Defending against false data injection attacks in power systems: techniques for securing state estimation and distance protection

Abstract

The digitalization of power systems—enabled by technologies such as digital substations and Wide-Area Monitoring, Protection, and Control (WAMPAC) systems—has improved automation, visibility, and system control. However, this increased reliance on data and communication networks has also increased the system’s vulnerability to cyber threats. Among them, False Data Injection Attacks (FDIAs) are particularly concerning due to their stealth and potential to disrupt core grid functions. Their far-reaching impact highlights the urgent need for comprehensive vulnerability assessments and robust defense strategies to protect digitalized power systems. In response to these challenges, this thesis investigates two high-impact FDIA scenarios: (1) coordinated, stealthy attacks targeting Phasor Measurement Unit (PMU)-based state estimation, and (2) falsification of protection signals targeting distance relays. For each case, the thesis first conducts a detailed vulnerability analysis to assess attack feasibility and impact. Building on these insights, it then develops defense strategies to enhance the cyber-physical resilience of modern power systems. The first part of this thesis evaluates the vulnerability of PMU-based state estimation to multi-step, stealthy FDIAs, in which adversaries coordinate sequential manipulations of PMU measurements not only to evade bad data detection but also to amplify the cumulative impact on system operation. To model this attack process, a vulnerability assessment framework is proposed based on a Markov Decision Process (MDP) integrated with bilevel optimization. The MDP, solved using Q-learning, models the attacker’s sequential decision-making and yields a vulnerability index that enables operators to assess system impact and identify critical attack stages for targeted defense. This analysis highlights a key insight: while stealthy FDIAs on state estimation typically require coordinated manipulation of multiple correlated PMUs—an operationally complex task—compromising a single Phasor Data Concentrator (PDC), which aggregates data from these PMUs, allows an attacker to simultaneously alter all associated measurements. This significantly increases the feasibility and potential impact of the attack. Yet, most defense strategies remain focused on individual PMUs, overlooking the critical role of PDCs as centralized aggregation points and high-value attack targets. To address this overlooked threat, the second part of this thesis proposes a tri-level defender–attacker–operator optimization framework for redesigning PMU-to-Super PDC (SPDC) assignments as a defense mechanism against stealthy FDIAs targeting state estimation. The objective is to minimize vulnerability to such attacks while accounting for communication constraints such as transmission delays. Leveraging Software-Defined Networking (SDN), the framework enables dynamic reassignment of PMUs to SPDCs without additional cost, providing system operators with a practical and scalable defense strategy. To further strengthen data aggregation–based defense strategies, it is crucial to consider not only the assignment of PMUs to PDCs but also the cyber-layer structure—including communication paths—as both a source of system vulnerability and a target for defense strategies. Building on this, the thesis analyzes the often-overlooked role of the cyber layer in vulnerability to stealthy FDIAs and introduces a Cyber-Physical Risk Metric (CPRM) that combines both the likelihood and physical impact of attacks. The CPRM quantifies risk by combining the physical consequences of losing a transmission line with the probability that such a loss results from a stealthy FDIA. This probability is estimated by identifying minimal critical PMU sets whose compromise could stealthily overload transmission lines, using an algorithm that solves multiple bi-level optimization problems. Next, Bayesian Attack Graphs (BAGs) are developed for each substation and communication link to model potential access pathways and calculate the probability of compromising the identified critical PMU sets. The thesis then proposes an optimization-based data aggregation reconfiguration scheme that leverages SDN to dynamically reconfigure both PMU-to-PDC assignments and their communication paths, minimizing the risk quantified by the developed metric and serving as a defense mechanism against stealthy FDIAs. Finally, this thesis addresses FDIAs targeting distance protection and demonstrates that falsified measurements can severely compromise fault detection and isolation, thereby threatening power system security and stability. To defend against such attacks, a cyberresilient protection scheme is proposed, which activates during cyber threats and temporarily backs up distance relays to maintain system integrity. The proposed protection scheme mimics the zone-based fault detection of distance relays but leverages traveling waves (TWs)—which are the natural signatures of real faults—along with dedicated hardwired current measurements and a Random Forest (RF) classifier to identify faults in each zone. The RF classifier is trained on the attenuation patterns of TW frequency components as they propagate from fault locations to the line terminal. Since attenuation patterns depend on both frequency and travel distance, the RF classifier can accurately determine the fault zone by extracting frequency-related features from the first TW using a wavelet transform and analyzing its attenuation characteristics.