Strategy for distributed controller defence: Leveraging controller roles and control support groups to maintain or regain control in cyber ‐ adversarial power systems

Distributed controllers play a prominent role in electric power grid operation. The co-ordinated failure or malfunction of these controllers is a serious threat, where the resulting mechanisms and consequences are not yet well ‐ known and planned against. If certain controllers are maliciously compromised by an adversary, they can be manipulated to drive the system to an unsafe state. The authors present a strategy for distributed controller defence (SDCD) for improved grid tolerance under conditions of distributed controller compromise. The work of the authors’ first formalises the roles that distributed controllers play and their control support groups using controllability analysis techniques. With these formally defined roles and groups, the authors then present defence strategies for maintaining or regaining system control during such an attack. A general control response framework is presented here for the compromise or failure of distributed controllers using the remaining, operational set. The SDCD approach is successfully demonstrated with a 7 ‐ bus system and the IEEE 118 ‐ bus system for single and coordinated distributed controller compromise; the results indicate that SDCD is able to significantly reduce system stress and mitigate compromise consequences.


| INTRODUCTION
The smart grid initiative has facilitated increasingly sophisticated systems of sensors, algorithms, and controllers that are involved in widespread communication and online decisionmaking. These systems, which improve the operating efficiency of the grid, can also make the grid more susceptible to unsafe operation under attacks or failures. In this work, distrusted control is a situation where one or more controllers are compromised and under the command of a sophisticated adversary. Such an adversary is able to craft commands in a legitimate format and thus have them successfully executed in the system. Furthermore, these alterations can be invisible to the operator and automated security systems; about 59% of power and utility companies reported a recent significant cybersecurity incident in EY's Global Information Security Survey for 2016-2017 [1]. The threat of physical consequences resulting from these cyber-attacks is a serious concern, raising attention through demonstration in [2,3]. One of the first publicised large-scale attacks on a power grid occurred in December 2015 in Ukraine. This attack led to disconnection of seven substations and power outage for more than 200,000 customers for several hours [4]. A second Ukraine attack in by obscurity' does not exist. A motivated adversary need not possess deep knowledge of a specific utility system to launch a successful attack [6]. In preventing and mitigating attacks, it is essential to consider feasible attack vectors, adversary capabilities, trusted entities, and the impact of these on system controllability and stability.
Existing research in the distributed control domain focuses predominately on methods to control diverse sets of resources such distributed energy resources (DERs) for microgrids [7]. Additionally, methods to divide global control tasks among DERs and other units are of great interest. Distributed control is also being investigated for specific goals such as frequency control or voltage support using agent-based technologies [8,9]. These efforts are integral for modernising and achieving a smarter grid, but the focus is on the control architecture and tasks. Here, we present a general method for characterising a controller set and utilising those characteristics to respond to system disturbances, including controller compromise.
This paper presents the systematic formulation of controller-based defences against controller-based attacks in power systems. In particular, a strategy for distributed controller defence (SDCD) is developed that leverages power system interconnectivity and controllability knowledge to enable operators or automated defence solutions to restore the control capability of a system following such an attack. SDCD employs the residual set of functional controllers in proactive distributed controller response strategies where controllers reinforce other controllers by taking advantage of the naturally occurring redundancy in the meshed transmission network to maintain or regain control of the system given coordinated compromise or failure.
The high-level architecture and background for SDCD is presented in Section 2. The distributed controller role and interaction discovery (RID) analysis utilised in SDCD is provided in Section 3, and its application for offline analysis is detailed in Section 4. The online SDCD method is presented in Section 5, demonstrating its ability to respond to controller compromise. In Section 6, the state dependence of the results is analysed. Section 7 provides results and discussion for the 7-bus and IEEE 118-bus systems for single and coordinated distributed controller compromise. Section 8 concludes the paper.

| OVERVIEW OF SDCD FRAMEWORK
An overview of SDCD is given in Figure 1.
The strategy leverages the distributed controller RID algorithm [10,11] to classify controllers into control support groups and controller roles which are then applied to maintain control of the system during an attack, where the attacks of interest are those that manipulate the output of other controllers. The contribution of this paper is to close the loop by using these roles and groups to develop a coordinated response strategy to distributed controller compromise, as shown in Figure 1. This work addresses a critical need for coordinated response in achieving cyber-physical intrusion tolerance by providing a strategy for distributed control response that involves study of how often roles/groups need to be calculated, mapping equivalent line flows, ranking redundant controllers, computation of control settings, and demonstration and evaluation of coordinated distributed controller response on the presented test systems. The sensitivity-based roles in SDCD provide both (1) ahead-of-time controller placement to avoid loss of system controllability as well as and (2) online algorithms to formulate the most effective response with the non-compromised controllers. The application of SDCD is illustrated with a set of 10 distributed controllers in Figure 2.

| Motivation
Multiple strategically compromised and manipulated controllers can cause severe impact, and they may be able to drive the power system to an unsafe or unreliable operating state. While conventional attacks on the grid observed so far have primarily been forms of disconnection of key elements to force the grid to shut down, sophisticated attacks, such as the ones discussed in this paper are possible by a more knowledgeable and motivated attacker. For example, an insider threat may have goal(s) that are not to just make the grid succumb to an attack, but to degrade operation steadily, primarily motivated by economic factors. Such attacks could be developed to make system operation more expensive, increase congestion at desired locations, or spoof misoperation of specific devices so as to influence decisions such as vendor selection.
Distributed controller attack vectors include execution of malicious commands to damage to sensitive equipment, forced controller settings, or topology changes that intentionally create overloads as well as prevention of necessary relay tripping. If unmitigated, these scenarios can lead to equipment damage and/ or blackout. While coordinated compromise could potentially cripple the system, whether and how this is possible depends on the specific power system, including its topology and state. Intentional and effective use of controllers in these situations is critical. For example, dynamic reactive support is known to make a difference between an operational system and a blackout [12,13], and compromise of a certain powerful controllers such as a static var compensator (SVC) can destabilise system voltage [14]. SDCD is a proactive defence against controller compromise that works by identifying and reconfiguring the operating points of select functional controllers in the system based on the system's unique sensitivities and control theory concepts.

| Offline defence
In the absence of an attack, SDCD is an offline planning mode tool for stakeholders to study the amount of flexibility and redundancy provided by available controls for any network and controller configuration. This analysis should begin before an attack occurs because SDCD will reveal control weak points that can inform how to allocate new controllers and measurement devices. The offline, planning stage is a critical time to develop and evaluate online control algorithms that will address natural failures and combat cyber attacks while maintaining operational requirements.

| Online defence
During or after a compromise, SDCD defends the system under attack by using its framework of controller roles and groups to rapidly determine as well as implement the most effective use of the system's remaining control capabilities. In a distrusted control scenario, the remaining set of controllers needs to quickly respond to ensure that operational reliability (with no violation of limits [15]) is maintained. Additionally, the controller roles and groups can be recomputed with real-time sensitivities to reflect actual system conditions for adaptive control scenarios.
The framework is flexible in that it supports customisable intrusion detection/recovery and stability control strategy mechanisms. During its implementation, appropriate stability control strategies must be deployed, either intrinsically or via an outer control loop as shown in Figure 1. The stability of the power system must be assessed both after compromise or failure and during control response by the distributed controllers. If the system approaches instability, appropriate stability control strategies must be deployed. Such strategies are beyond the scope of this work but can be used in conjunction with the overall framework, as will be discussed in later sections.

| Related work
The distributed controller RID algorithm that we introduced in [10] identifies the role of each controller, partitioning controller devices into sets that are either critical, essential, or redundant for control of the system, and the control support groups that indicate which controllers are most effective in obtaining some control objective together are obtained.
In contrast to existing literature that mostly focuses on overall system controllability measures [16][17][18][19], our work provides individual controller roles as well as the formalisation and application of their interactions for system controllability. SDCD provides an analytical foundation for how to restore or maintain system control under controller attacks using these relationships. Additional review on power system controllability analysis is provided in [20]. This paper presents an innovative approach using control support groups and controller roles for planning and response as part of an overall framework for distributed controller defence.

| SDCD: DISTRIBUTED CONTROLLER ROLE AND INTERACTION DISCOVERY
The distributed controller RID algorithm presented in [10] and summarised in Figure 3, identifies essential, critical, and redundant controllers for controllability of the system and identifies control support and line flow groups by processing sensitivity matrices: � Essential controllers are a minimal set of devices required to maintain system controllability; all devices that occur in a minimal-cut set for system controllability are considered essential controllers. � Critical controllers are essential controllers that are irreplaceable and mandatory for system controllability, that is, critical controllers are essential controllers that occur in every minimal-cut controllability set of the system. � Redundant controllers are the devices that reinforce the control capability of essential controllers and can be removed without affecting system controllability. � Control support groups contain devices that are highly coupled in terms of impact on the control objective and with each other. � Line flow groups contain sets of transmission lines where flows in each group can be controlled independently with respect to flows in other groups.
Sensitivity matrices are derived from the nonlinear system model and then utilised to conduct the controllability analysis that identifies the aforementioned roles and groups.

| Obtaining sensitivity matrix A″
A system's sensitivity matrix A″ is used for control design and stability analysis [21]; contents depend on the control objective.
The methodologies developed in this paper are generic in nature and can be suitably applied to any dynamic control support device in the grid. In [10], distributed flexible AC transmission system (D-FACTS) devices are used as the example distributed controllers. We will use this example in this paper for continuity but it is important to note that the RID and SDCD methods can be applied to any distributed controller; the main impact is the construction of the sensitivity matrix.
D-FACTS are currently deployed by SmartWires Inc. [22,23] in five continents to support grid operation. They include distributed series reactors (DSRs) and distributed static series compensators (DSSCs). Each DSSC acts as a synchronous voltage source in series with the line, changing the line's effective impedance and thus its power flow [22,24,25]. The D-FACTS scenarios use total power flow to impedance sensitivities based on the AC power flow equations, topology, and state. The sensitivities are computed analytically as detailed in [26] and reflect both direct (i.e. change in impedance of a line and its direct impact on that line's power flow) and indirect (i.e. change in impedance of a line and its indirect impact on alright other lines' power flows) sensitivities. The sensitivity matrix A″ is found from Ω, where ΔP flow are the changes in the line power flows and Δx are the impedances. These matrices can be calculated efficiently even for large systems.

| Finding controllability-equivalence sets
The line flow groups, which are of specific interest for D-FACTS devices that are performing power flow control, are found by clustering the sensitivity matrix rows to reveal how lines are affected by each other. Cosine similarity between row vectors v i and v j of A″ or coupling index CI (2) is used to find coupled sets of lines as clusters that are approximately orthogonal to each other [27].
Within each group, it is only necessary to control one line flow (the target lines) because controlling one such flow impacts the others in a predictable way. A″ is reduced to include F I G U R E 3 Controller role and interaction discovery (RID) method [10] applies clustering and factorisation to categorise controller sensitivities HOSSAIN-MCKENZIE ET AL. only these target lines. SDCD also identifies how the controllers are related to each other by finding the control support groups [28]. These controllability-equivalence sets are determined through clustering using the CI. A well-known challenge for clustering algorithms (e.g. k-means or k-mediods) is the selection of the number of clusters k [29,30]; therefore, hierarchical agglomerative clustering is chosen as it groups data by creating a cluster tree or dendogram. This is elaborated upon in [10]. The line flows within a cluster are decoupled from flows in other clusters. Flows within a cluster are coupled and mutually dependent.

| Finding critical, essential, and redundant sets
The critical, essential, or redundant status of a controller is determined based on the coupling of the columns of A″ (rows of A ″ � � T ). Essential controllers are linearly independent and have the best control range/influence to meet the objective. While some essential controllers are exchangeable with redundant controllers, other essential controllers are critical controllers that lack redundancy. Particularly, Chen et al. [31] defined a critical measurement as a measurement whose elimination from the measurement set results in an unobservable system. A similar approach is applied to identify critical controllers. lower-upper (LU) factorisation is applied on A ″ � � T to obtain the change of basis, decomposing the transposed sensitivity matrix to lower and upper triangular factors [32]. The following decomposition of A ″ � � T is obtained: Using the Peters-Wilkinson method [32], A ″ � � T is decomposed (Equation 3); P is the permutation matrix and L b and U b are the lower and upper triangular factors of dimension n, respectively. M is a sparse, rectangular matrix with rows corresponding to redundant controllers. The new basis has the structure: The new basis, shown in (5), must be full rank for a controllable system and this requires the m £ (n − 1) matrix to have a column rank of (n − 1) to be a controllable n-bus system with m-measurements. Since, L b and U b will be nonsingular for a controllable system, the rank of A ″ � � T can be confirmed by checking the rank of the transformed factor L T F . Also, L b has full rank and with (5) multiplied by L −1 b from the right, the row identities will be preserved in the transformed matrix L T F . Each row of the matrix will, therefore, correspond to the respective controllers [31].
Rows of I n correspond to essential controls that are sufficient to assure independent controllability of the equivalent line flows. Non-zero entries in the rows of R correspond to redundant controls. Columns correspond to the equivalent flows which can easily be mapped back to the original flows using the permutation matrix P obtained from the LU decomposition step. The LU decomposition approach preserves and applies the control theory principles that the matrices must have full rank to be controllable/observable.

| Mapping equivalent line flows
The equivalent line flows are a linear mapping of actual line flows, visualised in Figure 4, and the actual system values can be obtained by traditional back-substitution solution techniques. Thus, the equivalent line flows provide insight into how actual line flows are distributed within the equivalence to better understand how the controller roles are computed. The formulation of the transformed sensitivity matrix L CER is visualised in Figure 5.
Next, to assess the composition of the equivalent line flows, a 7-bus system with D-FACTS devices on all lines is considered [28]; the transformed basis of this system is shown in Figure 6. The remainder of this section demonstrates the implementation of the RID methodology for this 7-bus F I G U R E 4 Visual representation of LU factorisation of transposed sensitivity matrix where U maps the original line flows to equivalent line flows in the transformed basis F I G U R E 5 The LU factorisation of the transposed sensitivity matrix is illustrated, ultimately resulting in the transformed basis system. The 7-bus system is a demonstrative case from the Glover et al. textbook, as well as a PowerWorld Simulator public test case [33]. The 7-bus system is used as a simple casestudy in presenting the SDCD strategy in an understandable way. Results from the SDCD method will also be demonstrated with the same 7-bus system in Section 7.
Using the analysis techniques described above, the transformed basis L CER is obtained for the 7-bus system as shown in Figure 6. An example result from the transformed basis, highlighted in purple in Figure 6, shows that by studying the transformed sensitivity of the redundant controller C R2 to the equivalent line flow 4, one can easily map back to obtain the original line flow composition of EQ.L4.
The entries in U F ( Figure 5) are weightings of the original line flows in the equivalent line flows. U F for the 7-bus system is shown in Table 1, where its entries determine the composition of the equivalent line flows as linear combinations of the original target line flows T j , where j is the index over alright target lines, as shown in Equations (6)- (12). The target line flow, T j is defined for the purposes of this analysis as the real power flow of the target set of transmission lines that can be independently controlled.

| Ranking redundant controllers
The transformed basis in Figure 6 also reveals how the redundant controllers labelled C R1 − C R4 should be ranked. When compromise or failure occurs for any essential controllers (in I n ), the redundant controllers should respond. The entries of R give the sensitivity of each equivalent line flow to each redundant controller.
If the essential controller of EQ.L4 is compromised, from the transformed basis it is clear that redundant controller C R2 has the highest impact on EQ.L4 and is thus of the highest importance for responding to that compromise. C R4 has the next highest sensitivity and can be used in conjunction with or subsequent to C R2 . Both C R1 and C R3 have low sensitivities and would not be effective if used alone. Based on the specific compromise or failure situation, these rankings can be used to employ the most sensitive redundant controllers or utilise all controllers such that highly ranked controllers are prioritised. Table 2 summarises the ranking of the redundant controllers for the six equivalent line flows computed for a selected operating point of the system.

| Improving controller placement
When no other controller can provide needed control of the corresponding equivalent line flow (i.e. Critical Controller), the decomposition reveals where to add a redundant controller.

Equivalent line
Effective controllers Ineffective controllers HOSSAIN-MCKENZIE ET AL.
Relevant techniques have been developed for phasor measurement unit (PMU) placement and observability, and these can be extended to controllers [34]. In the 7-bus example, Controller 5 corresponding to EQ.L3 of the transformed basis is critical, as shown in Figure 7. The composition of EQ.L3 is shown in (9), where T 3 provides the most significant contribution to EQ.L3. The target line selections are T j , and the mapping to the actual line indices in the 7-bus system is the following: T 1 : L 1 , T 2 : L 3 , T 3 : L 5 , T 4 : L 7 , T 5 : L 9 , and T 6 : L 10 . That is, T 3 corresponds to L 5 in the 7-bus system, and is based on the selection of target line flows. After another controller is added to be redundant to Line 5, the transformed basis after re-factorising the matrix is obtained (Table 3). Controller 6 shown in Figure 8 is redundant to EQ.L3 and converts controller 5 from critical to essential-with magnitude 1 in the transformed basis, Controllers 5 and 6 are now interchangeable for controlling EQ.L3. By eliminating critical controllers, the risk of loss of system controllability is now reduced.
This type of study can be performed as a planning tool for placing distributed controllers such that there exist no critical controllers, while unnecessary controllers are avoided. The compositions of the equivalent line flows in terms of the original line flows aid controller placement to avoid critical roles and eliminate excessive redundancy. Rankings of redundant controllers from the transformed sensitivities during essential controller compromise or failure can be used to give the most effective redundant controllers and to avoid using controllers that have little or no impact.

| SDCD: RESPONDING TO CONTROLLER COMPROMISE
Once compromise of a distributed controller is detected, that is, by an intrusion detection system (IDS) or basic detection of rapid or unnecessary controller settings changes, the optimal response process can be deployed with the remaining distributed controllers.
In systems without IDS or the security features needed to identify a compromised controller, a deteriorating system state may be the only indication of abnormal behaviour. In these cases, physical controls can respond immediately while cyberside abnormalities are investigated and repaired. It should be noted that control support group responses cannot always completely mitigate the effects of distrusted controllers. In some cases, there may simply be no support group for the affected lines. In other cases, the control support groups might not be able to manipulate the power flow in their lines sufficiently to offset the undesired system behaviour. These circumstances can be averted in the offline planning stage (Section 4) through careful attention to optimal controller placement and redundancies.
When the compromise of any distributed controller occurs, the appropriate response of the remaining controllers must be formulated, using the SDCD algorithm, to minimise stressed conditions and prevent damage to sensitive equipment. Recurrent sets (sets of controllers that frequently occur together in transformed sensitivity analyses taken over time), can be used to select controllers that maximise controllability across a range of operating points. An optimisation framework and control algorithm is applied, using the generic objective function f 0 in Equation (13) to minimise the differences between the actual and desired quantities, s:t: f ðp;qÞ ðs ðθ;V Þ Þ ¼ 0 ð15Þ x ≤ x max ð16Þ where N represents the number of lines to be targeted for control. The constraints are AC power balance and device limits. The formulation is solved using the reduced gradient method and described in more detail in [28].

| STATE DEPENDENCE OF ROLES AND GROUPS
The previous sections discuss the insights gained from the transformed sensitivity matrix basis and show how that information can be leveraged. In order for control systems to take advantage of these results, it is necessary to examine the extent to which the controller roles and control support groups change with varying operating states of the power system. The 7-bus system was studied with different settings of the D-FACTS controllers. The effective impedance of each device, was varied to ±30% of the line impedance where the ±30% variation is based on the real-world D-FACTS device limits [35]. In the 7-bus system, 10 lines have D-FACTS devices, and each is given one of three different settings [x DF,LOW x DF,0 x DF, HIGH ], where x DF,0 indicates the controller is not in use and the line is at its original impedance. The first scenario uses two D-FACTS at a time and considers 900 setting states. The second scenario uses combinations of four controllers in the same manner, resulting in 81,000 setting states. Four device combinations are the maximum considered for this study due to the computational burden. With these operating points and device combinations, controller role and control support groups are recalculated and compared. Figure 9, in the labelled #1 and #2 plots, shows the number of occurrences (y-axis) of each controller (x-axis) as essential or critical over all the operating points. Results indicate that a pattern of recurrent essential controllers and recurrent critical controllers emerges. Controllers 1,2,3,8,9 frequently appear as essential over all the operating points. Similarly, plots #3 and #4 of Figure 9 show the number of occurrences for each controller as critical over all operating points, for both two and four device combinations.
These results highlight two main points: (1) the controller roles can change as the operating point varies; and (2) some controllers frequently appear in a certain role. Then, to further explore these observations, the effective impedance of each device was varied ±90% of the line impedance to study dramatically different operating points.
For two D-FACTS combinations, a pattern broadly emerges, with Controllers 8, 9 increasing in frequency for critical role assignment.
For four D-FACTS combinations, the results have higher variation. Controllers 1, 2, 3, 8, 9 retain high frequency as essential or critical and Controller 5 retains the highest number of occurrences as critical. However, Controllers 4, 6, 8, 9 exhibit higher numbers of occurrences as critical. This provides the insight that it may be necessary to factor in the operating point of the system during remedial actions.
Cluster membership in control support groups was also tracked in the above experiments to measure how frequently the controllers changed clusters, with the results summarised in Figure 10.
The IEEE 118-bus system was tested using this procedure with varying operating points, for both ±30% and ±90% changes in x LINE . D-FACTS were presumed to be on every line (186 lines) and a change in a single device was considered at a time. As the operating point changes, the resultant controller roles remain the same for both ±30% and ±90% changes. More significant changes such as line outages and faults may impact the groups, even in a large system. When recurrent sets of controller roles exist, they can be used to aid a priori response calculations. In the 118-bus system, the analysis showed that of the 186 lines in the system, none were critical, while 96 were found to be essential, and 90 were found to be redundant to system controllability, with 91 control support groups for the system.
The main observations from studying cluster membership over different operating points are the following: (1) For the different scenarios of D-FACTS combination cases, the results are similar and show distinct cluster membership.
F I G U R E 8 The 7-bus system with lines coloured according to cluster group and labelled with essential and redundant controllers. Highlighted in the yellow box is added controller C6 which converts C5 from critical to essential HOSSAIN-MCKENZIE ET AL.
(2) For large variations in line impedances, cluster membership patterns become less distinct, though the same controllers still appear dominant.
(3) For small changes in larger systems, controller roles often stay the same.
These frequencies of occurrences and operation points of the controllers are used to develop various controller selection techniques for mitigation. Namely, the Recurrent CE and Recurrent R selection methods use controller roles with the highest frequency of occurrence (over the operating points), for critical/essential roles and redundant roles, respectively. These selection techniques factor in sensitivity computations made over various operating points of the system to form control support groups. The Current CE, Current R, and Ranked R selection methods are calculated with the current operating point of the system. These selection methods and their impact in mitigating controller compromise is demonstrated in the next section for both the 7-bus and IEEE 118bus systems using the SDCD approach.

| RESULTS AND DISCUSSION
The selection algorithms discussed above were implemented for two test cases; the 7-bus system detailed in previous sections, and the IEEE 118-bus system. SDCD results use power system metrics to measure performance and to optimise response using distributed controllers. The megavolt-ampere (MVA), a measure of apparent power, percentage loading of lines is used as a metric for power system tolerance. The MVA limits of lines are a common indicator of physical power system impact, for example, in optimal power flow formulations. Other performance metrics may also be applied when implementing SDCD, where the equations used in the algorithm would be modified accordingly. Calculating response and measuring performance with these metrics, cyber-physical intrusion tolerance of the power system is improved by minimising the impact of a compromise or intrusion with the deployment of coordinated controls.

| 7-bus system
While the use of 10 controllers could be considered superfluous for this system, it is designed to illustrate the possibilities of various support groups that can be used to mitigate controller compromise and to highlight controller locations that cannot be mitigated using support group selections.
In the 7-bus system, Controller #2 was compromised, with the compromise causing an increase in Line 2 power flow. Table 4 presents the results. The compromised controller is mitigated through the various selection methods, and for this scenario, the effectiveness of the algorithms is based on the % MVA flows for all lines in the system.Based on this metric, the best performing selection scheme was found to be Recurrent CE, while Current R selection F I G U R E 9 Occurrences of each controller as critical/essential (C/E) or just critical (C) overall operating points for different number of D-FACTS combinations (2 or 4 D-F). Results for line impedance, x LINE , variation of ±90% is also shown in plots #5 and #6. The controller # is on the x-axis and the number of occurrences is on the y-axis 88provided the least effective results under this scenario. While the Current CE and Current R techniques (that factor in the present operating point) provide a better reduction of powerflow in Line 2 (the compromised line), when the measure of effectiveness is changed to the mean system MVA, selection techniques that depend primarily on the system topology perform better. Table 5 presents the results for various compromised controller scenarios using only the Recurrent CE controller set, where original, compromised, and response % MVA is given for each targeted line. The settings for the response set C # Resp. , which excludes compromised controllers, are computed using Equations (13)- (17). In most cases, the response set is able to significantly reduce the line flow % MVA.
These results indicate that the SDCD algorithm's flexibility is effective in either restoring a system's overall line flows to the original state before a compromise, or restoring that of a particular line solely. Depending on the objective, an appropriate selection technique can be used.

| IEEE 118-bus system
The methodology was also tested on the larger IEEE 118-bus system shown in Figure 11. In this system, the controller on Line 63 (illustrated in orange in Figure 11 is selected as the compromised controller, with Controllers # 50, 68, 69, and 117 selected using the Recurrent R method, acting as the support groups, highlighted in blue in Figure 11.
Under the selected scenario, at  the other controllers, the power flow improves to 84.6% of the limit. The results of the line flows are summarised in Table 6. It is observed that the failure of the controller on Line 63 increased the overall real power transmission loss by 4.03% and the reactive power transmission loss by 57.71%. After the recalculation of settings of the other controllers, the real power transmission loss did not improve greatly. However, the reactive power transmission loss improved by 11% over the operating state of the system during failure, with the postmitigation loss being a significantly lower 40.6% decrease over the pre-failure operating state of the system. These results are presented in Table 7. The results for the IEEE 118-bus system provide multiple key insights: (1) Results reiterate observations from the 7-bus system that the line clusters and support groups do not need to be localised, and they are highly dependent on system topology as well as the distribution of loads and generators across the system.
(2) Results indicate how to utilise knowledge of the system to generate remedial schemes that ensure grid operation without limit violations using distributed controllers in the system rather than merely using localised elements/devices in the immediate neighbourhood.
Following the single attack cases, the SDCD strategy is also tested for a scenario of coordinated attack, where several essential controllers on Lines 14, 63, 81, and 117 are compromised. The aim of this attack is to reduce power flow on lines with high capacity and force it to be routed through lines with low capacity. The SDCD recomputes settings of controllers in other high capacity lines to mitigate this event. In this scenario, the high capacity lines have functional D-FACTS devices that enable higher power flow. When these devices are compromised, they can reduce the overall system efficiency by manipulating the effective impedance of the lines with compromised D-FACTS devices and, consequently, cause line overloading.
Under this scenario, other controllers in the concerned support groups are selected and their settings are reconfigured to redirect power flow through them and improve system efficiency while reducing the loading on lines that were affected by the attack. Table 8 provides data pertaining to overall system efficiency that indicates how SDCD strategy can be used to move the system closer to its original operational state during times of an attack, with the metric of system losses being used.
It is pertinent to note from the results that SDCD is effective even in scenarios where only controllers with lower impact (Recurrent R selection), that is, redundantly ranked devices, are available for mitigation. Additionally, the Recurrent R selection controllers are not recalculated using current system state and can be computed offline, in advance. Using more effective techniques such as Current CE, Recurrent CE etc. can provide more benefit with current system state, but may not be necessary for all scenarios. Thus, the SDCD approach can be used flexibly for different systems, controller sets, and operational needs. The results of these other selection techniques are compared in Table 8.

| CONCLUSION
This paper presents a process to restore control and reliable steady-state operation using the SDCD method, given the compromise or failure of distributed devices on the grid. In summary, the core contributions of this paper are as follows: (1) Discovering the equivalent sensitivity parameters to identify redundancies by using the transformed basis that is obtained by decomposition and factorisation of desired system sensitivities.
(2) Aiding controller placement to avoid critical roles, avoid excessive redundancy, and rank redundancies based on their effectiveness to the selected parameter.
(3) Exploring system state (operating point) dependence of role and group recurrent behaviour exhibited in the results.
(4) Development of a control response framework for the compromise or failure of distributed device(s) in a system based on a desired objective. This was demonstrated for a 7-bus and the IEEE 118-bus systems with both single controller and coordinated attack.
The response mechanisms highlighted in this paper are designed to be deployed during an incident to reduce system stress and mitigate compromise consequences while the actual cause and removal of the compromise is investigated by intrusion detection and recovery methods, or other security mechanisms.
T A B L E 7 Summary of the real and reactive power flow losses in the IEEE118-bus system for a single controller attack scenario with the objective to reduce target line's flow -91