These frameworks introduce vulnerabilities by creating single points of failure and bottlenecks that might negatively impact network performance. To address these challenges, it is imperative for upcoming solutions to incorporate evenly distributed SDN control layers. One potential technical challenge is determining the segmentation of the SD-SG and finding the most optimal location for SDN controllers throughout the process of replacing legacy systems. An interim approach could be to create a cloud-based, evenly dispersed SDN controller architecture that can be quickly implemented until the ideal physical locations for the controllers are determined.

9.4. Adaptability of Network Solutions

Providing the adaptability of network solutions is an essential challenge for researchers as they work to develop novel models and defense strategies for SD-SG networks against cyberattacks [71]. Adaptability, in this sense, pertains to the ability to design defense mechanisms that are flexible and can adapt to changing threats. In order to provide thorough safeguarding against cyberattackers, researchers must assess the adaptability of their remedies to various attack types, varied quantities of attackers, and diverse assault scenarios. A significant amount of current research is focused on building specialized strategies to protect against particular sorts of attacks in the SD-SG domain. Nevertheless, these models frequently rely significantly on pre-collected data and necessitate regular updates with meticulously monitored information from numerous sources. To implement effective security methods, it is essential to consistently gather and analyze data from both the power grid and network layers. The collection of data in two separate layers is essential for ensuring a precise and current comprehension of the threat environment. Nevertheless, this method also generates more responsibilities and possible delays to SD-SG operations. The requirement for instantaneous data gathering and processing might exert pressure on network resources and affect the overall efficiency of the smart grid. Researchers must strike a balance between the necessity for thorough security and the operational requirements of the SD-SG. They must ensure that the protective measures do not unintentionally undermine the efficiency and dependability of the grid. The continued objective of protecting smart grid systems from increasingly complex cyber threats requires the development of flexible, efficient, and fast security solutions.

A comprehensive defense mechanism that can effectively identify and respond to new or unexpected cyberattacks has not been developed yet. The efficacy of previous solutions in addressing future smart grid security challenges may be limited due to their exclusive focus on specific attack types. The previous solutions have been tailored to address specific attacks, and the effectiveness of combining these solutions has not been fully explored or evaluated. There exist various alternative solutions for a given attack. An ongoing technical challenge is the dynamic nature of cyberattacks, which constantly evolve and often exhibit unique behavioral patterns. In order to tackle this challenge, future research endeavors should focus on developing a framework that can anticipate the intended actions of the communication nodes, rather than relying solely on pre-existing training data, as demonstrated in a recent study [199] that utilized communication state estimation to forecast the states of the communication layer. This framework could be efficiently included in the SDN architecture, allowing machine learning solutions to compare the expected communication metrics with the obtained metrics to detect attacks.

10. Conclusions

Current smart grid systems require time-consuming manual network management and are vulnerable to both physical and network security issues due to hardware and software anomalies. Mirroring other modern networks, SDN has been proposed as a way to automate the monitoring and control of SG communication networks, resulting in a software-defined smart grid (SD-SG) to improve network administration, visibility, control, and security. However, just as with other modern networks, cyberattacks are constantly evolving, requiring evolving defense and security techniques. This survey provides a comprehensive analysis of different cyberattacks that impact SD-SG cybersecurity, including distributed denial-of-service (DDoS)/denial-of-service (DoS), SDN controller, multi-pronged, and grid balancing cyberattacks. We provided an overview of the existing attack vulnerabilities, strategies for defense, and methods for mitigating the impact of each attack. We reviewed the lessons learned from the literature for each cyberattack defense. In addition, we offered an analysis of the unresolved challenges of existing solutions in the literature, including the ability of networks to recover from cyberattacks, the protection of network data privacy, the dependability of defense systems, and the flexibility of network solutions. We provided an analysis of upcoming risks and possible strategies to counter them in future research on SD-SG security. These threats include the possibility of low-rate denial of service (LDoS), attacks by controller botnets, controller impersonation attacks, and black hole attacks. This manuscript enhances state-of-the-art research by providing a thorough and up-to-date survey that examines the literature on network security for software-defined smart grids. It also highlights emerging threats and identifies the limitations of current approaches. In contrast to other surveys that only briefly touch on SD-SG security or focus on specific types of attacks or defenses, this survey comprehensively covers the research on security for SD-SG, including discussions on emerging threats and current limitations.