CFDI: Coordinated false data injection attack in active distribution network

The active distribution network (ADN) can obtain measurement data, estimate system states, and control distributed energy resources (DERs) and flexible loads to ensure voltage stability. However, the ADN is more vulnerable to cyber attacks due to the recent wave of digitization and automation efforts. In this article, false data injection (FDI) attacks are focused on and classified into two types, that is, type I attacks on measurement data and type II attacks on control commands. After studying the impact of these two FDI attacks on the ADN, a new threat called the coordinated FDI (CFDI) attack is revealed, which can maximize the voltage deviation by coordinating type I and type II FDI attacks. From the attacker's perspective, the scheme of CFDI is proposed and an algorithm is developed to find the optimal attack strategy. The feasibility of CFDI attacks has been validated on a smart distribution testbed. Moreover, simulation results on an ADN benchmark have demonstrated that CFDI attacks could cause remarkable voltage deviation that may deteriorate the stability of the distribution network, and that the impact of CFDI attacks is higher than that of pure type I or type II attacks. To mitigate the threat, some countermeasures against CFDI attacks are also proposed.


INTRODUCTION
It is a global trend to facilitate the low-carbon transformation of energy structures by introducing large quantities of distributed energy resources (DERs) and flexible loads into smart grids [1]. With a high penetration rate of DERs and flexible loads, the distribution network is facing great security threats. For example, the uncertainty in photovoltaic and wind power generation has a great impact on the supply-demand balance of the power system [2], while uncoordinated plug-in electric vehicles (EVs) on a residential distribution grid can cause problems including power losses and voltage deviations [3]. To increase the distribution network's reliability and robustness, the active distribution network (ADN) is being developed rapidly, which can obtain measurement data, estimate system states, and make decisions to control DERs and flexible loads automatically via the supervisory control and data acquisition (SCADA) system [4,5].
Voltage stability is one of the most important security indicators for distribution networks. If the voltage exceeds the allowed deviation range, it can cause some electrical appliances to malfunction, decrease the torque and speed of electric motors, and affect the efficiency and quality of manufacturing activities [6].
In severe cases, it can cause generator failure or even voltage collapse [7]. To guarantee voltage stability, researchers have revealed the principles of voltage regulation and proposed some voltage regulation methods using DERs and flexible loads [8][9][10]. Specifically, voltage regulation methods that utilize optimization algorithms for the coordinated control of multiple DERs have emerged [11,12], whose optimization objectives include optimal power flow, optimal power quality, and minimum power losses [13][14][15]. EV charging schedules are optimally coordinated to support voltage and energy regulation [10].
The deep coupling of cyber networks and power grids has expanded the attack surface, thus aggravating the threat of cyber-physical attacks. Specifically, attackers can launch false data injection (FDI) attacks from the cyber network, injecting false commands or measurements to disturb system operation and lead the power grid into an unstable operating state [16][17][18][19]. For instance, dynamic load altering attacks against smart grid demand response programs can make the power system's frequency unstable [20]. A cyber-physical coordinated attack against protection relays is studied in [21], which can cause cascading failures via cyber-attacks on protection relays followed by physical attacks on the transmission line. Although FDI attacks have been well studied, most researchers focus on the security of the transmission network, while few have considered the threat of FDI attacks in ADNs. Moreover, the threat of compromising flexible loads and DERs on a large scale in ADNs has not been thoroughly studied.
In this paper, we explore the impact of coordinated FDI (CFDI) attacks on the voltage security of ADNs, where voltage deviation is caused by both false measurements impacting DERs (i.e. type I FDI attack) and false commands on flexible loads like EVs (i.e. type II FDI attack). We present a method that can indirectly manipulate the reactive power output of DERs by injecting false measurement data into the SCADA system, thus misleading its control decisions. Furthermore, we develop an iterative optimization algorithm to find the optimal CFDI attack strategy. Based on the voltage regulation timeline in ADNs, we propose an attack scheme that changes the active power of flexible loads and the reactive power of DERs synergistically. Results from simulation experiments demonstrate that, with limited attack resources, CFDI attacks could lead to larger voltage deviations than pure type I or type II FDI attacks. We also propose some defense strategies against such attacks. Our main contributions are summarized as follows.
• We revealed the threat of CFDI, where attackers can leverage flexible loads and DERs via an optimal collaborative attack strategy, causing distinct voltage deviations by manipulating the active and reactive power in ADNs, respectively.
• We introduced an indirect control method where attackers can manipulate the reactive power output of DERs by influencing the SCADA system's state estimation and control decisions through FDI attacks on measurements.
• We demonstrated the possibility of CFDI on a real smart distribution testbed, where FDI attacks could be launched to inject false commands and measurements.
• We validated the feasibility of CFDI through extensive simulation experiments and demonstrated its advantages over single-sided attacks. Moreover, several defense strategies are proposed based on the analysis of the experimental results.
The remainder of this paper is organized as follows. Section 2 reviews relevant works in this field. Section 3 presents the algorithms for CFDI attacks. Section 4 validates the feasibility of CFDI attacks on the smart distribution testbed. Section 5 validates the proposed attack through simulation experiments and analyzes the influencing factors. Section 6 provides some defense strategies, and Section 7 concludes the paper.

RELATED WORK
This section summarizes related works in the fields of ADN and FDI attacks based on the principles and methods of the proposed attacks.
In recent years, there has been a growing emphasis on the physical stability as well as the network and data security of ADNs. ADNs have great potential in coordinating high penetration of renewable energy and improving the reliability of power supply. Compared to traditional distribution networks, ADNs have enhanced two-way communication and active control capabilities. The SCADA system is one of the important technologies for achieving these functions, as it performs optimization based on measurement data. Researchers have proposed many optimization models that leverage SCADA systems, such as optimal power flow [14], optimal voltage regulation [15], and power loss minimization. Among them, the optimization of voltage quality has received widespread attention. In addition to traditional on-load tap changers (OLTCs) and reactive power compensators (RPCs), voltage regulation in ADNs can also be achieved by controlling the reactive power output of DERs. The linear relationship between DERs and distribution network voltages was explored and the voltage regulation calculation was simplified in [8,9]. An intelligent method for voltage control in distribution networks using distributed generators was proposed in [22]. Multiple distributed generators were coordinated with conventional voltage control devices in a centralized system in [11] to optimize line losses while regulating voltage. The voltage control problem was decomposed into several local sub-problems using graph partitioning and -decoupling in [12,23], reducing the dimensionality and the communication cost of the optimization problem. Taking into account the radial topology of distribution networks, the distributed generator management system was integrated into the decentralized Volt/Var management system, and the distribution network was divided into regions with separate voltage regulation and reactive power support schemes in [24]. However, the SCADA system is vulnerable to malicious attacks while obtaining measurement data, performing state estimation, and achieving optimal control. Also, these voltage regulation methods are dispersed throughout the distribution network, allowing attackers to exploit the same principle to manipulate energy output and achieve reverse voltage regulation remotely. Obviously, these capabilities of ADNs introduce new threat scenarios for security.
FDI attacks directly undermine the perception and control capability of SCADA systems, thereby affecting other functionalities. The FDI attack was first proposed in [25], where the constructed attack vector bypasses the residual-based bad data detection of state estimation. The topology FDI attack was demonstrated in [26], which could cause misjudgment of the system topology. To make FDI attacks more realistic, some researchers modeled them as optimization problems that consider limited resources and covert attacks [27][28][29][30], and used solvers or heuristic algorithms to construct optimal attack vectors. Furthermore, researchers are also working on reducing the difficulty of designing FDI attacks and reducing the reliance on complete power grid parameters. An FDI model that only requires the admittance of all lines connected to the target bus was presented in [31], and was further simplified to only require admittance in [32]. Using principal component analysis and geometric methods, an FDI attack that does not rely on network information was proposed in [33]; however, due to the DC approximation, it is unsuitable for launching attacks with large deviations. An approach that relies only on a few phasor measurement units was introduced in [34], which enables FDI attacks against AC state estimation. FDI attacks that can bypass the distribution system state estimation (DSSE) program were discussed in [32,35,36], where attackers have to compromise multiple measurements simultaneously to remain undetectable [37]. However, these studies focus solely on the cyber network when analyzing the threats posed by FDI attacks. They also overlook the potential effects on the physical network and do not consider the possible impact of inaccurate decision-making by SCADA systems on the ADN.
Overall, while the aforementioned studies have elaborated on the threats of FDI attacks to both the cyber and physical layers of ADNs, they have not revealed how threats on the cyber layer can affect the physical layer. To fill this knowledge gap, we have developed a CFDI attack strategy based on voltage regulation principles and, for the first time, proposed a method to indirectly manipulate the control command through FDI on measurements. This CFDI attack leverages resources from both the cyber and physical networks by launching two types of FDI attacks, and finally accumulates voltage deviations on a specific bus. Note that if over-voltage and under-voltage relays have been deployed, they may cause load shedding and partial outages, which could be regarded as a subsequent result of a successful CFDI attack.

COORDINATED FALSE DATA INJECTION ATTACK
In this section, we propose CFDI to cause voltage fluctuations by leveraging the variation of active and reactive power in the ADN. First, we introduce the voltage regulation process and how voltage is affected by changing power. Second, we introduce the type I FDI attack (FDI attack on measurement data) and design Algorithm 1 to determine the target measurement data injection from the desired change in reactive power. Third, we introduce the type II FDI attack (FDI attack on control commands) and illustrate how to conduct it for a desired change in active power. Then, we propose CFDI and design Algorithm 2 to coordinate the two types of attacks. Finally, we analyze the timeline of the CFDI attack during the periodic active voltage control process.

Preliminaries
The process of voltage regulation by the SCADA system can be divided into two steps: i) state estimation based on measurement data, and ii) executing a voltage regulation algorithm based on the state to adjust the reactive power output of DERs.
In this article, we propose CFDI to cause distinct voltage deviations by manipulating the active and reactive power injection of the system. The relationship between these physical quantities can be described by the power flow equations in polar form, (1) and (2), where P_i and Q_i represent the active and reactive power injected into bus i, respectively, V_i represents the voltage magnitude of bus i, A(i) represents the set of buses adjacent to bus i, and G_ij, B_ij and θ_ij represent the conductance, susceptance and phase difference between buses i and j, respectively. Let x = [V, θ] denote the system state and z = [P, Q] the measurement data. Then z = j(x) holds when the measurement error is ignored, where j(·) is the power flow equation given by (1) and (2).

ALGORITHM 2 Optimal CFDI attack strategy.
As a high-dimensional non-linear system, the system state x and the power flow on the branches cannot be obtained analytically. Therefore, iterative methods are usually used to obtain the numerical solution of the power flow in a certain state. The Newton-Raphson method is one of the most widely used methods in power flow calculation. During the calculation, it iterates by linearizing the relationship between the physical quantities, which gives the linearized power flow equation in which J is the Jacobian matrix; J is calculated by (7) and quantifies the impact of voltage changes on the power injection of the system in a given state. Since the voltage magnitude and voltage angle generally fluctuate within a small range, the relationship between voltage and power can be approximated as linear, with coefficients given by the elements of the Jacobian matrix. Correspondingly, the impact of power changes on voltage can be expressed by (5), where Λ is the sensitivity matrix, that is, the inverse of J.
Λ can be split into four sub-matrices, each representing the relationship between the corresponding physical quantities; for instance, Λ_VP represents the impact of active power changes on voltage magnitude.
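To make the sensitivity matrix concrete, the following is an added Python example, not the paper's MATLAB code: it builds a constructed three-bus radial feeder, solves the power flow with Newton-Raphson, inverts the Jacobian to obtain Λ with its Λ_VP and Λ_VQ blocks, and checks the linear prediction Λ_VQ·ΔQ against a re-solved power flow. The line impedances, the loads and the use of a central-difference Jacobian (in place of the paper's analytic expression) are assumptions of this example.

```python
"""Voltage sensitivity matrix Lambda = J^-1 of a small radial feeder (added example)."""
import math

# Constructed 3-bus radial feeder in per unit; values are illustrative, not the paper's.
# Bus 0 is the substation (slack, V = 1.0, theta = 0); buses 1 and 2 are PQ load buses.
Z_LINES = {(0, 1): 0.02 + 0.06j, (1, 2): 0.03 + 0.08j}
PQ = [1, 2]
# Specified net injections z = [P1, P2, Q1, Q2]; loads are negative injections.
S_SPEC = [-0.5, -0.3, -0.2, -0.1]


def build_ybus(n, lines):
    """Nodal admittance matrix from series line impedances (shunts ignored)."""
    y = [[0j] * n for _ in range(n)]
    for (a, b), z in lines.items():
        yab = 1 / z
        y[a][a] += yab
        y[b][b] += yab
        y[a][b] -= yab
        y[b][a] -= yab
    return y


YBUS = build_ybus(3, Z_LINES)


def injections(x):
    """Power flow equation z = j(x) for x = [theta1, theta2, V1, V2]."""
    v = [1.0 + 0j] + [x[2 + k] * complex(math.cos(x[k]), math.sin(x[k])) for k in range(2)]
    s = []
    for i in PQ:
        current = sum(YBUS[i][j] * v[j] for j in range(3))
        s.append(v[i] * current.conjugate())  # S_i = V_i * conj(I_i)
    return [s[0].real, s[1].real, s[0].imag, s[1].imag]


def jacobian(x, h=1e-6):
    """J = dz/dx, here by central differences instead of the analytic form (7)."""
    j = [[0.0] * 4 for _ in range(4)]
    for c in range(4):
        xp, xm = list(x), list(x)
        xp[c] += h
        xm[c] -= h
        zp, zm = injections(xp), injections(xm)
        for r in range(4):
            j[r][c] = (zp[r] - zm[r]) / (2 * h)
    return j


def solve(a, b):
    """Gaussian elimination with partial pivoting (small dense systems only)."""
    n = len(b)
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(m[r][c]))
        m[c], m[p] = m[p], m[c]
        for r in range(c + 1, n):
            f = m[r][c] / m[c][c]
            for k in range(c, n + 1):
                m[r][k] -= f * m[c][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][k] * x[k] for k in range(r + 1, n))) / m[r][r]
    return x


def invert(a):
    """Matrix inverse, one column per unit vector solve."""
    n = len(a)
    cols = [solve(a, [1.0 if r == c else 0.0 for r in range(n)]) for c in range(n)]
    return [[cols[c][r] for c in range(n)] for r in range(n)]


def newton_raphson(z_spec, tol=1e-10, max_iter=20):
    """Solve j(x) = z_spec from a flat start; returns x = [theta1, theta2, V1, V2]."""
    x = [0.0, 0.0, 1.0, 1.0]
    for _ in range(max_iter):
        mismatch = [zs - zc for zs, zc in zip(z_spec, injections(x))]
        if max(abs(m) for m in mismatch) < tol:
            return x
        dx = solve(jacobian(x), mismatch)  # linearised step: J dx = dz
        x = [xi + d for xi, d in zip(x, dx)]
    raise RuntimeError("power flow did not converge")


def sensitivity(x):
    """Lambda = J^-1; the V rows split into Lambda_VP (P columns) and Lambda_VQ (Q columns)."""
    lam = invert(jacobian(x))
    return {"VP": [row[0:2] for row in lam[2:4]],
            "VQ": [row[2:4] for row in lam[2:4]]}


def predicted_vs_actual_dv(pq_idx, dq):
    """Linear estimate Lambda_VQ * dQ at one PQ bus versus a re-solved power flow."""
    x0 = newton_raphson(S_SPEC)
    lam = sensitivity(x0)
    z1 = list(S_SPEC)
    z1[2 + pq_idx] += dq
    x1 = newton_raphson(z1)
    predicted = lam["VQ"][pq_idx][pq_idx] * dq
    actual = x1[2 + pq_idx] - x0[2 + pq_idx]
    return predicted, actual


if __name__ == "__main__":
    base = newton_raphson(S_SPEC)
    print("V (pu) at buses 1, 2:", [round(v, 4) for v in base[2:]])
    blocks = sensitivity(base)
    print("Lambda_VP:", blocks["VP"])
    print("Lambda_VQ:", blocks["VQ"])
    print("dV at bus 2 for dQ = -0.05 (linear, full power flow):", predicted_vs_actual_dv(1, -0.05))
```

For an operator, the same Λ_VQ block ranks which load buses are most voltage-sensitive to a reactive power change and therefore deserve the tightest measurement validation; the comparison at the end also shows that the linear prediction is only accurate for small changes, which is why a full power flow is re-run before trusting any sensitivity-based estimate.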

Type I FDI attack: FDI attack on measurement data
The SCADA system directly and accurately controls some power equipment in ADNs, such as DERs [38] and OLTCs [39]. In particular, the reactive power output of DERs is actively managed by the SCADA system to participate in voltage regulation. Therefore, we consider using type I FDI attacks to mislead the SCADA system's perception and decision-making through FDI attacks on measurement data, thereby indirectly manipulating the reactive power output of DERs.
In the voltage regulation process, the control command u = [ΔP, ΔQ] is determined by x as u = h(x), where h is the voltage regulation algorithm. After regulation, the measurement data will be shifted to z_new = z + u. Accordingly, the system state x will reach a new state x_new, which could be estimated using the least squares method. The safe domain of the system state is the set of all states where the voltage remains within the operation limits. Thus, the control command u is determined to make x_new lie in the safe domain. Since the voltage magnitude of the power system is mainly related to reactive power, the indirect manipulation of DERs uses the desired control command u_att^I = ΔQ_att as input to obtain the measurement data injection z_att. From (6) and (7), we can obtain (8), whose terms are defined in (9), (10) and (11).

FIGURE 1 The i-th iteration of Algorithm 1. Two blue arrows are control command vectors. Black dashed lines represent the mutual conversion between the vector spaces of x and z. The green dashed arrow indicates that the points at both ends are symmetrical about the midpoint. The i-th iteration starts from z_{i-1} and reaches x'_i along the direction of the arrow according to Line 3 of Algorithm 1. Then, it finds x_i in the direction of the green arrow according to Line 4 of Algorithm 1.

Therefore, after conducting the type I FDI attack by injecting z_att constructed according to (9), (10) and (11), we can ensure that: (a) the real voltage after the attack is out of the safe domain according to (9); (b) the voltage regulation algorithm would think it has regulated the voltage back to the safe domain under the misguided system state j^{-1}(z_att) according to (10); (c) the regulation output h(j^{-1}(z_att)) is close to the desired control command u_att^I according to (11).
However, it is hard to solve (8) directly, as the voltage regulation algorithm h is usually an optimization problem and h^{-1} cannot be expressed explicitly in closed form. To address this issue, we propose Algorithm 1 to determine z_att satisfying (11); its main idea is illustrated in Figure 1. Specifically, the two planes in the figure represent the space of system states and the space of system measurements, respectively. If, after the (i-1)-th iteration, there is still a gap between u_{i-1} and u_att^I, we perform the i-th iteration beginning from z_{i-1}. First, assume that the control command u_att^I − u_i is exerted on the system and calculate the corresponding state x'_i at Line 3. Then, we find x_i, the symmetric point of x'_i about x_{i-1}, at Line 4. These two steps make u_i = h(x_i) closer to u_att^I than u_{i-1}. The iteration terminates when ‖u_att^I − u_i‖ < ε_u at Lines 6-9. If u_i does not converge to u_att^I within m_iter iterations, we consider that u_att^I cannot be reached, at Lines 12-14.

Type II FDI attack: FDI attack on control command
As the integration of intermittent DERs introduces greater variability and uncertainty, more flexible loads are introduced as demand response (DR) resources [40,41] and controlled by automatic response technologies like OpenADR [42]. Therefore, attackers could launch type II FDI attacks to change the power output of flexible loads by injecting false control commands.
The most promising flexible loads for demand response regulation include EVs, aggregated thermostatic loads and energy storage, etc. [43,44], which may also be exploited by attackers. The simplest attack is to plug in or unplug a considerable number of flexible loads like EVs simultaneously by injecting false control commands. This could be easily achieved if the relevant load aggregators or cloud controllers are compromised [45]. Among those flexible loads, EVs are interruptible loads that face great threats from cyber attacks on charging piles, charging stations or load aggregators. In addition, as the penetration rate increases, EVs will have a greater impact on the distribution network [3]. Although changes in active power have a smaller impact on voltage magnitude than reactive power, the centralized switching of large-scale controllable loads can still deliver a considerable shock to the voltage magnitude. Thus, we choose the active power of EV charging as the attack target. According to (5), the voltage deviation caused by the change of active power u_att^II = ΔP_att is Λ_VP · ΔP_att. To cause a nontrivial impact on the voltage magnitude, u_att^II = ΔP_att in the type II attack should satisfy

Strategy of CFDI attack
To maximize the voltage deviation with limited attack resources, we propose an optimization method to obtain the optimal CFDI attack strategy. The schematic diagram of the overall attack is shown in Figure 2. Since both types of FDI attacks regulate voltage by changing power injection, we can build an optimization model by quantitatively analyzing the impact of power changes on voltage. As the elements reflecting the impact of node j on node i may not necessarily lie in the i-th row and j-th column of the sensitivity matrix, let the mappings e(i) and g(j) give the row and column corresponding to nodes i and j, respectively. The voltage variation at node i can then be approximated as a linear combination of the power changes at the other nodes, whose impact coefficients are the elements in the e(i)-th row and g(j)-th column of Λ_VP and Λ_VQ, respectively. With limited resources, attackers need to determine whether attacking node i is worth it and derive the optimal coordinated attack strategy. To address this, we describe the problem with the optimization model (14), where w_P and w_Q are weight coefficients representing the cost of manipulating active and reactive power, respectively; L represents the set of load nodes; S represents the set of buses with DERs; ΔN_j represents the increased number of controlled EV charging operations at bus j; N_max represents the total number of EV charging stations that the attacker can control; N_j^max represents the maximum number of EVs that can be compromised at bus j; N_j represents the number of EVs currently being charged at bus j; ΔV_target represents the target voltage deviation for the attacker; and V_ref = 1 p.u. represents the reference voltage. The objective function (14a) is the cost of manipulating the power. Equations (14b) and (14c) describe the upper limit of EVs that can be compromised in the whole system and at bus j, respectively. Equation (14d) describes the relationship between the number of EVs and their charging power, where P_unit represents the charging power of each EV. Equation (14e) limits the reactive power generated by each DER, where Q_k^min and Q_k^max represent the lower and upper limits at DER bus k, respectively. Equation (14f) ensures that the voltage deviation can at least reach ΔV_target. It is worth noting that the threat of voltage deviation is manifested on the load side, so the attacked bus i should also be included in the set L.
Since the sensitivity matrix is a linear approximation, the solution of the above model does not guarantee that the attack will achieve the target voltage deviation. Therefore, we use an iterative method to obtain an attack strategy that accurately achieves the target voltage deviation. The algorithm is depicted in Algorithm 2. In the body of the loop, Lines 3-6 solve (14) and obtain the attack strategy [ΔP, ΔQ] of each iteration; if (14) is infeasible, we deem that the attack cannot reach the target. Then we update ΔP_att, ΔQ_att and z and execute the power flow calculation for the new system parameters in Lines 7 and 8. The calculated voltage deviation is compared with the target ΔV_target, and if the target value is not reached, another iteration is performed. If the algorithm converges as described in Line 9 within m_iter iterations, we obtain the attack strategy in Lines 10-12, consisting of the attacks on measurement data and control commands, respectively. Otherwise, we also regard the attack as unable to reach the target, which indicates that the bus is not worth attacking.

Timeline of CFDI attack
The existing control strategy of the active distribution network is mainly based on quasi-real-time optimization, and the interval between two consecutive active regulations is usually more than 10 min [46]. Let t_n denote the time of the system's n-th active voltage regulation, and Δt the interval between two consecutive active regulations. The timeline of a sample CFDI attack is illustrated in Figure 3. The n-th CFDI attack executes around t_n. The type I FDI attack can be launched with counterfeit data at any moment between t_{n-1} and t_n, and consequently makes the system perceive a false state based on the counterfeit data and make false control decisions for the reactive power of DERs at t_n. After t_n, the type II FDI attack is initiated by manipulating the active power of flexible loads in the power grid, and the effects of both types of attacks on the voltage add up and persist until t_{n+1}. When the type II attack occurs close to t_n, the duration of the CFDI attack's effect reaches its maximum value of nearly Δt.

FEASIBILITY ANALYSIS ON DISTRIBUTION NETWORK TESTBED
The requirements for a successful FDI attack are as follows.
• Network access rights: Attackers should have access to the target network, so that they can eavesdrop on the network and inject false data accordingly. Network access can be obtained via network penetration [47], near-source penetration [48] or physical intrusion [49].
• Detailed device information: Attackers should obtain information about the measurement devices and control devices, which could come from device scanners like Shodan, Censys and ZoomEye [50], or from comparing eavesdropped data with a signature database of known devices.
• Devices' security vulnerabilities: Attackers should know the devices' vulnerabilities before exploiting them to launch FDI attacks. These vulnerabilities could be obtained from published common vulnerabilities and exposures (CVE) records [51], or discovered by fuzzing [52].
To validate the feasibility of CFDI attacks, we have built a smart distribution testbed with six circuit branches. As shown in Figure 4, for each branch, the SCADA system monitors the energy consumption via a smart meter and turns the circuit on/off via a smart switch. An illegal device is attached to the communication fieldbus network and controlled remotely by the attacker; it can eavesdrop on the network and launch FDI attacks. This illegal device is an off-the-shelf wireless serial port transmission device [53,54], which converts serial data on the serial communication line to TCP data from/to the wireless receiver (i.e. the attacker). With this device, attackers could eavesdrop on the communication line and inject false data remotely. With this testbed, we validate the feasibility of type I and type II FDI attacks by analyzing the devices' vulnerabilities; CFDI attacks could then be conducted by combining the two.

Feasibility analysis for type I FDI attack
There are three types of smart meters in the testbed, that is, Siemens PAC4200, Schneider PM810 and GE EPM5500P, all of which communicate using the Modbus protocol. All three meters have a password field to protect the system, and a four-digit password (0000-9999) is required to enter the parameter setting mode.
After exploration, we have found several security flaws in their password protection mechanisms, as follows.
• Missing protection for remote access: For the Schneider PM810 and GE EPM5500P meters, the password is only effective when changing critical parameters locally on the device panel. If the PM810 and EPM5500P are accessed remotely through the communication interfaces, the critical parameters (even including the password field) can be changed directly.
• Insecure communication during authentication: For the Siemens PAC4200 meter, the password must be provided to change critical parameters. As the password is transmitted in plain text over the Modbus protocol, it can easily be eavesdropped by attackers.
• Weak password without brute-force prevention: The four-digit password of the Siemens PAC4200 can be cracked easily, as there are no measures against brute-force attacks. Specifically, we tested the Siemens PAC4200 meter in the testbed and found that all 10,000 possible passwords could be tried exhaustively within 78 s.
After defeating the password protection mechanism, attackers can compromise the meters with malicious firmware via online updates. Alternatively, attackers can inject false data by changing the parameter settings. For example, the CT ratio (i.e. CT Primary/CT Secondary) and PT ratio (i.e. PT Primary/PT Secondary) can be changed to manipulate the data. The relevant registers for these meters are shown in Table 1. Specifically, if the CT ratio is changed from 25:5 to 250:5, the current readings in the meter are magnified tenfold (e.g. from 1 A to 10 A). Accordingly, all the measurements derived from the current readings (e.g. active power, reactive power, etc.) are affected. Thus, for the type I FDI attack (i.e. FDI attack on measurement data), attackers can inject false measurement data via these compromised smart meters.
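As an added defensive counterpart to the CT/PT ratio manipulation just described (example code, not from the paper or its testbed), the following Python check compares the CT ratio read back from a meter against the value recorded at commissioning and scans a reading series for consecutive samples whose ratio matches a decade rescaling, which is the signature a ratio rewrite leaves in the data. The reading values, the baseline and read-back ratios, and the 5% tolerance are assumptions of this example.

```python
"""Plausibility checks for meter readings whose scaling registers may have been altered."""

# Constructed per-minute current readings (A) from one meter; not testbed data.
READINGS = [1.02, 0.98, 1.01, 1.00, 10.1, 9.9, 10.0, 10.2]
# CT ratio (primary, secondary) recorded at commissioning and read back from the meter.
BASELINE_CT = (25, 5)
READBACK_CT = (250, 5)   # constructed: corresponds to a 25:5 -> 250:5 rewrite


def scaling_factor(readback, baseline):
    """How much larger the configured CT ratio is than the commissioning baseline."""
    return (readback[0] / readback[1]) / (baseline[0] / baseline[1])


def step_alerts(readings, factors=(10.0, 0.1), rel_tol=0.05):
    """Flag consecutive samples whose ratio matches a plausible ratio rescaling.

    A genuine load change rarely lands on an exact decade; a CT or PT ratio
    rewrite does, because every subsequent reading is multiplied by the new factor.
    """
    alerts = []
    for k in range(1, len(readings)):
        prev, cur = readings[k - 1], readings[k]
        if prev == 0:
            continue
        ratio = cur / prev
        for f in factors:
            if abs(ratio - f) / f <= rel_tol:
                alerts.append({"index": k, "ratio": round(ratio, 3), "factor": f})
    return alerts


def check_meter(readings, readback, baseline):
    """Combine register read-back and reading-step evidence into one verdict."""
    factor = scaling_factor(readback, baseline)
    alerts = step_alerts(readings)
    config_changed = abs(factor - 1.0) > 1e-9
    return {
        "config_changed": config_changed,
        "scaling_factor": factor,
        "step_alerts": alerts,
        "suspect": config_changed or bool(alerts),
    }


if __name__ == "__main__":
    print(check_meter(READINGS, READBACK_CT, BASELINE_CT))
```

The read-back comparison catches a parameter change even when no sample happens to straddle it, while the step scan catches a change on a meter whose registers cannot be polled; either alone produces false negatives, so both are combined into the verdict.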

Feasibility analysis for type II FDI attack
The smart switch in the testbed communicates using a simple private protocol, and the commands for controlling the smart switch are transmitted in plain text. For example, for switch#1 (device address: 07H), the query commands for opening and closing circuit#1 are as follows.
• Turn off circuit#1:
Note that the only difference between these two commands is at the penultimate byte, which represents the desired state of open (00H) or close (01H) for the specified switch. The detailed illustration of each byte of the query and response frames for opening switch#1 can be found in Figure 5. As all bytes are transmitted in plain text, it is easy for attackers to capture and replay these control commands. Thus, for the type II FDI attack (i.e. FDI attack on control command), attackers can inject false control commands to compromised smart switches via eavesdropping and replay attacks.

EVALUATION
In this section, we evaluate the threat of CFDI attacks on distribution networks through simulation experiments. First, we confirm that attacks can be successfully launched on the experimental system and achieve the attack objectives under certain load/generation conditions. Then, we compare them with unilateral attacks to demonstrate that the attack capability of CFDI attacks is significantly higher than that of ordinary unilateral FDI attacks. Finally, we conduct multiple experiments with varied experimental parameters to analyze the factors influencing the effectiveness of the attacks.

Simulation setup
The simulation experiments are conducted on the DTU-7k Bus ADN (DTU-ADN) [55]. As shown in Figure 6, DTU-ADN uses the topology and parameters of a real Nordic grid at the 60 kV level, and many DERs are connected at 10 kV buses. Bus 1 is the substation bus, buses 20, 21 and 22 are DER buses connected with controllable wind power plants, buses 27-48 are load buses containing loads and uncontrollable DERs, and the rest are connection buses. The simulations are implemented in MATLAB on a PC with a 1.10-GHz Intel(R) Core(TM) i7-10710U CPU and 16 GB of RAM. The MILP subproblem is modeled and solved by Gurobi. The major simulation parameters are chosen as follows.
• We choose 2,000 different load/generation conditions from actual hourly load and generation data for about three months [55]. For each condition, each of the 22 load buses can be regarded as the attack target separately, resulting in a total of 44,000 different CFDI attacks.
• Based on the installed capacity of the wind power plants in the case study, we constrain the reactive power output of each DER bus to within ±12 MVar.
• Considering the limitation on attack resources, we assume that only a portion of EVs could be compromised. That is, there are up to 500 compromised EVs in total and at most 100 compromised EVs per load bus, and each EV's charging power is set to 50 kW.
• m_iter is set to 10 to ensure low latency of attack strategy generation. Considering that the control command converges to a region instead of a point, as mentioned in Section 3.2, we set ε_u to 0.01 MVA, and ε_V is set to 0.0001 p.u. to ensure an accuracy of 1%.
• The typical voltage deviation limit is ±5% [56], and motors may stop working when the voltage deviation is beyond ±10% [57]. Therefore, we set the target voltage deviation ΔV_target to 8%, 10% and 12% in most experiments, respectively.

Feasibility verification
Section 4 has already demonstrated the feasibility of carrying out CFDI attacks. In addition, the algorithms and strategies used in CFDI attacks also need to be verified. In this subsection, we analyze the ability of Algorithm 1 (the type I FDI attack) to control DERs indirectly and the feasibility of Algorithm 2 (the optimal CFDI attack strategy). The purpose of the type I FDI attack is to falsify the system state x_att such that the system control command u is misled to the attack target u_att. However, in Algorithm 1, u_i does not necessarily converge to u_att; when it does not, x_att cannot be obtained and the attack cannot be implemented in practice. Therefore, we use the percentage of cases in which x_att is obtained successfully to demonstrate the feasibility of this algorithm. Let n_att denote the total number of conditions in which attack strategies can be obtained for the 22 load buses, and let n_succ denote the total number of conditions in which x_att can be obtained successfully. The success ratio for different target voltage deviations ΔV_target is shown in Table 2. From the table, the type I FDI attack can be implemented successfully according to the attack strategies in most conditions, indicating that the algorithm has a high level of feasibility.
The optimal attack strategy is designed to generate significant voltage deviations in CFDI attacks. We set the target voltage deviation ΔV_target to 8%, 10% and 12%, respectively, and run the optimal CFDI attack strategy of Algorithm 2 under 2,000 different load/generation conditions. The number of successful conditions on each load bus is shown in Figure 7. Specifically, when ΔV_target = 8%, successful attacks can be launched under many conditions on most buses. When ΔV_target = 10%, successful attacks can be achieved under certain conditions. When ΔV_target = 12%, attacks can still be completed under a few conditions and on a small number of buses. Thus, this attack could cause significant damage to the distribution system.

Comparison of threats posed by different attacks
In this subsection, we compare the threats posed by type I FDI attacks, type II FDI attacks and CFDI attacks under the 2,000 conditions; the distribution of the maximum voltage deviations (MVDs) on each bus is shown as a violin plot. As shown in Figure 8, the overall distributions of the MVDs caused by coordinated attacks are higher than those of unilateral attacks on all 22 load buses, indicating that coordinated attacks cause greater voltage deviations. Moreover, under the same ΔV_target, the violin shapes of the MVDs caused by coordinated attacks are wider on all buses, indicating that coordinated FDI attacks place less stringent requirements on the load/generation conditions.

Changes of threats on different time periods
Typically, the changes in loads and DERs within 24 h cause the network states to show a certain regularity over time. For example, photovoltaic generation reaches its peak around 12:00 a.m. (noon) and is 0 at night, while residential power consumption reaches its peak from 7:00 p.m. to 11:00 p.m. This leads to varying levels of vulnerability of the ADN at different times of the day. We analyzed the experimental results of Section 5.3 corresponding to the first 80 days according to time period. The distribution of the MVDs caused by attacks on all buses in different time periods is shown in Figure 9. The distribution from 7:00 a.m. to 1:00 p.m. is clearly higher than that of the other time periods, and it is lowest at night.

Impact of RPC and OLTC on CFDI attacks
In an ADN, there are still some passive voltage regulation devices that are regulated by local controllers for Volt/Var control. In this subsection, we consider some local RPCs and an OLTC as passive voltage regulation devices and evaluate their impact on CFDI attacks under different regulating abilities. Without loss of generality, we choose the MVD on bus 38 as the evaluation metric.
First, we consider the impact of local RPCs on CFDI attacks. On some vulnerable buses, we placed RPCs and varied the total regulation capacity from 0 to 3 MVar. The variation of the MVD on bus 38 under different RPC capacities is shown in Figure 10. Although the MVD caused by CFDI attacks can be alleviated by local RPCs, a significant voltage deviation (11%) still remains when the capacity of 3 MVar is exhausted.
Second, we test the impact of the OLTC on CFDI attacks. To ensure that the ADN can regulate itself within the allowable range of voltage deviation, we increase the tap position (gear) of the OLTC from -1% to 6%. The variation of the MVD with the OLTC gear is shown in Figure 11. The OLTC can effectively alleviate CFDI attacks, limiting the MVD to around 7%. However, the number of OLTC operations is limited by operating cost and equipment wear [11]. Hence, the OLTC cannot meet the regulation requirements if CFDI attacks are conducted frequently.

Influential factor
In the first two experiments, we found that some buses are more vulnerable to attacks than others, meaning that the target voltage deviation can be achieved, or a higher voltage deviation reached, under a larger number of load/generation conditions. To develop prevention and defense methods, we analyzed the factors that influence the magnitude of the coordinated attack threat on different buses. The amount of attack resources and the load condition (heavy load/light load) are obviously important influencing factors, but they do not explain the differences between buses. By analyzing the topology of the system and the simulation results of the experimental cases, we identified several key influential factors. The following discussion treats type I and type II FDI attacks separately.
Type I FDI attacks are based on active control of DERs. Therefore, we adjusted the position of the DER buses and performed only type II FDI attacks to observe and compare the magnitude of the attack threat on each load bus. We found that the distance between the attacked bus and the DER buses is an important factor. If the topology of the distribution network is regarded as an unweighted graph, the distance between two buses is the length of the shortest path between them in the graph. Let D_ij denote the distance between bus i and DER bus j, and ΔV_i the average of the MVDs over the 2,000 conditions. The correlation coefficients between D = {∑_{j∈S} … | i ∈ L} and ΔV = {ΔV_i | i ∈ L} under different DER location cases are shown in Table 3, indicating that the MVD has a strong positive correlation with the average of the reciprocals of the distances.
Type II FDI attacks rely on controlling EV charging on a large number of load buses, which are often distributed throughout the entire distribution network. However, by analyzing the attack strategies mentioned in Section 5.2, we found that the manipulated load buses whose active power is changed are often concentrated on a few fixed buses, irrespective of the operating conditions and of which bus is attacked, as shown in Figure 12. This indicates that load fluctuations on these buses have a stronger impact on the voltage level of the entire network and are not significantly affected by changes in operating conditions. Additionally, as shown in Figure 8, some buses are less vulnerable to FDI attacks and remain in a relatively secure state under most operating conditions. In conclusion, for the type I attack, the threat posed by each DER bus to a load bus decreases as the distance between them increases. For the type II attack, the threat of flexible loads on each load bus is determined by the mutual influence between load buses, which is mainly governed by the network topology and parameters of the ADN and has little relation to the load/generation conditions.

COUNTERMEASURES
Extensive research has been conducted on defense methods against FDI attacks. However, most defense methods pertain to transmission systems, and few have considered FDI attacks in distribution systems. Moreover, CFDI attacks exploit new features of ADNs, which may render traditional methods ineffective. Therefore, based on the experimental analysis presented above and the functionalities of SCADA systems, this paper offers insights into prevention, detection and mitigation strategies for CFDI attacks.
System hardening and data protection: With strategies such as encryption and continuous monitoring [58,59], we can identify critical buses that need enhanced monitoring and provide pre-incident plans for the operation of distribution networks. It is also important to strengthen the distribution grid with effective detection methods for complicated cyber attacks. Moreover, attacks on physical systems usually require the attacker to have comprehensive information about the system [60]; therefore, methods such as data obfuscation can disrupt the attacker's access to that information [61]. Furthermore, existing work proposes intrusion detection methods for fieldbus networks [62], which can help prevent SCADA systems from being eavesdropped on and deceived.
Proactive detection strategy: The efficacy of CFDI attacks depends heavily on the attacker's knowledge of the system (e.g. network topology, line impedances). Recently, the concept of moving target defense (MTD) has been introduced into the power system security field. This approach dynamically perturbs line impedances [63,64] or encodes meter outputs [65] to impede the attacker's ability to acquire up-to-date system knowledge. The application of MTD within distribution systems has recently attracted significant interest. Leveraging the substantial presence of flexible AC transmission devices within the grid, this method can detect most FDI attacks at a very low cost.
System resistance improvement: This approach has two aspects. (1) Enhancing the system's resilience. CFDI attacks often require significant changes in the power of several buses. Therefore, limiting the power injection and fluctuation of buses would be an effective measure [66]. Also, reactive power compensation devices such as RPCs can be added at the load buses to replace part of the reactive power output of the distributed energy supply, converting part of the voltage regulation capability from active control to passive control. (2) Reducing the impact of attacks on critical loads. If the attack cannot be eliminated completely, securing critical loads can indirectly enhance the system's resilience to attacks. Section 5.6 points out that the degree to which a bus is threatened by attacks is negatively correlated with its distance to the DER buses. Therefore, important loads can be placed in safety regions that are far from the DER buses and are not susceptible to active load fluctuations. Similarly, when placing DERs in the ADN, the DER buses should be located at a small distance from each other, which helps enlarge the security regions and reduces the impact of attacks on the entire network. We conducted the following experiment to confirm this recommendation. We connected the DERs to the network in 100 different location cases, and then calculated the average distance between the three DERs and the average MVD over the 2,000 conditions. The relationship is shown in Figure 13. As the concentration degree of the DERs increases (i.e. the average distance of the DERs increases), the average MVD over the entire network decreases, so the ADN faces a less severe attack threat.

CONCLUSION AND FUTURE WORK
In this paper, we propose a coordinated FDI attack that induces significant voltage deviations in ADNs. The attack exploits the impact of power changes of DERs and flexible loads on voltage deviation, which can be achieved through two types of FDI attacks, that is, the type I attack on measurement data and the type II attack on control commands. For the type I attack, we also present a method for indirectly controlling the reactive power output of DERs through false measurements.
To enhance the attack capability, we propose an algorithm that generates the optimal coordinated attack strategy under limited attack resources. Experimental results on the DTU-ADN benchmark demonstrate that the CFDI attack can cause significant voltage deviation and is stronger than a pure type I or type II FDI attack. Finally, we analyze the factors that influence CFDI attacks and propose countermeasures against them.
In the future, we will investigate the CFDI attack further in two directions. First, we will consider the impact of indeterminate factors, such as the charging behavior of EVs and the power fluctuation of DERs, on attack resources, and study the threat under these factors. Second, we will explore the threat when information, including network topology, parameters and regulation strategies, is incomplete.

Yang Liu and Chenyang Yang contributed equally to this work. This is an open access article under the terms of the Creative Commons Attribution License, which permits use, distribution and reproduction in any medium, provided the original work is properly cited. © 2024 The Author(s). IET Generation, Transmission & Distribution published by John Wiley & Sons Ltd on behalf of The Institution of Engineering and Technology.

FIGURE 2 The CFDI attack consists of type I and type II FDI attacks. Type I FDI attacks can change the reactive power ΔQ of DERs, while type II FDI attacks can change the active power ΔP of flexible loads, DERs, etc. Finally, the coordinated change of active power ΔP and reactive power ΔQ can cause a significant voltage deviation ΔV on the target node.

FIGURE 3 Timeline of the CFDI attack. The active voltage regulation is performed every Δt. For the n-th CFDI attack, the change of reactive power ΔQ_att is introduced by the active voltage regulation at t_n, which has been misled by the type I FDI attack z_att conducted before t_n. Meanwhile, the change of active power ΔP_att is directly introduced by the type II FDI attack u^II_att.

FIGURE 4 A smart distribution network testbed with six circuit branches, each containing a smart switch, a smart meter and a power plug. All smart devices are monitored and controlled by the SCADA system via the RS485 communication line.

FIGURE 5 Query and response frames for opening smart switch #1. The frame checksum is the sum of all bytes from the frame starter to the data content, truncated to the lowest 8 bits.

FIGURE 7 The number of successful CFDI attacks that could be conducted on each load bus under the 2,000 conditions.

FIGURE 8 Violin plots of the MVDs caused by FDI attacks on the 22 load buses. A violin plot is a hybrid of a box plot and a kernel density plot, depicting summary statistics and the density of each variable.

FIGURE 9 Box plots of the MVDs over the 24-h period corresponding to 80 days. The line at the top of the figure represents the change in the maximum value of the MVDs.

FIGURE 10 MVD on bus 38 under different total capacities of RPCs.

FIGURE 11 MVDs on bus 38 under different gears of the OLTC.

FIGURE 13 Impact of the DERs' location on the voltage deviation threat.

TABLE 1 Register settings of the CT ratio and PT ratio in the three smart meters.

TABLE 2 Feasibility of Algorithm 2 for DERs under different ΔV_target.

TABLE 3 The correlation coefficients between D and ΔV under different connection points of the DERs.
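The following is an added example, not code from the paper, illustrating the distance-based analysis of the "Influential factor" subsection and the siting recommendation of the countermeasures section on a small constructed feeder: it computes shortest-path (hop) distances from each load bus to the DER buses, the mean reciprocal distance as an exposure metric, its Pearson correlation with constructed per-bus MVD values, the lowest-exposure buses as candidate safety regions for critical loads, and the average pairwise DER distance used as the siting metric. The topology, bus numbers and MVD values are constructed for illustration and are not the DTU-ADN data.

```python
# Added example (not from the paper): distance-based exposure analysis of
# load buses to DER buses, as a defender's tool for identifying safety regions.
from collections import deque
from itertools import combinations
from math import sqrt

# Constructed toy radial feeder: bus -> neighbouring buses (unweighted graph).
TOY_FEEDER = {
    1: [2], 2: [1, 3, 7], 3: [2, 4], 4: [3, 5], 5: [4, 6], 6: [5],
    7: [2, 8], 8: [7, 9], 9: [8, 10], 10: [9],
}
DER_BUSES = [3, 8]              # constructed DER connection points (set S)
LOAD_BUSES = [4, 5, 6, 9, 10]   # constructed load buses (set L), none on a DER bus
# Constructed average MVDs (p.u.) per load bus, standing in for simulation output.
TOY_MVD = {4: 0.11, 5: 0.09, 6: 0.07, 9: 0.10, 10: 0.08}

def shortest_path_lengths(graph, source):
    """BFS hop count from `source` to every reachable bus (unweighted graph)."""
    dist = {source: 0}
    queue = deque([source])
    while queue:
        u = queue.popleft()
        for v in graph[u]:
            if v not in dist:
                dist[v] = dist[u] + 1
                queue.append(v)
    return dist

def exposure(graph, load_buses, der_buses):
    """Mean of 1/D_ij over DER buses j for each load bus i (reciprocal-distance metric)."""
    dist_from_der = {j: shortest_path_lengths(graph, j) for j in der_buses}
    return {i: sum(1.0 / dist_from_der[j][i] for j in der_buses) / len(der_buses)
            for i in load_buses}

def pearson(xs, ys):
    """Pearson correlation coefficient of two equal-length sequences."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = sqrt(sum((x - mx) ** 2 for x in xs))
    sy = sqrt(sum((y - my) ** 2 for y in ys))
    return cov / (sx * sy)

def exposure_mvd_correlation(graph, load_buses, der_buses, mvd):
    """Correlation between exposure and MVD across load buses (positive = distance matters)."""
    exp = exposure(graph, load_buses, der_buses)
    return pearson([exp[i] for i in load_buses], [mvd[i] for i in load_buses])

def safest_buses(graph, load_buses, der_buses, k):
    """The k load buses with the lowest exposure: candidate safety regions for critical loads."""
    exp = exposure(graph, load_buses, der_buses)
    return sorted(load_buses, key=lambda i: (exp[i], i))[:k]

def average_der_distance(graph, der_buses):
    """Average pairwise hop distance between DER buses (the siting metric of Figure 13)."""
    pairs = list(combinations(der_buses, 2))
    if not pairs:
        return 0.0
    return sum(shortest_path_lengths(graph, a)[b] for a, b in pairs) / len(pairs)
```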