## 1 Introduction

The smart grid is a typical cyber-physical system (CPS) [1, 2] that integrates a physical power transmission system with the cyber processes of network computing and communication. It supplies electric power from generators through power transmission and distribution networks to large geographical areas. In a power grid, *supervisory control and data acquisition (SCADA) systems* collect real-time information from the power field and report the collected information to the control center. To provide reliable and secure electricity service, real-time monitoring is essential for both system operators and customers, as it provides rich and pertinent information on the condition of a power grid based on the measurements of meters deployed at critical locations of the grid.

State estimation is a critical component of the smart grid that monitors and controls grid operation. Traditional state estimation mainly reflects the static characteristics of power systems and is denoted as static state estimation. Static state estimation uses telemetered data from the supervisory control and data acquisition system every few seconds and applies weighted least squares (WLS) to obtain the best-fit estimate of the static state variables, for example, bus voltage magnitudes and phase angles. One shortcoming of these static estimation techniques is their limited accuracy, which can cause abnormal behaviors to go undetected. In contrast, dynamic state estimation can obtain complete, coherent, and real-time dynamic states, including generator speeds, rotor angles, and others.

Kalman filtering techniques have been widely used in the dynamic state estimation of power systems. The traditional state estimation of power systems is based on the steady-state system model [3], which only reflects static states. With Kalman filtering, dynamic state estimation can be used to dynamically predict system states and control the system. The Kalman filter not only provides a prediction through the dynamic system model and the previous estimate of the system states, but also obtains the optimal estimate of the power system state from the measurements of meters deployed in the field. In particular, measurements can be taken by phasor measurement units (PMUs) and processed by the dynamic state estimator to filter measurement noise and detect gross errors. The output of dynamic state estimation can be used by other grid applications at the control center, including contingency analysis, optimal power flow, economic dispatch, and others [4].
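The predict/update cycle described above, together with the gross-error check that the estimator applies to each PMU measurement, is illustrated by the following added example. It is not code from the paper: the two-state model (rotor angle and speed deviation), the sampling interval `DT`, the covariances `Q` and `R`, the chi-square threshold and the constructed PMU trace in `make_measurements` are all assumptions chosen for illustration. The gross-error check is the standard normalised-innovation (chi-square) test on the residual between the measurement and the model prediction; a sample that fails it is rejected and the model prediction is kept for that step.

```python
"""Two-state Kalman filter (rotor angle delta, speed deviation omega) with an
innovation-based gross-error check, in pure Python.

Constructed model (an assumption, not the paper's):
  x_{k+1} = F x_k + w_k,  F = [[1, dt], [0, 1]],  w_k ~ N(0, Q)
  z_k     = x_k + v_k,    a PMU reports both states (H = I), v_k ~ N(0, R)
"""
import random

DT = 0.02                          # sampling interval in seconds (assumed)
F = [[1.0, DT], [0.0, 1.0]]        # state transition model (assumed)
Q = [[1e-6, 0.0], [0.0, 1e-5]]     # process-noise covariance (assumed)
R = [[1e-4, 0.0], [0.0, 1e-4]]     # PMU noise covariance, std 0.01 (assumed)
CHI2_THRESHOLD = 13.82             # chi-square with 2 dof at p = 0.001
IDENTITY = [[1.0, 0.0], [0.0, 1.0]]

def mat_mul(a, b):
    return [[sum(a[i][k] * b[k][j] for k in range(2)) for j in range(2)] for i in range(2)]

def mat_add(a, b):
    return [[a[i][j] + b[i][j] for j in range(2)] for i in range(2)]

def mat_sub(a, b):
    return [[a[i][j] - b[i][j] for j in range(2)] for i in range(2)]

def transpose(a):
    return [[a[0][0], a[1][0]], [a[0][1], a[1][1]]]

def inv2(m):
    det = m[0][0] * m[1][1] - m[0][1] * m[1][0]
    return [[m[1][1] / det, -m[0][1] / det], [-m[1][0] / det, m[0][0] / det]]

def vec_mul(m, v):
    return [m[0][0] * v[0] + m[0][1] * v[1], m[1][0] * v[0] + m[1][1] * v[1]]

def predict(x, P):
    """Time update: propagate the estimate and its covariance through the model."""
    x_pred = vec_mul(F, x)
    P_pred = mat_add(mat_mul(mat_mul(F, P), transpose(F)), Q)
    return x_pred, P_pred

def innovation_test(x_pred, P_pred, z):
    """Innovation y = z - H x_pred (H = I), its covariance S = P_pred + R, and the
    normalised innovation squared d2 = y^T S^-1 y used for the gross-error check."""
    y = [z[0] - x_pred[0], z[1] - x_pred[1]]
    S = mat_add(P_pred, R)
    Sy = vec_mul(inv2(S), y)
    return y, S, y[0] * Sy[0] + y[1] * Sy[1]

def update(x_pred, P_pred, y, S):
    """Measurement update with Kalman gain K = P_pred S^-1 (H = I)."""
    K = mat_mul(P_pred, inv2(S))
    Ky = vec_mul(K, y)
    x_new = [x_pred[0] + Ky[0], x_pred[1] + Ky[1]]
    P_new = mat_mul(mat_sub(IDENTITY, K), P_pred)
    return x_new, P_new

def run_filter(measurements, x0, P0):
    """Predict/update over a PMU trace. A sample whose d2 exceeds the chi-square
    threshold is treated as a gross error: it is skipped (the model prediction is
    kept for that step) and its index is reported."""
    x, P = x0, P0
    flagged = []
    for k, z in enumerate(measurements):
        x_pred, P_pred = predict(x, P)
        y, S, d2 = innovation_test(x_pred, P_pred, z)
        if d2 > CHI2_THRESHOLD:
            flagged.append(k)
            x, P = x_pred, P_pred
        else:
            x, P = update(x_pred, P_pred, y, S)
    return x, flagged

def make_measurements(n, gross_error_at=None, seed=1):
    """Constructed PMU trace: the true angle ramps at a constant speed deviation,
    Gaussian noise (std 0.01) is added, and one sample is optionally corrupted."""
    rng = random.Random(seed)
    true_x = [0.1, 0.5]
    trace = []
    for k in range(n):
        z = [true_x[0] + rng.gauss(0.0, 0.01), true_x[1] + rng.gauss(0.0, 0.01)]
        if k == gross_error_at:
            z[0] += 0.5          # gross error: the angle reading jumps by 0.5 rad
        trace.append(z)
        true_x = vec_mul(F, true_x)
    return trace

if __name__ == "__main__":
    x, flagged = run_filter(make_measurements(20, gross_error_at=10), [0.1, 0.5], IDENTITY)
    print("estimate after 20 samples:", [round(v, 4) for v in x])
    print("samples flagged as gross errors:", flagged)
```

With the constructed trace, the one corrupted sample produces a normalised innovation several orders of magnitude above the threshold and is rejected, while the benign noisy samples pass and the estimate tracks the ramping angle. The check only sees the residual against the model prediction, which is exactly why the paper goes on to ask what an injected measurement must look like to stay under such a threshold, and why a temporal view across samples is needed as a second line of defence.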

Dynamic state estimation was initially developed in the 1970s [5], when Kalman filtering was applied to improve the computational performance of steady-state estimation in power systems. Since then, a number of techniques for dynamic state estimation in power systems have been developed [3, 6-14]. In particular, the linear extended Kalman filter (EKF) [10] is a popular one that provides the optimal state estimate for power systems. However, once the system encounters measurement errors or large load changes, the performance of the EKF can decline noticeably. To overcome this limitation, the enhanced EKF [15], M-estimation, and the unscented Kalman filter (UKF) [12] were proposed to handle nonlinear measurement functions. We would like to point out that although a number of research efforts have been made to improve the performance of Kalman filtering, such as robustness against random noise [15], little effort has been devoted to cyber attacks, such as false data injection attacks, against Kalman filtering.

To address this issue, in this paper we investigate false data injection attacks against Kalman filtering in the dynamic state estimation of power systems and develop countermeasures to defend against those attacks. Note that an adversary can inject false measurement reports to the controller through compromised nodes and disrupt system operation. Such attacks, generally referred to as false data injection attacks, pose a serious threat to the smart grid. To this end, we first review and compare several representative Kalman filter techniques and formalize the anomaly detection problem in the Kalman filter. Based on our modeling results, we then investigate five attack approaches that can bypass the anomaly detection. In addition, we discuss the impact of false data injection attacks on other key functional modules of the smart grid.

We conduct extensive experiments on the IEEE 14-bus, 30-bus, and 118-bus systems to validate the effectiveness of the investigated attacks. Our data show that the proposed attacks can effectively reduce the performance of Kalman filtering. To mitigate such attacks, we develop two defensive mechanisms: one enhances the UKF technique to improve the resilience of the Kalman filter, and the other adopts a temporal-based detection algorithm. We implement the proposed countermeasures on the IEEE 14-bus, 30-bus, and 118-bus systems. Our experimental data show that the enhanced UKF technique performs better than the other Kalman filtering techniques in dealing with random benign noise and reduces the impact of attacks to some extent. Our experimental data also show that the temporal-based detection can identify compromised meters accurately and quickly.

To the best of our knowledge, our research is the first to study the impact of false data injection attacks on Kalman filtering in the dynamic state estimation of power systems. The remainder of this paper is organized as follows: In Section 2, we review the related work. In Section 3, we briefly discuss the smart grid and state estimation and introduce the threat model. In Section 4, we review and compare three representative Kalman filtering techniques. In Section 5, we formalize the anomaly detection problem in the Kalman filter and investigate five attack approaches that can bypass the anomaly detection. In Section 6, we analyze the deviation of the state estimate under these attacks. In Section 7, we develop two countermeasures against false data injection attacks. In Section 8, we present the experimental results for those attacks and the corresponding countermeasures. Finally, we conclude the paper in Section 9.