This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

IEEE TRANSACTIONS ON SYSTEMS, MAN, AND CYBERNETICS: SYSTEMS

A Survey on Security Communication and Control for Smart Grids Under Malicious Cyber Attacks

Chen Peng, Senior Member, IEEE, Hongtao Sun, Mingjin Yang, and Yu-Long Wang, Member, IEEE

Manuscript received August 27, 2018; accepted November 17, 2018. This work was supported in part by the National Natural Science Foundation of China under Grant 61833011, Grant 61673255, Grant 61633016, and Grant 61873335, in part by the Key Project of Science and Technology Commission of Shanghai Municipality under Grant 10JC1405000, in part by 111 Project under Grant D18003, in part by the Outstanding Academic Leader Project of Shanghai Science and Technology Commission under Grant 18XD1401600, and in part by the Program for Professor of Special Appointment (Eastern Scholar) at Shanghai Institutions of Higher Learning, China. This paper was recommended by Associate Editor D. Yue. (Corresponding author: Chen Peng.)

The authors are with the Shanghai Key Laboratory of Power Station Automation Technology, Shanghai University, Shanghai 200444, China, and also with the Department of Automation, School of Mechatronic Engineering and Automation, Shanghai University, Shanghai 200444, China (e-mail: c.peng@shu.edu.cn).

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TSMC.2018.2884952

2168-2216 © 2018 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

Abstract—Smart grids (SGs), which can be classified as a class of networked distributed control systems, are designed to deliver electricity from various plants through a communication network to serve individual consumers. Due to the complexity of the environments, the distribution of spatial locations, and the vulnerability of the communication networks, cyber security emerges as a critical issue because millions of electronic devices are interconnected via communication networks throughout critical power facilities. This paper provides a comprehensive security understanding of the SG framework, attack scenarios, detection/protection methods, and estimation and control strategies from both communication and control viewpoints. Some potential challenges and solution approaches for dealing with the threats to SGs are also discussed. Finally, conclusions are drawn and future research directions are highlighted.

Index Terms—Attack detection, cyber security, cyber-physical systems, security control, smart grids (SGs).

I. INTRODUCTION

Energy and its delivery infrastructure play a very important role in human activities. Against the background of global energy shortage and environmental damage, a large number of renewable energy sources will be incorporated into the grids in order to supply homes, offices, and factories. It is predicted that average annual electricity demand is expected to increase from 1.3% per year in 2015 to about 2.8% by 2020 (Smart Grid Top Markets Report 2017) [1], and that electricity demand will increase by 150% worldwide by 2050 (International Energy Agency, 2010) [2]. Since traditional power generation depends heavily on fossil fuels, which may bring severe degradation of the environment, the fundamental energy management paradigm is expected to be developed urgently [3], [4]. Smart grids (SGs), as the typical representative of the next-generation energy Internet, capture a complex infrastructure that delivers power through advanced information and control methodologies integrated with communication and electric flows. Because of the inherent requirements of decarbonization, operational efficiency, and clean distribution, SGs have drawn more and more attention from both governments and the engineering communities in recent years [5], [6].

Tracing back to the original concept of SGs, it was first proposed by the Electric Power Research Institute in the form of "IntelliGrid" in 2001, and the USA Government officially started the construction of SGs in 2003. The definitions of SGs may differ slightly from country to country, for example, "E-Energy" in Germany, "FREEDM" in the USA, and "Digital Power Grid" in Japan. However, the most popular framework of SGs was provided by the USA National Institute of Standards and Technology in 2010. In order to support the development of SGs, state-level policies, in the USA, Europe, Japan, and China, to mention just a few, have been launched to facilitate the further development and implementation of SGs [7]. Nowadays, applications of SGs can be found everywhere, such as the Internet of Things, Industry 4.0, new energy automobiles, etc. [2], [8], [9].

With the ever-increasing availability of advanced metering infrastructure (AMI), various information and communication technologies (ICTs), and intelligent demand-side management (DSM) techniques, the flexibility, resilience, and robustness of monitoring and control of SGs have been greatly improved. Precisely because of the integration of such methods, the current dilemma in SGs is that it is difficult to trade off the factors of efficiency, reliability, security, and optimization when facing such large-scale complex networked systems. In fact, such large-scale automated and widely distributed supervisory control and data acquisition (SCADA) systems are liable to suffer from many uncertain factors and are vulnerable to various malicious attacks. Also, SCADA systems can typically be characterized as cyber-physical systems with deep integration between cyberspace and physical systems.

The strong dependence on ICT and the Internet in SGs leads to new security concerns which differ from traditional IT security. Numerous security threats, ranging from theft and cyber-attacks to natural disasters, will result in power supply failures, false visualizations, cascading failures, damaged consumer devices, energy market disorders, endangered human safety, etc. As for security in SGs, representative accidents highlighted in reports include multiple power blackouts in Brazil, the SQL
Slammer worm attack on the Davis–Besse nuclear plant, the StuxNet computer worm, and various industrial security incidents [10]. According to the 2014 McAfee report, 80% of the surveyed electric utilities went through at least one large-scale denial of service (DoS) attack on their communication networks [11], and 85% of the utilities suffered from network infiltrations. The World Bank reported that electricity theft reaches up to 50% in some jurisdictions in developing countries. The feature of these attacks is that they are launched on information networks, but the physical infrastructure is seriously damaged. It thus appears that the security of the communication network plays a very important role in protecting the reliability of SGs.

Since wired or wireless networks are applied in SG communication, the unreliability and complexity of data transmission impose a real threat on power systems. Thus, SGs are sensitive to unpredictable transmission effects, such as noise, interference, and even various attacks. On the one hand, traditional IT security strategies supply effective protection for communication. However, due to the development of various intelligent attacks, traditional IT protections are far from enough for securing SGs, whose feedback-control characteristic via communication channels is highlighted. When such IT safety guarding is invalid, serious consequences will be induced. Moreover, some malicious attackers focus not only on communication networks but also on AMI, controllers, etc. This leads to extra vulnerability of SGs which differs from traditional IT security. In addition, traditional IT protections merely concern confidentiality, integrity, and availability (CIA), while some common attacks from physical systems are often neglected. These attacks may manifest as concealed disturbances and uncertainties in the physical world. Although the attenuation of disturbances or uncertainties can be handled by control-theoretic methods, this is not applicable to covert attacks that alter physical systems in a stealthy way.

Therefore, the interconnection between cyberspace and physical power systems implies that the critical security issues are not independent. The drawback of current studies is the separate design of IT security tools and control implementations. In this survey, we mainly focus on a review of the security problems of SGs from different perspectives. We attempt to summarize the recent studies on these promising topics in the security of SGs in order to identify the current technologies, the research gaps, and the future research trends for attaining reliable, efficient, and intelligent power systems. For a better understanding of security problems in SGs, this paper attempts to summarize related works which include the following.

1) The comprehensive theories, strategies, and technologies on the security framework of SGs are reviewed and analyzed from both IT protection and secure control-theoretic viewpoints.

2) Some challenging directions, especially in security strategies from control-theoretic solutions, are presented in this survey.

The rest of this paper is organized as follows. Section II gives the preliminaries on the security framework of SGs. In Section III, IT-based attacks and security schemes are summarized. Section IV discusses the effects of malicious attacks on SGs. In Section V, some security control strategies are summarized for SGs under DoS attacks. In Section VI, some detection and estimation approaches are surveyed for malicious cyber attacks. The last section concludes this paper by identifying some potential research directions.

II. SECURITY ISSUES OF SGs

Fig. 1. Basic structure of SGs.

In this section, we start our literature review from the security framework of SGs. A typical SG is shown in Fig. 1. It portrays a scenario in which the SGs fill the gap between traditional power systems and communication networks, allowing remote access by a large number of consumers. Through this integration of communication and control layers, local data processing, distributed control, and reliability-driven response should be realized. Resorting to advanced control and optimization strategies, SGs will distribute power automatically by engaging and empowering customers in utility management. Then, SGs will give comprehensive information regarding energy consumption to all consumers in real time when delivering electricity to them. Also, they will expose customers' fine-grained electricity utilization information to utilities through the AMIs. It shows that the utilities are used by power suppliers to apply different prices for power consumption according to a certain time duration.

By considering the interaction between cyberspace and the physical world, and between communication and control issues, threats exist in all aspects of SGs and are not limited to security problems. For example, besides the inherent challenges of time delay, packet dropouts, or bandwidth limitation for communication networks [12], a secure transmission manner is required so as to avoid malicious jamming or tampering [13]; besides the accuracy or intelligence requirements, fabricated smart meter readings and manipulated energy costs will impose extra limitations on AMIs, which are widely used in SGs [14]. In addition, DSM techniques will increase the management complexity while bringing some flexibility; harmonics injection by a large number of electronic devices will lead to voltage distortion problems [15]; the communication and computing burden of big data in SGs is on the rise due to the limitations of conventional data management techniques [9]; etc.

Based on the framework of SGs, which includes generation, transmission, distribution, and consumption, the intelligence of distribution, the flexibility of communication, and the resilience of control are the three main connotations of SGs [16]. However, it is not easy to achieve such goals, especially in unsafe environments. Different cyber threats and challenges
have been discussed in [10], [14], and [17]–[19] and the references therein. In general, these threat sources range from generation to the customers, as depicted in Table I.

TABLE I
CLASSIFICATION OF THREATS IN SGs

In general, four steps, which include reconnaissance, scanning, exploitation, and access, are conducted when an attacker wants to get into SGs [20]. The activities of attackers in the different steps are given in Table II. Taking security requirements into consideration, the basic security requirements (CIA) should also be satisfied in SGs, which are similar to traditional IT security requirements.

TABLE II
ACTIVITIES OF ATTACK IN DIFFERENT STEPS

First of all, we focus on the security issues from the perspective of network protocols in SGs. Commonly, ZigBee or Z-Wave protocols are often used in the home area network; IEEE 802.11, IEEE 802.15.4, and IEEE 802.16 standards are often adopted in the neighborhood area network; and Distributed Network Protocol 3.0 and Modbus are often found in the wide area network and SCADA systems. Also, cognitive radio based on IEEE 802.22 has been advised for use in SGs [21]. However, these protocols are very vulnerable to attacks because of the deficiency of their protection schemes. In industrial architectures, these protocols are designed without authentication, encryption, or any excessive overhead, for ease of use, which also makes them easy for various attackers to exploit [22]. In fact, contemporary security strategies, such as virtual private networks (VPNs), intrusion detection systems (IDSs), public key infrastructure (PKI), anti-virus software, firewalls, etc., have been widely used in communication protection in order to protect the IT infrastructure. However, they may not be applicable to SGs due to their different requirements. Different from traditional IT security issues, data availability for securing a control system is much more important than for traditional IT requirements. In addition, SGs highly restrict transmission delays or failures, while these uncertainties are tolerated by IT systems [23]. Thus, security concerns of SGs focus on different aspects from IT protection.

Second, we discuss the effects of cyber security on control systems. Still, for distributed and networked SGs, the relationship between cyberspace and physical grids is often modeled as a directed graph in which every node has associated state information governed by dynamical differential equations or functionalities [10]. These graph-based models couple the states of the physical grids and the information dynamics of SGs. Information availability will affect both a single-area power system and all power grids due to their connections. Based on the reliability and security considerations of the distributed SGs, the following three questions raised by [24] are stated.

1) Which cyber components, if compromised, can lead to significant power delivery disruption?

2) What grid topologies are inherently robust to classes of cyber attack?

3) Is the information available through advanced cyber infrastructure worth the increased security risk?

According to the above questions, it is necessary to further address the potential impacts of cyber attacks on physical grids. This mainly includes analysis of cascading failures within and between cyber and physical subsystems. In order to quantify the effects of cyber threats, a series of activities has been initiated by the Department of Energy Infrastructure Assurance Outreach Program. These activities are composed of the following aspects [25].

1) Characterization of cyber security threats with different quantified notions, such as financial loss, asset damage, environmental harm, etc.

2) Communication analysis and design to identify cyber assurances.

3) Penetration testing to identify network vulnerabilities associated with different network architectures.

4) Analysis of the effects on physical system operations due to unauthorized access to cyberspace.

This means that cyber attacks impose real threats on SGs which will lead to more serious losses than Internet security accidents. As an example, when an attacker deliberately hacks into the power grids and launches false data injection (FDI) attacks, the energy management system at the remote control center may be misled by the fake meter data and make wrong decisions on power dispatch, or even produce fake billing without anything being perceived. In this case, the objective of an adversary may not be just gaining unauthorized access but crippling the power system from the physical meter units, which originates from estimation or control perspectives.

Moreover, the requirements for securing SGs should be presented in view of both communication security and control resilience. However, we refer to these security requirements of SGs as the restrictions on communication imposed by control requirements rather than single-purpose information protection. Progressively, we discuss such restrictions, from information
protection in networks to communication constraints in the control requirements for SGs [26].

1) Information Security: As the first line of defense, one must secure the information exchanges between every unit of SGs. Therefore, the data protection scheme should be well designed in order to avoid data jamming and tampering, which may give rise to grid misoperation. Related algorithms, such as MD-5, SHA-1, and compliance checks, can be found in [27], [28].

2) Communication Reliability: Data transmission schemes must be designed in a reliable fashion. When communication failures occur, retransmitting or discarding schemes are decided upon to cope with unreliable communication cases, for example, the TCP/IP, UDP, and TOD protocols [29], [30].

3) Transmission Delay: Different from the IT infrastructure, control of SGs may be sensitive to transmission time delay, which requires that there is a maximum allowable time delay within which a particular message should reach its destination. Otherwise, the physical grids may face corruption or destabilization [31].

Through the above analysis, one should trade off between information security and control performance for SGs. In fact, some encryption solutions will introduce an extra time delay in the control loop which usually degrades control performance. Therefore, defense-in-depth-like security strategies are only partial solutions for SGs. How to deal with the security control issues when the defensive line is invalid should also be highlighted in SGs.

III. IT-BASED ATTACKS AND SECURITY SCHEMES

Traditional IT security schemes devote themselves to keeping the security of cyberspace or device data, which includes encryption, secure communication, sensor data protection, and cryptographic algorithms [32]. Considering the inherent weakness of IT infrastructure and distributed phasor measurement units (PMUs), several attack scenarios with their attack schemes and countermeasures will be illustrated from the perspective of cyberspace.

A. Network Detection of DoS Attacks

Most security problems focus their targets on the Internet, wireless networks, and sensor networks. As a representative of cyber attacks, DoS attacks are launched from communication networks by exhausting network resources. DoS attacks may block network transmission with a large volume of useless data to deliberately consume the limited resources, such as CPU cycles, network bandwidth, or packet buffers. Several methods are often used to implement these attacks, for example, SYN attacks, teardrop attacks, puppet attacks, or smurf attacks. It is reported that Modbus/TCP is vulnerable to SYN DoS attacks and that 10%∼20% packet dropouts are caused by puppet attacks [33].

In SGs, because DoS attackers always try to send fake requests to servers or networks against various grid components, including smart meters, electric utilities, communication links, and service providers, the control center is unable to update its control input in time without feedback measurements. Similarly, devices cannot communicate under such attacks due to the changed routing protocol [34]. Also, distributed DoS (DDoS) attacks act from many malicious sources spread over multiple hosts, while a DoS attack is a single source of attacks in the distributed network environment of SGs. For example, the attacker wastes the bandwidth and system power of smart meters in the AMI network for several hours, days, or even weeks [35]. These result in a harmful impact on the performance of the power system. Another type of DoS attack in SGs is the so-called intermittent DoS (IDoS) attack. When an IDoS attack starts, the attacker adjusts the request number dynamically. At the same time, the arrival rate of the burst sequence is changed with the ineffective requests and a fixed-period impulse (generally, the IDoS impulse is considered as a Dirac signal). Then the arriving requests overload the system within a short part of each period while the actual admission speed decreases dramatically, where the IDoS attack is initiated in the microgrid system. Consequently, the admission controller shuts off legitimate requests for a long time. The attacker repeats this process to reduce the system stability. As a result, the communication channel is blocked [36]. However, the aforementioned works on DoS attacks are result-oriented. In order to characterize the dynamics of the attack side and the defense side, the game theory framework supplies an effective way to model this interactive decision-making process between the two sides, as well as for FDI attacks [37], [38].

DoS detection is the premise for applying appropriate mitigation countermeasures. At the IT security level, some detection methods, which include flow entropy, signal strength, sensing time measurement, transmission failure count, etc., have been exploited to identify DoS attacks. Accordingly, pushback, rate limiting, filtering, reconfiguration, and clean center are the common countermeasures to mitigate DoS attacks [39].

B. Prevention From FDI Attacks

Devices like PLCs, remote terminal units (RTUs), and IEDs are widely distributed in power delivery systems for facilitating the regulation of dispatch functionalities from a remote location [40]. As a class of attacks from devices, FDI attacks can modify the data exchanged among different SG components, which can cause cascading effects. Intuitively, FDI attackers inject malicious packets to smash network services and compromise the sensor nodes or hijack the communication channel between the sensor networks and the physical power system [41]. For instance, an attacker will send any false signal after hacking the RTUs, such as sensors in SG systems. A smart attacker needs the following two kinds of knowledge in order to implement a successful attack. One is that the attacker can access the current power system configuration information and manipulate the measurements of meters at physically protected locations; the other is that attackers will try their best to tamper with the data of SGs without detection. Therefore, FDI attacks impose a real threat on state estimation which is difficult to detect. Taking ac state estimation as an example, attackers decrease the real power flow measurement to damage system stability [42].
Actually, the smart attacker should systematically know the system and effectively construct attack vectors to escape detection, or they will be found out very quickly. Although the IEEE 1686-2007 standard proposes some security requirements for these devices, statistics show that typical IEDs are far from complying with this standard [23]. In contrast, state estimation is used in SG system monitoring to get the best estimate of the power grid state by analyzing meter measurements and power system topologies. Hence, FDI attacks can affect monitoring and state estimation integrity by tampering with measurement and/or control data, either of which will lead to instability of the power system [43]. From the IT security level, several data aggregation algorithms have been proposed for securing data from being compromised. Per-hop and end-to-end communication protocols are designed for the tradeoff between security and efficiency in [44]. Also, AES and DES encryption algorithms are exploited to protect local devices [27].

C. Identification of Replay Attacks

Generally speaking, stealing energy and physical damage are the main motivations for the replay attack. Similar to FDI attacks, a replay attack is a type of FDI which repeats the stealthy data in the sensor within a certain time. In order to implement replay attacks in SGs, one must hijack PMUs at first, then observe and record their readings within a certain time duration. At last, attackers will repeat them afterward when they carry out attacks such that they can deceive the control center. In fact, it is difficult to detect this attack due to its capability of passing the examination of cryptographic keys [34]. For this reason, attackers can create a wormhole tunnel or communication link between two SG terminals in order to launch their replay attacks [34]. This attack acts as a time-varying delay which may exist in the absence of the system's real information for the control center. Then the routing protocol is interrupted and a false representation of the recorded data may be created to fool the control center. For instance, an attacker can record and analyze the smart meter data in order to inject a false control signal into the system in a repeated display style [45].

IV. EFFECTS OF MALICIOUS ATTACKS ON SGs

Fig. 2. Load frequency control in SGs.

Without loss of generality and for the purpose of clear exposition, load frequency control (LFC), which is a typical representative of the networked control framework in SGs, is selected to illustrate the attack and defense schemes under various threats from both cyber and physical systems. Generalized cases are valid for other control problems in SGs. As is well known, a large-scale power system usually consists of several control areas interconnected through tie-lines. LFC in a power system is used to sustain the system nominal frequency (for example, 60 Hz in North America and China) and tie-line power by modifying the power generation references of generators when loads change. Generally, the closed-loop structure of LFC for the ith control area is shown in Fig. 2. Notice that the measurement signals are transmitted from a remote telemetry unit to the controller over networks in the LFC system. Thus, the LFC system is a typical networked control system (NCS) in which the control loops are closed via communication networks [46]–[48]. When representing the generators in one control area by an equivalent single-machine single-load system, one can establish the power system dynamics in the following state-space form [49]:

\[
\begin{aligned}
x(k+1) &= A x(k) + B \tilde{u}(k) + E w(k) \\
\tilde{y}(k) &= C x(k) + F v(k)
\end{aligned}
\tag{1}
\]

where $x(k) \in \mathbb{R}^n$ represents the state of the SGs at time $k$, while $\tilde{u}(k) \in \mathbb{R}^p$ and $\tilde{y}(k) \in \mathbb{R}^q$ indicate the actual output and control input, respectively, which may be polluted by malicious attacks. Moreover, $w(k) \in \mathbb{R}^n$ and $v(k) \in \mathbb{R}^q$ indicate the noise, disturbance/fault, or attacks. All the constant matrices are of appropriate dimensions. To achieve great generality, the above model is used to represent generalized control issues of SGs in this survey. For a controller, it is assumed that the feedback input is $y(k)$ and the output of the controller is $u(k)$. Similarly, the sensor output and actual input for a power plant are $\tilde{u}(k)$ and $\tilde{y}(k)$, respectively. More detailed information on the modeling of cyber-physical security scenarios in network environments can be found in [34] and [50]–[52]. In general, all malicious attacks can be classified into the following two categories, and further discussions are presented as follows.

A. Data Absence Attacks

Data absence attacks mainly refer to DoS attacks. For convenience, denote the controller input from sensor measurements as $y(k)$ and its output as $u(k)$. Similarly, the actual sensor output is $\tilde{y}(k)$ and the actual control input is $\tilde{u}(k)$. Under perfect conditions, the following equations are satisfied:

\[ u(k) = \tilde{u}(k) \tag{2} \]

\[ y(k) = \tilde{y}(k). \tag{3} \]

However, DoS attacks may lead to (2) and/or (3) being violated, which indicates that the system is abnormal. In particular, these DoS attacks have the direct manifestation that the controller cannot receive the sensor data $y(k)$ or the actuator cannot receive the control data $u(k)$. This is mainly embodied in time delays and packet dropouts. Denote the DoS attack fashions as follows:

\[
\begin{aligned}
\tilde{u}(k) &= u(k) + a^{u}_{k} \\
\tilde{y}(k) &= y(k) + a^{y}_{k}
\end{aligned}
\tag{4}
\]
where $a^{u}_{k}$ and $a^{y}_{k}$ are the attack sequences for the controller and the sensors, respectively. Then the mathematical model of DoS attacks can be given as $a^{u}_{k} = -S^{u}_{k} u(k)$ and $a^{y}_{k} = -S^{y}_{k} y(k)$, where $S^{u}_{k}$ and $S^{y}_{k}$ are Boolean diagonal matrices which take values from $\{0, 1\}$. $[S^{(\cdot)}_{k}]_{ii} = 1$ means that there exists a DoS attack, and $[S^{(\cdot)}_{k}]_{ii} = 0$ means that there is no DoS attack. Suppose that DoS attacks are imposed on the system (1); the deficiency of control and/or sensor data will induce open-loop process operation.

It is worth mentioning that $[S^{(\cdot)}_{k}]_{ii}$ plays an important role in characterizing the behaviors of DoS attacks. On one hand, it can represent various features of DoS attacks, such as physical limitations or the scheduling strategy for the $k$th step. Similar to [53], denote the set composed of the values of the various sensors and actuators as $\mathcal{S} = \{[S^{(\cdot)}_{k}]_{ii} \mid i \in \mathbb{N}, i \le m + p\}$. Due to physical limitations, not all sensor and actuator data can be neutralized at the same time. If the cardinality of $\mathcal{S}$ is small, we can define these types of DoS attacks as sparse DoS attacks. On the other hand, the subscript $k \in \mathbb{N}$ in $S^{(\cdot)}_{k}$ can also imply a DoS attack with energy constraints. Denote $I_j = [k, k + m] \subseteq \mathbb{N}$, $j, m \in \mathbb{N}$, as the $j$th DoS attack interval; then $m \le M$ indicates the energy constraint of the DoS attack. However, attackers can choose any time instant to start their attack, which is independent of external terms. Taking the above factors into account, a smart attacker will launch an attack in an optional form without time-and-space restrictions except for the energy constraint.

Considering packet-type transmission in TCP-based networks, if the packet is attacked, all data packeted at the $k$th instant will be lost. So $[S^{(\cdot)}_{k}]_{ii}$ often takes the same value from $\{0, 1\}$ simultaneously for all $i$. Then, variables $\gamma_k$ and $\nu_k$ can be used to model the actual control behavior of the NCSs,

From the viewpoint of system dynamics, these FDI attacks can be regarded as a special type of disturbance. However, these special "disturbances" hide themselves, bypassing detection more intelligently. In fact, a smart attacker always tries their best to destroy the system stability without being perceived.

Different from FDI attacks, replay attacks inject their false data in a periodic fashion. Assume that the replay attack records the measurements of PMUs from the time interval $[T_0, T_0 + T]$, where $T$ is a fixed time period. Then the false measurements received by the control center are

\[
\tilde{y}(k) =
\begin{cases}
y(k), & T_0 \le k \le T_0 + T - 1 \\
y(k - T), & T_0 + T \le k \le T_0 + 2T - 1.
\end{cases}
\tag{6}
\]

Therefore, the real measurements are replaced by these recorded measurements, which can drive the power system into the unsafe region. As for zero-dynamics attacks, they aim at designing an attack signal such that the residue $r(k) = 0$ always holds, i.e., 0-stealthy attacks. It is readily seen that zero-dynamics attacks will fool the detector and make it invalid.

As we all know, DoS attacks can be easily implemented, since they only need to block networks or deplete computation resources. Different from data absence type attacks, false data disruption type attacks need more system knowledge and have more elaborate behaviors than DoS attacks.

V. SECURITY CONTROL STRATEGIES FOR SGs UNDER DoS ATTACKS

Data absence attacks, which are named DoS attacks, imply that the measurements or control signal can neither be sent nor received [54]. In fact, there are several categories of DoS attacks, such as periodic, stochastic, and arbitrary styles.
i.e., In SGs, the power states are measured by RTU and sent to
the control center through communication networks. When an
x(k + 1) = Ax(k) + γk Bu(k)
adversary jams the communication channels, attacks network-
y(k) = νk Cx(k). (5) ing protocols, or floods the network traffic, these data will be
Here, γk ∈ {0, 1} and νk ∈ {0, 1} are independent and may not lost. These will lead to the open-loop SGs, even instability.
follow any rules. It should be noted that if and only if, γk = 1 In the following, we will investigate the security control for
and νk = 1, the NCSs are in closed-loop style. Otherwise, the the SGs under periodic DoS attack, stochastic DoS attack and
feedback model will be destroyed. In addition, if C = In×n , a arbitrary DoS attack.
state-art-feedback controller can be designed.
A. Security Control Under Periodic DoS Attack
B. False Data Disruption Attacks Consider another form of (1) for a class of sample-data
In a sense, all FDI attacks, replay attacks, and zero- system with state feedback controller under an event-triggered
dynamics attacks belong to the type of false data disruption communication scheme
attacks. The essence of these attacks is that the false sam- ẋ(t) = Ax(t) + Bu(t) (7)
pled data and/or control input will be applied to measurement
and operation for SGs. Generally speaking, if there are FDI u(t) = Kx(tk ) ∀t ∈ [tk , tk+1 ]. (8)
attacks on the PMUs, the output of (1) can be chosen as For periodic DoS attack, attackers can always jam the chan-
y(t) = Cx(k) + Fv(k) + ay (k). nels in energy-constrained and periodic fashions, and they
y
More generally, if Sku and Sk in (4) take any values except often follow the forms of
{0, 1} for a nonzero attack sequence auk and akk , then the fol- 
1 (n − 1)T ≤ t ≤ (n − 1)T + Toff
lowing criteria u(k) =  u(k) and y(k) =  y(k) hold which ujam = (9)
0 (n − 1)T + Toff ≤ t ≤ nT
indicates that FDI attacks occur in power systems (1). The
above inequalities imply that the state and operation data can where T is the action-period of the attacker and n ∈ N is
be received by controllers and/or actuators but these data are the period number. Obviously, communication is possible for
false. t ∈ [0, Toff ] when the jammer is sleeping and communication
is impossible for $t \in [T_{off}, T]$ when the jammer is activated. The question is how to find an appropriate control strategy (8) to guarantee the stability of networked power systems. Since the communication is interrupted during the time interval $[T_{off}, T]$, we hope that more frequent control actions will be implemented during $[0, T_{off}]$. Foroush and Martínez [55] studied the single-input system with such periodic DoS attack. They first stabilize the controlled system with controller $K_\lambda$ by the pole-assignment method. Similar to most studies of event-triggered control schemes [56], let

$$e(t) = x(t_k) - x(t) \tag{10}$$

represent the error between the value of the process state at the last control update and the value of the process state at the current time. Then, the closed-loop dynamics can be written as

$$\dot{x}_\lambda(t) = (A + BK_\lambda)x(t) + BK_\lambda e(t) \tag{11}$$

where $A + BK_\lambda$ has only one linearly independent eigenvector. In what follows, Jordan decomposition and a triggering strategy are used to achieve input-to-state stability (ISS) for the transformed system

$$\dot{x}_\lambda(t) = J_\lambda x_\lambda(t) + T_\lambda^{-1} B K_\lambda T_\lambda e_\lambda. \tag{12}$$

Let $x(t) = T_\lambda x_\lambda$ and $e(t) = T_\lambda e_\lambda$; the following event-triggering condition

$$|e_\lambda(t)|^2 \le \frac{\sigma\,(2\lambda - 1 - 2\|N\|)}{\|T_\lambda^{-1} B K_\lambda T_\lambda\|}\,|x_\lambda(t)|^2 \tag{13}$$

is exploited to guarantee asymptotic stability. Here, $\sigma \in (0,1)$ is a triggering parameter and $\lambda$ is a positive scalar related to the placement of the eigenvalue. The result shows that the event-triggering condition is related to the eigenvalue $\lambda$ and its Jordan decomposition. The joint control and identification algorithm for guaranteeing stability under unknown DoS attack is presented in [57]. However, the above-studied system should be narrowed down to standard controllable form.

It is shown that the event-triggered control scheme is more resilient to DoS attacks. Moreover, because of the energy constraint and periodic characteristics of periodic DoS attacks, they are easy to tackle.

B. Security Control Under Stochastic DoS Attack

Recalling (5), packet dropouts due to the DoS attack can also be modeled as a stochastic process, such as a Bernoulli process or a queueing process for $\gamma_k$ and $\nu_k$, when packets are jammed by attackers.

In [58], two queueing models are used to simulate the stochastic process of packet delay jitter and dropouts. In order to identify local network attacks and remote network attacks, the average service time $\mu$ is used to indicate the lumped effects of the DoS attack. Their experiments show that the worst performance occurs when the NCS traffic exhibits a strong autocorrelation of packet dropouts and delay jitter. Suppose that the packet dropouts due to DoS attack follow an independent identically distributed Bernoulli distribution and the controller uses the most recently successfully transmitted packets as a compensation strategy; the available data can then be represented as $\bar{x}(k) = \gamma x(k) + (1 - \gamma)\hat{x}(k)$. In [59], the network reliability threshold for stability is derived based on the proposed method. The problem left open by this paper is that the NCSs will become unstable even with smaller percentages of packet dropouts when the closed-loop poles are far from the imaginary axis with faster response times. Zhang et al. [60] provided an error function for the NCSs, where the DoS attacks are well considered. As the discrete-time form of (10), $e(k) = x(s_i) - x(k)$ is defined to derive the uniform ultimate bound for the studied NCSs, where $s_i$ represents the last successful control update. Considering a more sophisticated attack, Ding et al. [61] defined the output error as $e(k) = y(s_i) - y(k)$ and constructed the following output-feedback-based attacked model:

$$\bar{y}(k) = \gamma_k\big(y(k) + \nu_k \xi(k)\big) + (1 - \gamma_k)\,\bar{y}(k-1) \tag{14}$$

where $\gamma_k$ and $\nu_k$ are Bernoulli stochastic variables and $\xi(k)$ is the false data injected into the outputs. It is easy to see that the stochastic DoS attack and FDI attack can be well characterized by the parameters $\gamma_k$, $\nu_k$ and $\xi(k)$ in (14). However, the above studies fail to depict the key feature of energy constraints. In [62], the authors provide a probability characterization for random packet dropouts due to an unreliable link as well as those caused by the DoS attack under an event-based control scheme. For the above-mentioned case, denote $s_i$ as the time instants at which the packet exchanges between the plant and the controller are attempted. The authors characterized the event-triggering condition by a quadratic Lyapunov-like function $V: \mathbb{R}^n \to [0, \infty]$ given by $V(x) = x^T P x$. Then, the details can be represented as

$$s_{i+1} = \min\big\{t \in \{s_i + 1, s_i + 2, \dots\} \;\big|\; t \ge s_i + \theta \ \text{or}\ V\big(Ax(t) + Bu(s_i)\big) > \sigma V(x(s_i))\big\} \tag{15}$$
$$u(t) = (1 - \gamma_i) K x(s_i), \quad t \in \{s_i, s_i + 1, \dots, s_{i+1} - 1\} \tag{16}$$

for $i \in \mathbb{N}$, where $\sigma \in (0,1)$ is the event-triggering parameter, the same as the corresponding item in (13), and $\gamma_i$ takes values from $\{0,1\}$ as a binary-valued process which implies success or failure of the attempted packet exchanges. In order to describe the energy constraint of the DoS attack, the following non-negative integer-valued process is given by

$$L(k) = \sum_{i=0}^{k-1} \gamma_i, \quad k \in \mathbb{N} \tag{17}$$

where $L(k)$ represents the total number of failed packet exchanges attempted. By requiring, almost surely, that

$$P[L(k) > \rho] \le \epsilon_k \tag{18}$$
$$\sum_{k \in \mathbb{N}} \gamma_k < \infty \tag{19}$$

where $\epsilon_k \in [0,1]$ and $\rho \in [0, \infty)$, the energy constraint of a DoS attack is well addressed. In fact, conditions (18) and (19)
provide the characterization of the evolution of the total number of failed attempts in a probabilistic sense. It is worth noting that, corresponding to the average dwell time in switched systems theory, $P\big[\sum_{i=0}^{k-1} \gamma_i \le \kappa + k/\tau_D\big]$ gives the average duration of DoS attack in a probabilistic sense. Similar constraints for packet dropout in multihop channels can also be found in [63].

Optimal control/estimation approaches are applicable to evaluate the performance of the NCSs under DoS attack with regard to both defender and attacker. On one hand, as a defender, one always wishes to minimize the DoS effects on the NCSs. As a pioneering work, Amin et al. [64] considered the optimal control problem with security constraints for the system (5) with $C = I$, whose control and measurement packets are transmitted over a communication network. Then, a causal feedback controller will be synthesized to minimize the following finite-horizon objective function:

$$J_N = E\Big[x_N^T P x_N + \sum_{k=0}^{N-1} \begin{bmatrix} x_k \\ u_k \end{bmatrix}^T \begin{bmatrix} I_n & 0 \\ 0 & \nu_k I_m \end{bmatrix} Q \begin{bmatrix} x_k \\ u_k \end{bmatrix}\Big] \tag{20}$$

where $P \ge 0$, $Q = \begin{bmatrix} Q & 0 \\ 0 & \bar{Q} \end{bmatrix} \in \mathbb{R}^{(n+m)\times(n+m)}$.

In fact, if there are no other limitations for the Bernoulli stochastic variables $\gamma_k$ and $\nu_k$, the asymptotic stability has been solved in [59]. The attacked state, different from the compensator strategy with the latest successful control update, is estimated by a Kalman filter. Actually, they impose the following constraints on the NCSs.

1) Energy Constraint: The state and the control input in an expected sense

$$E\Big[\begin{bmatrix} x_k \\ u_k \end{bmatrix}^T \begin{bmatrix} I_n & 0 \\ 0 & \nu_k I_m \end{bmatrix} H_i \begin{bmatrix} x_k \\ u_k \end{bmatrix}\Big] \le \epsilon_i \tag{21}$$

with $H_i > 0$ for $i = 1, 2, \dots, L$ and $k = 1, 2, \dots, N-1$. Here, $\epsilon_i$ has the same meaning as the corresponding item in (18).

2) Safety Constraint: The state and the control input in a probabilistic sense

$$P\Big[t_i^T \begin{bmatrix} I_n & 0 \\ 0 & \nu_k I_m \end{bmatrix} \begin{bmatrix} x_k \\ u_k \end{bmatrix}\Big] \ge (1 - \varepsilon) \tag{22}$$

with $t_i \in \mathbb{R}^{m+n}$ satisfied for $i = 1, 2, \dots, T$ and $k = 1, 2, \dots, N-1$.

Based on the viewpoint of optimization in (20), Zhang et al. consider arbitrary attack schedules with an energy constraint to maximize the cost function for both estimation [65] and control [66]. Zhang et al. [65] constructed an optimal attack schedule strategy to maximize the expected average estimation error at the remote estimator. With a given finite horizon $T$ and the assumption of packet attacked probability $P(\gamma_k = 0) = \bar{\gamma}$, only $n$ attacks from $k = 1$ to $k = n$ can be launched, i.e., $\big\|\sum_{k=0}^{T} \gamma_k\big\| = n$. By defining the average expected estimation error covariance matrix

$$J_\gamma = \frac{1}{T}\sum_{k=1}^{T} E[P_k(\gamma_k)] \tag{23}$$

where $\gamma \in \Gamma$ represents the attack strategy to be designed, the optimization problem from an attacker can be transformed into

$$\max_{\gamma \in \Gamma} \operatorname{Tr}\,(23) \quad \text{subject to } \Big\|\sum_{k=0}^{T}\gamma_k\Big\| = n. \tag{24}$$

In addition, they also study how to schedule the attacks to bypass a given IDS. In [66], the optimal DoS attack strategy which is expected to maximize the linear quadratic Gaussian control cost function under an energy constraint is considered. In this paper, the assumption that the DoS attacker can jam the communication channel at most $n$ times during the action period $T$ is still given. Different from [57], the DoS attacker can take his choice, drop or not drop arbitrarily, to schedule attack actions during $[nT, nT + T_{off}]$. With the packet dropout probability $P(\gamma_k = 0) = \bar{\gamma}$, the expected DoS attack schedule strategy is designed to maximize the cost function

$$J_\gamma = \frac{1}{N}\,E\Big[\sum_{k=1}^{N} x^T(k) Q x(k) + u^T(k)\bar{Q}u(k)\Big] \tag{25}$$

where $Q$ and $\bar{Q}$ are the same as the items in (20). In fact, (25) is identical to (20) when the terminal constraint is removed. Similar to [65], the above optimization problem can be transformed into

$$\max_{\gamma \in \Gamma} \operatorname{Tr}\,(25) \quad \text{subject to } \Big\|\sum_{k=0}^{T}\gamma_k\Big\| \le n. \tag{26}$$

From (24) and (26), it is clear that the separation principle is proved once again, in that estimation and control are independent.

From the perspectives of both attack and defense, the choices of attack and defense strategies in the studies [64]–[66] are all based on the results of competition between the attacker and defender, and they fail to describe the interactive decision-making process between the two sides. Subsequently, game theory is a good choice for characterizing the dynamic behaviors between the defender and the attacker. A framework of a DDoS attack with evolutionary game theory is presented in [67]. Suppose there is a cooperative network model, where the $M$ defenders can collectively enhance their signal to interference plus noise ratio, while the $N$ attackers are launching an attack to degrade it. Then, an evolutionary game between attackers and defenders in a monomorphic population is defined over a finite pure strategy set $A = \{a_1, a_2, \dots, a_r, \dots\}$ with $r = 1, 2, \dots, |A|$, a mixed strategy set $S = \{\rho_s : \rho_s \in [0,1]\}$ which is the combination of $A$ with its weights being assigned to the pure strategies by the player, and a utility function $U(\cdot)$ used to indicate the utility of game results. The evolutionarily stable strategy is achieved by the following conditions: if $U(\rho^*, \rho^*) \ge U(\rho^*, \rho)$ or $U(\rho^*, \rho^*) \ge U(\rho, \rho^*)$, then $U(\rho^*, \rho^*) \ge U(\rho^*, \rho^*)$ for all $\rho^* \ne \rho$. The replicator dynamics are used to show how players in their population start to change their strategies over a time period until they reach a stable state. In this context, each player compares its utility with the average utility of the population each time to make a decision on whether to keep using the current strategy or not. However, their study only relates to the network model, while control or estimation issues are excluded. Ding et al. [37]
investigated the scenario in which the sensor measurements are transmitted to a remote estimator over a multichannel network which may suffer from a DoS attacker. The iterative process between the sensor and the attacker is modeled as a two-player zero-sum stochastic game. The remote estimator obtains the state estimate following the form in [68], i.e.,

$$\hat{x}(k) = \begin{cases} \hat{x}^s(k), & \text{if data is received successfully} \\ A\hat{x}(k-1), & \text{otherwise.} \end{cases}$$

Accordingly, the error covariance matrix $\rho_k$ is given as

$$\rho_k = \begin{cases} \bar{\rho}, & \text{if data is received successfully} \\ h(\rho_{k-1}), & \text{otherwise.} \end{cases}$$

The two-player stochastic game scenario exhibits opposite goals: the sensor should make sure that the estimator is well-informed of the process without wasting energy, while the attacker will disrupt the reliable communication between sensor and estimator without expending more effort. By simplifying the game framework of DDoS attack in [67], one can define a stochastic game by the six-element set $G = \{A, D, S, M, P, F\}$. Here, $A$ and $D$ represent attacker and sensor, respectively; $S = \{A, D\}$ is the action set of $A$ and $D$; $M$ denotes the state space of the game; the transition probability $P(m_{k+1} \mid m_k, s) \in P: M_k \times S \to M_{k+1}$ implies the probability of the next state being $m_{k+1}$ for a given current state $m_k$ and current action strategy $S$; and $F: M \times S \to \mathbb{R}^{A \circ D}$ denotes the payoff of each player $A$ and $D$. At the instant $k$, an action pair $S_k = (A_k, D_k)$ is chosen by the attacker and the sensor according to a mixed strategy pair. For the purpose of performance improvement, dynamic cost-effective strategies based on the real-time information of the process are perceived as more meaningful than a static fashion. The strategy design is equivalent to finding the Nash equilibrium of the stochastic game, and it is solved by the Q-learning method [69]. Yuan et al. [70] investigated the resilient control problem for the NCSs under DoS attack via a unified game approach. They consider the dynamics in the delta domain of the form

$$\delta x_k = A_\delta x_k + \sum_{i=1}^{N} \gamma_i B^i_\delta u^i_k \tag{27}$$

where $x_k = x(kT_s)$ with the sampling interval being $T_s$. $A_\delta$ and $B^i_\delta$ are matrices in the delta domain with appropriate dimensions. The stochastic variables $\gamma^i$, $i \in \{1, 2, \dots, N\}$, indicate the effect of the DoS attack on the control system with $P(\gamma^i_k = 0) = \bar{\gamma}^i$ and $P(\gamma^i_k = 1) = 1 - \bar{\gamma}^i$ for all $i \in \{1, 2, \dots, N\}$. In fact, the system (27) in the delta domain is equivalent to the discrete-time style (5) which is widely used in [60], [64], and [66]. Within the framework of the noncooperative dynamic game for multitasking optimal control (MTOC) in the delta domain, each controller seeks to minimize the cost-to-go function as in definition (20) in the discrete-time domain. However, $Q$ in (20) is replaced by $Q_i$ in this cost function according to the game dynamics between controllers. Define the admissible control set as $u^i_k = u^i_k(I_k)$, where $I_k$ is a set related to $x_k$ and $\gamma_k$, while

$$u^i_k \triangleq \{u^i_0, u^i_1, \dots, u^i_{N-1}\} \tag{28}$$

and the collection of strategies of all controllers except controller $i$ can be obtained by

$$u^{-i}_k \triangleq \{u^1_k, \dots, u^{i-1}_k, u^{i+1}_k, \dots, u^N_k\}. \tag{29}$$

Then, the optimal control problem under such a unified game framework is to find the solution of

$$\min_{u^i} (20) \quad \text{subject to } (27). \tag{30}$$

Therefore, the solution of the optimal defense strategies for the MTOC structure can be obtained by

$$\min_{D} \big|J^*_{G_1}/J^*_{G_0} - 1\big| \tag{31}$$

where $G_0 = \{\gamma_k = 0\}_{k=1}^N$, $G_1 = \{0 < \gamma_k < 1\}_{k=1}^N$, and the solution of the optimal defense strategies for the MTOC structure can be obtained by

$$\min_{A} \bar{\gamma}^1 \quad \text{subject to } (31) > S_0,\ \ \bar{\gamma}^1 = \rho^2\bar{\gamma}^2 = \cdots = \rho^N\bar{\gamma}^N$$

where $S_0$ implies the safety zone and $\rho^k$ is a weighting factor. Also, the central-tasking optimal control problems can be solved by a similar method.

The above analysis shows that Bernoulli-type variables are significantly exploited to indicate the DoS attack. But, in order to distinguish them from conventional packet dropouts, some other constraints, such as conditional probabilities and energy constraints, will be taken into consideration.

C. Security Control Under Arbitrary DoS Attacks

In practice, communication failures induced by DoS attacks do not follow a given class of periodic dynamics or probability distributions. This raises a new theoretical challenge for security control of SGs.

Moreover, time delay or packet dropout may be introduced by uncertainties of the network itself or by a malicious adversary. For example, in [71], the power systems subject to DoS attacks are modeled as time-delay systems of the form

$$\dot{x}(t) = Ax(t) + A_d x(t - \eta(t))$$

where $A_d = BK$ and $\eta(t) \in [\eta_1, \eta_2]$ represents the limitation of the energy of adversaries. By using a Wirtinger-based integral inequality, a less conservative attack-based delay-dependent criterion is obtained. Note that the stability of the NCSs can be guaranteed for all $\eta(t) \le \eta_2$, and it does not depend on the distribution of $\eta(t)$, which is manipulated by a DoS attacker. However, these systems are difficult to find applications for subject to sampling limitations. For a class of sampled-data systems $\dot{x}(t) = Ax(t) + BKx(kh)$ for all $k \in \mathbb{N}$ in ZOH fashion ($h$ is the sampling period of the sensor), the input delay approach proposed by Fridman et al. [72] can be used to model such delay and packet dropouts by defining $\eta(t) = t - kh$. Then the sampled-data system can be transformed into a time-delay system.

Recently, event-triggered control (ETC) gives a novel way to model such a sampled-data-based ETC system as a time-delay system [73]. Peng et al. [13] investigate a resilient event-triggering $H_\infty$ LFC for multiarea power systems with
energy-limited DoS attacks by introducing the following event-triggered communication scheme:

$$t_{k+1}h = t_k h + \min_{\ell \in \mathbb{N}}\big\{\ell h \;\big|\; e^T(i_k h)\, e(i_k h) \ge \sigma_r\, x^T(t_k h)\,x(t_k h)\big\}$$

where $e(i_k h)$ and $\sigma_r$ are the sampling error in (10) and the triggering parameter in (13), respectively. Then one can model the DoS attacks as an energy constraint with $\eta(t) \le \eta_2$. Obviously, the communication sequence will be destroyed when the event-triggered packets are dropped by DoS attackers. In order to realize resilient control under DoS attacks, one can adjust the parameter $\sigma_r$ to change the sampling logic. Generally, the smaller $\sigma_r$ is, the more frequent the sampling actions are, while a longer DoS duration can be tolerated. Hence, the triggering parameter $\sigma_r$ should be attack-aware when we implement the resilient sampling logic. More significantly, by using this model, it is convenient to design event-triggered control parameters and event-triggered conditions in a unified framework. De Persis and Tesi [54] characterized the frequency and duration conditions of DoS attacks under which the ISS of the closed-loop system can be preserved. In order to address the arbitrariness of DoS attacks, the following DoS sequence is given:

$$H_n = \{h_n\} \cup [h_n, h_n + \eta_n(t)] \tag{32}$$

which represents the nth DoS time interval with duration $\eta_n(t)$. If $\eta_n(t) = 0$, DoS takes the form of a single pulse at time instant $h_n$. Thus, the total duration in which communication is possible, $\Theta(t)$, and the interrupted duration $\Xi(t)$ can be obtained by

$$\Xi(t_0, t) = \bigcup_{n \in \mathbb{N}} H_n \cap [t_0, t] \tag{33}$$
$$\Theta(t_0, t) = [t_0, t] \setminus \Xi(t_0, t). \tag{34}$$

As a special case, the NCSs with DoS attacks can be modeled as switched systems between normal systems and attacked systems consisting of $\Theta(t_0, t)$ and $\Xi(t_0, t)$. Especially, it is required that the DoS frequency satisfies the following assumption:

$$n(t_0, t) \le \kappa_1 + \frac{t - t_0}{T_f} \tag{35}$$

where $\kappa_1 \ge 0$, $T_f > 0$ with $t \ge t_0$, and the DoS duration satisfies the following assumption:

$$|\Xi(t_0, t)| \le \kappa_2 + \frac{t - t_0}{T_d} \tag{36}$$

where $\kappa_2 \ge 0$, $T_d > 0$ with $t \ge t_0$. In order to implement resilient control, periodic sampling logic, self-triggering sampling logic, and event-based sampling logic can also be used to trade off performance and communication resources. It is easy to see that the communication scheme in [13] is only a special case of the conditions in [54].

In addition, Pang et al. [74] classified DoS attacks into two types, that is, weak attack and strong attack, where the weak attack is seen as a communication constraint, such as random delay and packet dropouts, and a recursive networked predictive control (RNPC) method is exploited to compensate for their adverse effects. For the strong attack, a multicontroller $C_{L_i}$ switching scheme is presented, in which each controller is designed based on the RNPC, to construct a new closed-loop system when $L_i$ packets are attacked for the ith subsystem. However, the switching scheme depends on a supervisor.

Generally speaking, DoS attacks are energy-limited and do not follow any specific rules or distributions [54]. In some cases, the number of data dropouts induced by DoS attacks is larger than the maximum allowable delay bound, which will affect the stability of SGs [49]. To tackle this case, model-based or model-free prediction methods are developed in [75] to compensate for data dropouts induced by DoS attacks. More recently, the distribution of SGs has also received more and more attention. For example, the risk of SGs is evaluated in [36] and [76] to analyze the control performance induced by DoS attacks. When limited communication resources are available, Peng et al. [13], [77] proposed a method to trade off security performance and communication efficiency in SGs.

VI. DETECTION AND ESTIMATION FOR DECEPTION ATTACKS

For the malicious cyber attacks in LFC, there are two basic considerations for security design. One is attack detection, which focuses on the perception of malicious attacks, and the other is state estimation, which focuses on the recovery of polluted signals. Different from DoS attacks on communication, false data disruption attacks will launch their disruptions on PMUs in SGs. This attack type aims at compromising the state estimator of power grids without detection. Attackers' goal is often characterized by compromising measurements or (and) control data, while an effective attack strategy should be designed carefully so that it can damage a healthy system and cannot be detected. Because of the disturbances and errors in the control system, the attack strategies should hide themselves within this normal margin of error and should not trigger a false alarm. Otherwise, a valid detection strategy will devote itself to distinguishing the attack behaviors from these normal disturbances and errors intelligently.

A. Detection of Malicious Cyber Attacks

It is well known that the output of state estimation is usually used for contingency analysis and then transmitted to the control center to implement regulations for power grid components. In general, the state estimator demonstrates three typical functions, that is, observability analysis, state estimation, and "bad data" processing in SGs. Since the estimated state can be tampered with by an adversary using bad data, it will mislead the power grid control performance, and possibly result in catastrophic consequences, such as blackouts in large geographic areas [78], [79]. In order to deal with these cases, some effective techniques have been developed, such as enhanced static state estimation, hypothesis testing identification, combinatorial optimization methods, etc.

In the literature, there are some physical-model-based attack detection methods. For example, Mo et al. [80] considered the scenario in which the FDI attack is carried over a sensor network monitoring a discrete-time LTI Gaussian system. The critical thing for the attack designer is to hijack the measurements of a
This article has been accepted for inclusion in a future issue of this journal. Content is final as presented, with the exception of pagination.

PENG et al.: SURVEY ON SECURITY COMMUNICATION AND CONTROL FOR SGs UNDER MALICIOUS CYBER ATTACKS 11

subset sensors without being detected by the χ 2 failure detec- least squares, minimum mean square error, mixture Gaussian
tor. Commonly, the χ 2 failure detector calculates the following distribution learning, Kalman filter [43], [86]–[88], etc. Hence,
condition: one can define a residue vector as r(k) = y(k) − C x(k).
Many system-behavior-based detection methods rely on this
gk = rkT P−1 rk (37)
defined residue vector r(k) which is called χ 2 detector with
where P is the covariance matrix of the residue rk . When {g(k) = rT (k)Pr(k) ≥ threshold}. Obviously, χ 2 detection is
a class of event-based method.
gk > threshold Replay attacks will record a sequence of PMU’s measure-
the detector will trigger an alarm. So the gk should be inge- ments and replay the recorded sequence afterward [90]. While
niously designed. Similar to [80], Kwon et al. [81] discussed acting on the power grids, the actual control input sequence
also the condition that the deception attack fails the estimators is generated by malware with old measurements rather than
while successfully bypass the monitoring system with com- the real measurements from PMUs. These attacks belong to a
pound scalar testing [82]. On the basis of (37), the following class of FDI attacks and it can remain undiscovered for sev-
condition is used to the χ 2 detector: eral months after its release [91]. The detection of such type
 of attacks can also be detected by a χ 2 detector. Different
Accept H0 , if gk ≤ threshold from FDI and replay attacks, zero-dynamics attacks will adjust
Accept H1 , if gk > threshold. their target on the χ 2 detector. The key idea of zero-dynamics
An adversary who wants to be undetectable should avoid attacks is to regulate their attack policy ay (k) such that the
a large increase in the power of residuals. These detection residue r(k) remains a constant [92].
methods can be used in SG [79], [83].
Besides, with the aim to fully utilize the acquired data flex- B. Recovery Polluted States
ibly, sequential detection theory is considered in [84]. The Due to the arbitrariness of attacks, the conventional estima-
sequential detection’s goal is to minimize the number of obser- tion methods are not applicable under attack scenario. In the
vations and it is required to make a decision with a given probability of false alarm and a given probability of detection. Suppose the observations $z_k$ under hypothesis $H_j$ are generated with probability distribution $p_j$; then the sequential probability ratio test (SPRT) algorithm [85] is described by

$$S(k+1) = \log \frac{p_1(z_k)}{p_0(z_k)} + S(k)$$
$$N = \inf_n \{\, n : S(n) \notin [L, U] \,\}$$

starting with $S(0) = 0$. The decision rule $d_N$ can be defined as

$$d_N = \begin{cases} \text{Accept } H_0, & \text{if } S(N) \ge U \\ \text{Accept } H_1, & \text{if } S(N) \le L \end{cases}$$

where $L \approx \ln\big(b/(1-a)\big)$ and $U \approx \ln\big((1-b)/a\big)$, $a$ is the desired probability of false alarm and $b$ is the desired probability of missed detection.

It should be mentioned that the above methods are all based on the same assumption, namely that the "bad measurements" must have taken place. However, this assumption does not always hold for stochastic attack scenarios. With knowledge of the power system configuration, an intelligent attacker can systematically generate bad measurements that bypass detection. Therefore, estimating the real state and identifying these bad data is significant. The objective of the defender is to reliably detect an injection attack $a_y(k)$ in the event of an attack, whereas the attackers hide themselves by exploiting the disclosure resources of SGs. If $a_y(k) = Cs(k)$, then $y(k) = C[x(k) + s(k)] + Fv(k)$ and the traditional statistical test is invalid; hence, such attacks will not be detected [78]. As a matter of fact, statistical test methods only pay attention to statistics rather than to the physical dynamics. From the perspective of the controlled power system, one can always establish the relationship between the measurements $y(k)$ and the estimated state $\hat{x}(k)$. Related estimation methods can be found in the literature, where there are some good results on secure state estimation. For example, Fawzi et al. [93] considered the following system dynamics:

$$x(t+1) = Ax(t) \quad (38)$$
$$y(t) = Cx(t) + r(t). \quad (39)$$

By reconstructing the initial state $x(0)$ and using the dynamics of the system, an $l_0$ optimal decoder is proposed to estimate the system state. In this case, given the first $M$ measurements $y_0, \ldots, y_{M-1}$, the initial state $x(0)$ is estimated from

$$y(t) = CA^t x(0) + r(t). \quad (40)$$

Moreover, consider the decoder $D_0 : (\mathbb{R}^p)^T \to \mathbb{R}^n$ defined by $D_0(y_0, \ldots, y_{M-1})$, which is obtained by solving the following optimization problem:

$$\min_{\hat{x} \in \mathbb{R}^n,\ \hat{\Upsilon} \subset \{1, \ldots, p\}} |\hat{\Upsilon}| \quad (41)$$
$$\text{s.t.}\quad \operatorname{supp}\big(y(t) - CA^t \hat{x}\big) \subset \hat{\Upsilon} \quad \text{for } t \in \{0, \ldots, M-1\} \quad (42)$$

where $\Upsilon$ is the set of attacked sensors. If the maximum number of attacked sensors is less than half of the sensors, the attacked sensors can be detected and the system state corrected from the pair $(A, C)$. However, the optimization problem (41) is not easy to tackle since it is NP-hard in general. As an improvement, Lee et al. [94] designed an individual Luenberger observer for each sensor to estimate the state correctly from redundant sensing data under sensor attacks.

The compressive sensing technique has been used to reconstruct the real state from sparse sensing data. For example, Shoukry and Tabuada [53] proposed a state reconstruction method for the case where sensors are corrupted by sparse attacks; this work can be regarded as an extension of [93] and [96]. The attack model is similar to (38).
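The SPRT recursion above, carried out as an added example (not code from the survey) on a constructed sequence of state-estimator residuals: under $H_0$ the residual is zero-mean Gaussian noise, under $H_1$ it carries a constant injected bias. The standard Wald convention is used here, so crossing the upper threshold $U$ declares $H_1$ (bias detected) and crossing $L$ declares $H_0$; the means, variance, error probabilities and the residual samples are all constructed assumptions.

```python
import math


def sprt_thresholds(alpha, beta):
    """Wald's approximate thresholds L = ln(b/(1-a)) and U = ln((1-b)/a),
    with alpha = desired false-alarm and beta = desired missed-detection rate."""
    lower = math.log(beta / (1.0 - alpha))
    upper = math.log((1.0 - beta) / alpha)
    return lower, upper


def gaussian_llr(z, mu0, mu1, sigma):
    """log p1(z)/p0(z) for the hypotheses N(mu1, sigma^2) vs N(mu0, sigma^2)."""
    return ((z - mu0) ** 2 - (z - mu1) ** 2) / (2.0 * sigma ** 2)


def sprt(residuals, mu0=0.0, mu1=1.0, sigma=1.0, alpha=0.01, beta=0.01):
    """Run the sequential test S(k+1) = log p1/p0 + S(k), S(0) = 0, over the
    residual samples and stop at N = first n with S(n) outside [L, U].

    Returns (decision, samples_used, final_statistic) where decision is
    'H1' if S reached U (injected bias detected), 'H0' if S reached L
    (residuals consistent with noise), or 'undecided' if the sequence ran
    out while L < S < U (the test needs more samples).
    """
    lower, upper = sprt_thresholds(alpha, beta)
    s = 0.0
    for n, z in enumerate(residuals, start=1):
        s += gaussian_llr(z, mu0, mu1, sigma)
        if s >= upper:
            return "H1", n, s
        if s <= lower:
            return "H0", n, s
    return "undecided", len(residuals), s


# Constructed residual sequences (assumed values, not measured data): the first
# behaves like N(0, 1) noise, the second like noise plus a bias of about 1.
CLEAN_RESIDUALS = [-0.4, 0.2, -1.1, 0.3, -0.8, 0.1, -0.6, -0.9, 0.5, -0.3]
BIASED_RESIDUALS = [1.3, 0.8, 1.6, 0.9, 1.4, 1.1, 1.7, 1.2, 0.7, 1.5]

if __name__ == "__main__":
    for name, seq in (("clean", CLEAN_RESIDUALS), ("biased", BIASED_RESIDUALS)):
        decision, n, s = sprt(seq)
        print(f"{name}: decided {decision} after {n} samples (S = {s:.2f})")
```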
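The $l_0$ decoder (41)–(42) of Fawzi et al. [93], implemented as an added example (not code from the survey or from [93]) by the exhaustive search that makes the problem NP-hard in general: candidate attacked sets are enumerated in increasing size and the smallest one whose remaining sensor readings are consistent with $y(t) = CA^t x$ is kept. The 2-state, 4-sensor system, the initial state and the constant sensor biases are constructed assumptions.

```python
import itertools


def mat_mul(A, B):
    """Plain-list matrix product."""
    return [[sum(A[i][k] * B[k][j] for k in range(len(B)))
             for j in range(len(B[0]))] for i in range(len(A))]


def identity(n):
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]


def solve_linear(M, b, tol=1e-12):
    """Gauss-Jordan elimination with partial pivoting; None if M is singular."""
    n = len(M)
    aug = [list(M[i]) + [b[i]] for i in range(n)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[piv][col]) < tol:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        for r in range(n):
            if r != col:
                f = aug[r][col] / aug[col][col]
                aug[r] = [a - f * c for a, c in zip(aug[r], aug[col])]
    return [aug[i][n] / aug[i][i] for i in range(n)]


def least_squares(rows, rhs):
    """Solve the normal equations (R^T R) x = R^T y; None if R has no full rank,
    i.e. the kept sensors do not observe the state."""
    n = len(rows[0])
    N = [[sum(r[i] * r[j] for r in rows) for j in range(n)] for i in range(n)]
    g = [sum(r[i] * y for r, y in zip(rows, rhs)) for i in range(n)]
    return solve_linear(N, g)


def observation_row(C, A_pow, i):
    """Row C_i A^t of the observability stack for sensor i (A_pow = A^t)."""
    n = len(A_pow)
    return [sum(C[i][k] * A_pow[k][j] for k in range(n)) for j in range(n)]


def l0_decode(A, C, Y, s, tol=1e-6):
    """Decoder D0 of (41)-(42) by brute force. Y[t][i] is sensor i's reading
    at time t = 0..M-1 and s is the largest attacked-set size considered.
    Returns (x_hat, attacked_sensors) for the smallest set whose removal
    leaves readings consistent with y(t) = C A^t x_hat, or None when no
    set of size <= s does (more sensors corrupted than the decoder tolerates).
    With 2s < p and every p-2s sensors observable, that smallest set is unique."""
    n, p, M = len(A), len(C), len(Y)
    powers = [identity(n)]
    for _ in range(1, M):
        powers.append(mat_mul(powers[-1], A))
    for size in range(s + 1):                      # smallest |Upsilon| first
        for cand in itertools.combinations(range(p), size):
            keep = [i for i in range(p) if i not in cand]
            rows = [observation_row(C, powers[t], i) for t in range(M) for i in keep]
            rhs = [Y[t][i] for t in range(M) for i in keep]
            x_hat = least_squares(rows, rhs)
            if x_hat is None:
                continue                           # kept sensors cannot observe x
            residual = max(abs(sum(a * b for a, b in zip(r, x_hat)) - y)
                           for r, y in zip(rows, rhs))
            if residual <= tol:                    # supp(y - C A^t x_hat) within cand
                return x_hat, set(cand)
    return None


# Constructed example system (assumed values): a slowly drifting 2-state
# process observed by 4 sensors, any 2 of which observe the state.
A = [[1.0, 0.1], [0.0, 1.0]]
C = [[1.0, 0.0], [0.0, 1.0], [1.0, 1.0], [1.0, -1.0]]
X0 = [2.0, 0.5]


def simulate(A, C, x0, M, attack):
    """Clean readings of (38)-(39) with r = 0, plus a constant bias on the
    sensors listed in `attack` (constructed corruption, not a real capture)."""
    Y, x = [], list(x0)
    for _ in range(M):
        y = [sum(c * xi for c, xi in zip(row, x)) for row in C]
        for i, bias in attack.items():
            y[i] += bias
        Y.append(y)
        x = [sum(a * xi for a, xi in zip(row, x)) for row in A]
    return Y


if __name__ == "__main__":
    print(l0_decode(A, C, simulate(A, C, X0, 3, {2: 5.0}), s=1))
    print(l0_decode(A, C, simulate(A, C, X0, 3, {0: 5.0, 1: -3.0, 2: 7.0}), s=1))
```

The first call recovers $x(0)$ and names sensor 2 as corrupted; the second returns `None` because three of four sensors are corrupted, which exceeds what any decoder with $2s < p$ can correct.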
In [53], the model is built by constructing a delayed version of the state $x(t-\tau+1)$, the attack vectors $a(t-\tau+1), a(t-\tau+2), \ldots, a(t)$ and the measurements $y(t-\tau+1), y(t-\tau+2), \ldots, y(t)$. Then, the state model with an $s$-sparse attack is written as

$$Y(t) = Ox(t-\tau+1) + E(t) \quad (43)$$

where $E(t)$ is the attack vector. The event-triggered technique [89], [95], [97] is then used to improve the computational efficiency of the proposed algorithms; the triggering condition is given by $V(\hat{z}^{(k,m+1)}) \ge (1-\nu)V(\hat{z}^{(k)})$, where $V(\hat{z}) = \frac{1}{2}\|Y - Q\hat{z}\|_2^2$. Thus, the estimated state is updated by the following rule:

$$\hat{z}^{+} := \hat{z} + \eta Q^T\big(Y - Q\hat{z}\big). \quad (44)$$

In fact, the event-triggered projected gradient descent algorithm is advanced only one step at a time, which sacrifices computational efficiency. This motivates the subsequent study [98], which improves the estimation efficiency by adjusting the estimation step adaptively.

The above methods suppose that attackers have little knowledge of the system. For an intelligent attacker, however, attack processes and results may vary from case to case. Mo and Sinopoli [99] assumed that the attacker has full knowledge of the true values of the system states and measurements, but has limited resources and can only manipulate part of the measurements. The problem is then expressed as a minimax optimization problem

$$\underset{\{\phi_K\}}{\text{minimize}}\ \mathbb{E}\Big[\max_{|K|=2l} c\big(x - \phi_K(y)\big)\Big]. \quad (45)$$

The goal is to design the optimal estimator against all possible attacker strategies. Consider the case $l > m/2$, namely, the attacker can manipulate at least half of the measurements. In such a scenario, the optimal worst-case estimator should ignore all $m$ measurements, and only the prior distribution of $x$ is considered. The result is that the optimal estimator $f^*$ is given by solving the following optimization problem:

$$f^* = \underset{\delta \in \mathbb{R}}{\text{minimize}}\ \mathbb{E}[c(x - \delta)] \quad (46)$$

where $\delta^*$ is the solution of (46). For the case $l < m/2$, which implies that the attacker can manipulate fewer than half of the sensors, they provide the explicit form of the optimal estimator based on $\binom{m}{2l}$ local estimators. Therefore, the search space of the optimal estimator is reduced from all possible functions to a special class of functions. The optimal estimator $f^*$ has the following form:

$$f^*(y) = \min_{|I|=l}\ \max_{|J|=l,\ J \cap I = \emptyset} \phi^*_{I \cup J}(y) \quad (47)$$

where $\{\phi^*_K\}$ is the set of $\binom{m}{2l}$ local estimators.

For a large-scale power system, a centralized solution to the associated state estimation problem presents tremendous computational complexity. Generally, distributed state estimation (DSE) [100]–[103] supplies an efficient way to reduce the computational complexity by applying a local processor to provide a local state estimation solution. Compared with a centralized estimation approach, DSE reduces the amount of data and improves the robustness of the estimation through distributed processing. DSE can be sketched as follows: each area has local measurements formulated by

$$y_m = C_m(x_m) + n_m, \quad m = 1, \ldots, M \quad (48)$$

where $x_m = [x_{am}^T\ x_{bm}^T]^T$ is the local state vector of area $m$, which is further partitioned into the internal state variables $x_{am}$ and the border state variables $x_{bm}$. As another example of state estimation for distributed power systems [103], DSE is formulated as a constrained optimization problem which takes an initial set of DG outputs as the equality constraints

$$\underset{x}{\arg\min}\ \frac{1}{2} r^T C_r^{-1} r + \frac{1}{2}(x - \bar{x})^T P^{-1}(x - \bar{x}) \quad (49)$$
$$\text{such that}\quad r_m = y_m - \delta_m(x), \quad \delta_{os}(x) = 0 \quad (50)$$

where the vectors with subscript $m$ represent the subvectors that result from the measurements, and $\delta_{os}(x)$ denotes the operational and structural constraints.

Furthermore, matrix-based analysis methods are effective for exploring the security space when conducting state estimation, but they may be ineffective in handling some complex and distributed problems, especially those with combinatorial features [104]. Recently, graphs have been used to characterize the relationships in such large-scale distributed cyber-physical power systems [105]. However, purely graph-based approaches are not capable of modeling the state evolution within the physical systems [106]. Fortunately, the physical power dynamics can be captured by each node in the graph, and this provides a convenient way to model the cause-effect relationships between the cyber data and the grid state signals [52], [107]. The cascading effects due to attacks can then be represented, which gives a risk characterization of SGs. For example, graph-based cyber security analysis of state estimation has been discussed in [105], which provides intuitive visualization of some complex problem structures and enables efficient graphical solution algorithms for both defending and attacking the ICT system in SGs.

To sum up, the security of SGs is a combination of physical grid security and communication security. Different from matrix-based analysis methods, the support vector machine and the artificial immune system are being used to detect malicious data and possible cyber attacks [108]. Having revealed the above attacks with respect to the control of power systems in SGs, the following issues should be well addressed.

1) How to characterize fundamental attack detection and identification together with its limitations.
2) How to design estimators/monitors which are capable of locating attacks and recovering the real state in a timely and accurate manner [10].

VII. CONCLUSION AND CHALLENGES

A number of detection approaches and countermeasures have been proposed to deal with attacks on SGs [17]–[19], [109]. Because of the variability, complexity, and intelligence of network attacks, existing security solutions cannot be achieved through one specific solution. In view of control-theoretic methods, the attack side always tries its
best to maximize the damage to control performance, while the defense side spares no effort to minimize the impact of the corresponding attacks [66], [110]. Therefore, we believe that the cyber-physical security of SGs should be considered from both the cyber-security and the physical-security side. In detail, the following issues should be further addressed in securing SGs.

1) Security Detection Combined With Advanced Methods: The huge amount of data generated by AMIs, power distribution devices, and other intelligent devices imposes many difficulties on security analysis and detection in SGs. On one hand, it is very important to develop advanced transmission schemes to improve communication efficiency; on the other hand, big data and cloud computing methods can provide a new opportunity for electric load forecasting, anomaly detection, and DSM. Therefore, security detection combined with advanced analysis methods is an interesting topic for the future.

2) Modeling the Attacks With More Practical Conditions: In the existing results, specific assumptions, such as periodicity or a given probability distribution, are often introduced in many SG studies. However, these assumptions contradict the fact that attacks are usually arbitrary and stealthy. For example, packet dropouts induced by DoS attacks may not follow a Bernoulli distribution in SGs. Some existing results based on such impractical assumptions are far from real applications. Therefore, modeling these attacks in a more realistic way needs further study.

3) Distributed Detection and Estimation of Attacks: The complexity and spatial distribution of SGs, which integrate cyber, physical, and control components, dramatically increase the difficulty of detection and estimation, especially in a distributed environment. Additionally, there may be multiple attacks at the same time in such large-scale SGs. So, how to locate and estimate different attacks in a distributed way is of paramount significance.

4) Resilient Control Strategies: As a complement to IT protection methods, the design of security control strategies plays a very important role in securing SGs. When traditional IT protections fail, the control implementation can lead to a significant improvement in guaranteeing the performance of SGs. On one hand, the control design should satisfy the general requirements when there are no attacks; on the other hand, it should remain valid under attacks rather than requiring the controller to be redesigned or changed. Therefore, how to design such a security controller in a resilient way is a promising direction for the future.

In the end, we have reviewed cyber-physical security issues, including attack strategies, detection methods, and control design for SGs, from both the cyber layer and the physical power grid layer. Although traditional IT security strategies, such as VPNs, PKI, IDS, and firewalls, play an important role in protecting communication networks, they have many limitations for securing physical power systems and may not be appropriate for some control scenarios. Moreover, traditional IT security strategies may be invalid when attacks become more blended, sophisticated, and complex. Therefore, a co-design framework of security control and communication protection should be well developed in the future.

REFERENCES

[1] Smart Grid Top Markets Report 2017. A Market Assessment Tool for U.S. Exporters. Accessed: Jan. 2017. [Online]. Available: http://trade.gov/topmarkets/pdf/Smart-Grid-Top-Markets-Report.pdf
[2] M. A. Brown, S. Zhou, and M. Ahmadi, "Smart grid governance: An international review of evolving policy issues and innovations," Wiley Interdiscipl. Rev. Energy Environ., vol. 7, no. 5, pp. 1–26, 2018.
[3] C. Dou, D. Yue, J. M. Guerrero, X. Xie, and S. Hu, "Multiagent system-based distributed coordinated control for radial DC microgrid considering transmission time delays," IEEE Trans. Smart Grid, vol. 8, no. 5, pp. 2370–2381, Sep. 2017.
[4] Y. Xue and X. Yu, "Beyond smart grid—Cyber-physical-social system in energy future," Proc. IEEE, vol. 105, no. 12, pp. 2290–2292, Dec. 2017.
[5] F. F. Wu, P. P. Varaiya, and R. S. Y. Hui, "Smart grids with intelligent periphery: An architecture for the energy Internet," Engineering, vol. 1, no. 4, pp. 436–446, 2015.
[6] S. Kakran and S. Chanana, "Smart operations of smart grids integrated with distributed generation: A review," Renew. Sustain. Energy Rev., vol. 81, pp. 524–535, Jan. 2018.
[7] V. Gomez, C. Hernandez, and F. Martinez, "Energy policies in smart grids," Contemp. Eng. Sci., vol. 10, no. 20, pp. 987–999, 2017.
[8] B. Li, S. Lv, and Q. Pan, "The Internet of Things and smart grid," in Proc. IOP Conf. Earth Environ. Sci., vol. 113, 2018, pp. 12–38.
[9] H. Jiang, K. Wang, Y. Wang, M. Gao, and Y. Zhang, "Energy big data: A survey," IEEE Access, vol. 4, pp. 3844–3861, 2017.
[10] F. Pasqualetti, F. Dorfler, and F. Bullo, "Control-theoretic methods for cyberphysical security: Geometric principles for optimal cross-layer resilient control systems," IEEE Control Syst. Mag., vol. 35, no. 1, pp. 110–127, Feb. 2015.
[11] N. F. S. Baker and K. Timlin, In the Dark: Crucial Industries Confront Cyber Attacks, McAfee, Santa Clara, CA, USA, 2012.
[12] C.-K. Zhang, Y. He, L. Jiang, and M. Wu, "Notes on stability of time-delay systems: Bounding inequalities and augmented Lyapunov–Krasovskii functionals," IEEE Trans. Autom. Control, vol. 62, no. 10, pp. 5331–5336, Oct. 2017.
[13] C. Peng, J. Li, and M. Fei, "Resilient event-triggering H∞ load frequency control for multi-area power systems with energy-limited DoS attacks," IEEE Trans. Power Syst., vol. 32, no. 5, pp. 4110–4118, Sep. 2017.
[14] Z. Elmrabet, H. Elghazi, T. Sadiki, and H. Elghazi, "A new secure network architecture to increase security among virtual machines in cloud computing," in Proc. Adv. Ubiquitous Netw., 2016, pp. 105–116.
[15] I. Colak, S. Sagiroglu, G. Fulli, M. Yesilbudak, and C.-F. Covrig, "A survey on the critical issues in smart grid technologies," Renew. Sustain. Energy Rev., vol. 54, pp. 396–405, Feb. 2016.
[16] M. Hashmi, S. Hänninen, and K. Mäki, "Survey of smart grid concepts, architectures, and technological demonstrations worldwide," in Proc. IEEE PES Conf. Innov. Smart Grid Technol., Medellín, Colombia, 2011, pp. 1–7.
[17] S. Goel and H. Yuan, Security Challenges in Smart Grid Implementation. London, U.K.: Springer, 2015.
[18] A. O. Otuoze, M. W. Mustafa, and R. M. Larik, "Smart grids security challenges: Classification by sources of threats," J. Elect. Syst. Inf. Technol., vol. 5, no. 3, pp. 468–483, Dec. 2018.
[19] E. D. Knapp, Industrial Network Security: Securing Critical Infrastructure Networks for Smart Grid, SCADA, and Other Industrial Control Systems. Boston, MA, USA: Syngress, 2014.
[20] P. Engebretson, The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy. Waltham, MA, USA: Syngress, 2011.
[21] M. A. Faisal, Z. Aung, J. R. Williams, and A. Sanchez, "Data-stream-based intrusion detection system for advanced metering infrastructure in smart grid: A feasibility study," IEEE Syst. J., vol. 9, no. 1, pp. 31–44, Mar. 2015.
[22] E. D. Knapp and R. Samani, Applied Cyber Security and the Smart Grid: Implementing Security Controls into the Modern Power Infrastructure. Amsterdam, The Netherlands: Elsevier, 2013.
[23] J. Liu, Y. Xiao, S. Li, W. Liang, and C. L. P. Chen, "Cyber security and privacy issues in smart grids," IEEE Commun. Surveys Tuts., vol. 14, no. 4, pp. 981–997, 4th Quart., 2012.
[24] D. Kundur, X. Feng, S. Liu, T. Zourntos, and K. L. Butler-Purry, "Towards a framework for cyber attack impact analysis of the electric smart grid," in Proc. 1st Int. Conf. Smart Grid Commun., Gaithersburg, MD, USA, 2010, pp. 244–249.
[25] J. Dagle, "Vulnerability assessment activities [for electric utilities]," in Proc. Power Eng. Soc. Win. Meeting, Columbus, OH, USA, 2001, pp. 108–113.
[26] Y. Xu, J. Zhang, W. Wang, A. Juneja, and S. Bhattacharya, "Energy router: Architectures and functionalities toward energy Internet," in Proc. Int. Conf. Smart Grid Commun., Brussels, Belgium, 2011, pp. 31–36.
[27] S. Shitharth and D. P. Winston, "A novel IDS technique to detect DDoS and sniffers in smart grid," in Proc. World Conf. Futuristic Trends Res. Innov. Soc. Welfare (Startup Conclave), Coimbatore, India, 2016, pp. 1–6.
[28] M. Kammerstetter, L. Langer, F. Skopik, and W. Kastner, "Architecture-driven smart grid security management," in Proc. 2nd Workshop Inf. Hiding Multimedia Security, Salzburg, Austria, 2014, pp. 153–158.
[29] R. Al-Dalky, O. Abduljaleel, K. Salah, H. Otrok, and M. Al-Qutayri, "A modbus traffic generator for evaluating the security of SCADA systems," in Proc. Int. Symp. Commun. Syst. Netw. Digit. Signal Process., Manchester, U.K., 2014, pp. 809–814.
[30] G. C. Walsh, O. Beldiman, and L. Bushnell, "Asymptotic behavior of networked control systems," in Proc. Int. Conf. Control Appl., 2002, pp. 1448–1453.
[31] A. Sargolzaei, K. K. Yen, and M. N. Abdelghani, "Preventing time-delay switch attack on load frequency control in distributed power systems," IEEE Trans. Smart Grid, vol. 7, no. 2, pp. 1176–1185, Mar. 2016.
[32] H. Suo, J. Wan, C. Zou, and J. Liu, "Security in the Internet of Things: A review," in Proc. Int. Conf. Comput. Sci. Electron. Eng., vol. 3, Hangzhou, China, 2012, pp. 648–651.
[33] Z. E. Mrabet, N. Kaabouch, H. E. Ghazi, and H. ElGhazi, "Cyber-security in smart grid: Survey and challenges," Comput. Elect. Eng., vol. 67, pp. 469–482, Apr. 2018.
[34] D. Ding, Q.-L. Han, Y. Xiang, X. Ge, and X.-M. Zhang, "A survey on security control and attack detection for industrial cyber-physical systems," Neurocomputing, vol. 275, pp. 1674–1683, Jan. 2018.
[35] R. C. Diovu and J. T. Agee, "A cloud-based OpenFlow firewall for mitigation against DDoS attacks in smart grid AMI networks," in Proc. PES PowerAfrica, Accra, Ghana, 2017, pp. 28–33.
[36] R. Fu et al., "Stability analysis of the cyber physical microgrid system under the intermittent DoS attacks," Energies, vol. 5, no. 5, p. 680, 2017, doi: 10.3390/en10050680.
[37] K. Ding, Y. Li, D. E. Quevedo, S. Dey, and L. Shi, "A multi-channel transmission schedule for remote state estimation under DoS attacks," Automatica, vol. 78, pp. 194–201, Apr. 2017.
[38] Y. Li, D. E. Quevedo, S. Dey, and L. Shi, "SINR-based DoS attack on remote state estimation: A game-theoretic approach," IEEE Trans. Control Netw. Syst., vol. 43, no. 2, pp. 632–642, Sep. 2017.
[39] S. Shapsough, F. Qatan, R. Aburukba, F. Aloul, and A. R. Al Ali, "Smart grid cyber security: Challenges and solutions," in Proc. Int. Conf. Smart Grid Clean Energy Technol., Offenburg, Germany, 2015, pp. 170–175.
[40] D. Wei, Y. Lu, M. Jafari, P. Skare, and K. Rohde, "An integrated security system of protecting smart grid against cyber attacks," in Proc. Innov. Smart Grid Technol., 2010, pp. 1–7.
[41] R. Xu et al., "Achieving efficient detection against false data injection attacks in smart grid," IEEE Access, vol. 5, pp. 13787–13798, 2017.
[42] T. Lan, W. Wang, and G. M. Huang, "False data injection attack in smart grid topology control: Vulnerability and countermeasure," in Proc. IEEE Power Energy Soc. Gen. Meeting, Chicago, IL, USA, 2017, pp. 1–5.
[43] S. A. Foroutan and F. R. Salmasi, "Detection of false data injection attacks against state estimation in smart grids based on a mixture Gaussian distribution learning method," IET Cyber Phys. Syst. Theory Appl., vol. 2, no. 4, pp. 161–171, Dec. 2017.
[44] A. Bartoli et al., "Secure lossless aggregation for smart grid M2M networks," in Proc. 1st IEEE Int. Conf. Smart Grid Commun., Gaithersburg, MD, USA, 2010, pp. 333–338.
[45] J. Vijayan, Stuxnet Renews Power Grid Security Concerns, Computerworld, Framingham, MA, USA, Jul. 2010. [Online]. Available: https://www.computerworld.com/article/2519574/security/stuxnet-renews-power-grid-security-concerns.html
[46] Y.-L. Wang, Q.-L. Han, M. Fei, and C. Peng, "Network-based T–S fuzzy dynamic positioning controller design for unmanned marine vehicles," IEEE Trans. Cybern., vol. 48, no. 9, pp. 2750–2763, Sep. 2018.
[47] Y.-L. Wang and Q.-L. Han, "Network-based modelling and dynamic output feedback control for unmanned marine vehicles," Automatica, vol. 91, pp. 43–53, May 2018.
[48] H.-B. Zeng, K. L. Teo, and Y. He, "A new looped-functional for stability analysis of sampled-data systems," Automatica, vol. 82, pp. 328–331, Aug. 2017.
[49] S. Liu, X. P. Liu, and A. El Saddik, "Denial-of-service (DoS) attacks on load frequency control in smart grids," in Proc. IEEE PES Innov. Smart Grid Technol., Washington, DC, USA, 2013, pp. 1–6.
[50] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, "A secure control framework for resource-limited adversaries," Automatica, vol. 51, pp. 135–148, Jan. 2015.
[51] H. T. Sun, C. Peng, P. Zhou, and Z.-W. Wang, "A brief overview on secure control of networked systems," Adv. Manuf., vol. 5, no. 3, pp. 243–250, 2017.
[52] X. Ge, F. Yang, and Q.-L. Han, "Distributed networked control systems: A brief overview," Inf. Sci., vol. 380, pp. 117–131, Feb. 2017.
[53] Y. Shoukry and P. Tabuada, "Event-triggered state observers for sparse sensor noise/attacks," IEEE Trans. Autom. Control, vol. 61, no. 8, pp. 2079–2091, Aug. 2016.
[54] C. De Persis and P. Tesi, "Input-to-state stabilizing control under denial-of-service," IEEE Trans. Autom. Control, vol. 60, no. 11, pp. 2930–2944, Nov. 2015.
[55] H. Shisheh-Foroush and S. Martínez, "On single-input controllable linear systems under periodic DoS jamming attacks," in Proc. SIAM Conf. Control Appl., San Diego, CA, USA, 2013, pp. 222–229.
[56] Y.-L. Wang, C.-C. Lim, and P. Shi, "Adaptively adjusted event-triggering mechanism on fault detection for networked control systems," IEEE Trans. Cybern., vol. 47, no. 8, pp. 2299–2311, Aug. 2017.
[57] H. S. Foroush and S. Martinez, "On triggering control of single-input linear systems under pulse-width modulated DoS signals," SIAM J. Control Optim., vol. 54, no. 6, pp. 3084–3105, 2016.
[58] M. Long, C.-H. Wu, and J. Y. Hung, "Denial of service attacks on network-based control systems: Impact and mitigation," IEEE Trans. Ind. Informat., vol. 1, no. 2, pp. 85–96, May 2005.
[59] J. Xiong and J. Lam, "Stabilization of linear systems over networks with bounded packet loss," Automatica, vol. 43, no. 1, pp. 80–87, 2007.
[60] J. Zhang, C. Peng, S. Masroor, H. Sun, and L. Chai, "Stability analysis of networked control systems with denial-of-service attacks," in Proc. UKACC 11th Int. Conf. Control, Belfast, Ireland, 2016, pp. 1–6.
[61] D. Ding, Z. Wang, G. Wei, and F. E. Alsaadi, "Event-based security control for discrete-time stochastic systems," IET Control Theory Appl., vol. 10, no. 15, pp. 1808–1815, Nov. 2016.
[62] A. Cetinkaya, H. Ishii, and T. Hayakawa, "Event-triggered control over unreliable networks subject to jamming attacks," in Proc. 54th Annu. Conf. Decis. Control, Osaka, Japan, 2015, pp. 4818–4823.
[63] A. Cetinkaya, H. Ishii, and T. Hayakawa, "Random and malicious packet transmission failures on multi-hop channels in networked control systems," IFAC PapersOnLine, vol. 49, no. 22, pp. 49–54, 2016.
[64] S. AminAlvaro, A. Cárdenas, and S. S. Sastry, "Safe and secure networked control systems under denial-of-service attacks," in Proc. Int. Conf. Hybrid Syst. Comput. Control, San Francisco, CA, USA, 2009, pp. 31–45.
[65] H. Zhang, P. Cheng, L. Shi, and J. Chen, "Optimal denial-of-service attack scheduling with energy constraint," IEEE Trans. Autom. Control, vol. 60, no. 11, pp. 3023–3028, Nov. 2015.
[66] H. Zhang, P. Cheng, L. Shi, and J. Chen, "Optimal DoS attack scheduling in wireless networked control system," IEEE Trans. Control Syst. Technol., vol. 24, no. 3, pp. 843–852, May 2016.
[67] A. A. A. Abass, M. Hajimirsadeghi, N. B. Mandayam, and Z. Gajic, "Evolutionary game theoretic analysis of distributed denial of service attacks in a wireless network," in Proc. Annu. Conf. Inf. Sci. Syst., Princeton, NJ, USA, 2016, pp. 36–41.
[68] J. Wu, Y. Yuan, H. Zhang, and L. Shi, "How can online schedules improve communication and estimation tradeoff?" IEEE Trans. Signal Process., vol. 61, no. 7, pp. 1625–1631, Apr. 2013.
[69] J. Hu and M. P. Wellman, "Nash Q-learning for general-sum stochastic games," J. Mach. Learn. Res., vol. 4, no. 11, pp. 1039–1069, 2003.
[70] Y. Yuan, H. Yuan, L. Guo, H. Yang, and S. Sun, "Resilient control of networked control system under DoS attacks: A unified game approach," IEEE Trans. Ind. Informat., vol. 12, no. 5, pp. 1786–1794, Oct. 2016.
[71] R. Cao, J. Wu, C. Long, and S. Li, "Stability analysis for networked control systems under denial-of-service attacks," in Proc. 54th IEEE Conf. Decis. Control, Osaka, Japan, 2015, pp. 7476–7481.
[72] E. Fridman, A. Seuret, and J.-P. Richard, "Robust sampled-data stabilization of linear systems: An input delay approach," Automatica, vol. 40, no. 8, pp. 1441–1446, 2004.
[73] X.-M. Zhang, Q.-L. Han, and B.-L. Zhang, "An overview and deep investigation on sampled-data-based event-triggered control and filtering for networked systems," IEEE Trans. Ind. Informat., vol. 13, no. 1, pp. 4–16, Feb. 2017.
[74] Z. H. Pang, G. P. Liu, and Z. Dong, "Secure networked control systems under denial of service attacks," IFAC Proc. Vol., vol. 44, no. 1, pp. 8908–8913, 2011.
[75] Z. Cheng, D. Yue, X. Lan, C. Huang, and S. Hu, "H∞ prediction triggering control of multi-area power systems load frequency control under DoS attacks," in Proc. Int. Conf. Intell. Comput. Sustain. Energy Environ., Nanjing, China, 2017, pp. 477–487.
[76] G. K. Befekadu, V. Gupta, and P. J. Antsaklis, "Risk-sensitive control under Markov modulated denial-of-service (DoS) attack strategies," IEEE Trans. Autom. Control, vol. 60, no. 12, pp. 3299–3304, Dec. 2015.
[77] C. Peng, D. Yue, and M.-R. Fei, "A higher energy-efficient sampling scheme for networked control systems over IEEE 802.15.4 wireless networks," IEEE Trans. Ind. Informat., vol. 12, no. 5, pp. 1766–1774, Oct. 2016.
[78] A. Abur and A. G. Exposito, Power System State Estimation: Theory and Implementation. Boca Raton, FL, USA: CRC, 2004.
[79] Y. Liu, P. Ning, and M. K. Reiter, "False data injection attacks against state estimation in electric power grids," ACM Trans. Inf. Syst. Security, vol. 14, no. 1, pp. 21–32, 2011.
[80] Y. Mo, E. Garone, A. Casavola, and B. Sinopoli, "False data injection attacks against state estimation in wireless sensor networks," in Proc. 49th IEEE Conf. Decis. Control, Atlanta, GA, USA, 2010, pp. 5967–5972.
[81] C. Kwon, W. Liu, and I. Hwang, "Security analysis for cyber-physical systems against stealthy deception attacks," in Proc. Amer. Control Conf., Washington, DC, USA, 2013, pp. 3344–3349.
[82] J. J. Gertler, "Survey of model-based failure detection and isolation in complex plants," IEEE Control Syst. Mag., vol. 8, no. 6, pp. 3–11, Dec. 1988.
[83] K. Manandhar, X. Cao, F. Hu, and Y. Liu, "Detection of faults and attacks including false data injection attack in smart grid using Kalman filter," IEEE Trans. Control Netw. Syst., vol. 1, no. 4, pp. 370–379, Dec. 2014.
[84] A. A. Cárdenas et al., "Attacks against process control systems: Risk assessment, detection, and response," in Proc. 6th ACM Symp. Inf. Comput. Commun. Security, Hong Kong, 2011, pp. 355–366.
[85] A. Wald, Sequential Analysis. New York, NY, USA: Dover, 1973.
[86] F. F. Wu and W.-H. E. Liu, "Detection of topology errors by state estimation (power systems)," IEEE Trans. Power Syst., vol. 4, no. 1, pp. 176–183, Feb. 1989.
[87] O. Kosut, L. Jia, R. J. Thomas, and L. Tong, "Malicious data attacks on smart grid state estimation: Attack strategies and countermeasures," in Proc. IEEE Int. Conf. Smart Grid Commun., 2010, pp. 220–225.
[88] Y. Mo, R. Chabukswar, and B. Sinopoli, "Detecting integrity attacks on SCADA systems," IEEE Trans. Control Syst. Technol., vol. 22, no. 4, pp. 1396–1407, Jul. 2014.
[89] C. Peng, J. Zhang, and Q.-L. Han, "Consensus of multiagent systems with nonlinear dynamics using an integrated sampled-data-based event-triggered communication scheme," IEEE Trans. Syst., Man, Cybern., Syst., to be published, doi: 10.1109/TSMC.2018.2814572.
[90] J. P. Farwell and R. Rohozinski, "Stuxnet and the future of cyber war," Survival, vol. 53, no. 1, pp. 23–40, 2011.
[91] Y. Mo et al., "Cyber–physical security of a smart grid infrastructure," Proc. IEEE, vol. 100, no. 1, pp. 195–209, Jan. 2012.
[92] K. Zhou, J. C. Doyle, and K. Glover, Robust and Optimal Control. Upper Saddle River, NJ, USA: Prentice-Hall, 1996.
[93] H. Fawzi, P. Tabuada, and S. Diggavi, "Secure estimation and control for cyber-physical systems under adversarial attacks," IEEE Trans. Autom. Control, vol. 59, no. 6, pp. 1454–1467, Jun. 2014.
[94] C. Lee, H. Shim, and Y. Eun, "Secure and robust state estimation under sensor attacks, measurement noises, and process disturbances: Observer-based combinatorial approach," in Proc. Eur. Control Conf., Linz, Austria, 2015, pp. 1872–1877.
[95] C. Peng, M. Wu, X. P. Xie, and Y.-L. Wang, "Event-triggered predictive control for networked nonlinear systems with imperfect premise matching," IEEE Trans. Fuzzy Syst., vol. 26, no. 5, pp. 2797–2806, Oct. 2018.
[96] E. J. Candes and T. Tao, "Decoding by linear programming," IEEE Trans. Inf. Theory, vol. 51, no. 12, pp. 4203–4215, Dec. 2005.
[97] C. Peng, S. Ma, and X. Xie, "Observer-based non-PDC control for networked T–S fuzzy systems with an event-triggered communication," IEEE Trans. Cybern., vol. 47, no. 8, pp. 2279–2287, Aug. 2017.
[98] H. Zhang, C. Peng, H. Sun, and D. Du, "Adaptive state estimation for cyber physical systems under sparse attacks," Trans. Inst. Meas. Control, pp. 1–9, Feb. 2018, doi: 10.1177/0142331217730123.
[99] Y. Mo and B. Sinopoli, "Secure estimation in the presence of integrity attacks," IEEE Trans. Autom. Control, vol. 60, no. 4, pp. 1145–1151, Apr. 2015.
[100] U. A. Khan and J. M. F. Moura, "Distributing the Kalman filter for large-scale systems," IEEE Trans. Signal Process., vol. 56, no. 10, pp. 4919–4935, Oct. 2008.
[101] V. Kekatos and G. B. Giannakis, "Distributed robust power system state estimation," IEEE Trans. Power Syst., vol. 28, no. 2, pp. 1617–1626, May 2013.
[102] Y. Hu, A. Kuh, T. Yang, and A. Kavcic, "A belief propagation based power distribution system state estimator," IEEE Comput. Intell. Mag., vol. 6, no. 3, pp. 36–46, Aug. 2011.
[103] A. Souza, E. M. Lourenço, and A. S. Costa, "Real-time monitoring of distributed generation through state estimation and geometrically-based tests," in Proc. IREP Symp. Bulk Power Syst. Dyn. Control VIII (IREP), Rio de Janeiro, Brazil, 2010, pp. 1–8.
[104] S. Bi and Y. J. Zhang, "Defending mechanisms against false-data injection attacks in the power system state estimation," in Proc. IEEE GLOBECOM Workshops, 2011, pp. 1162–1167.
[105] S. Bi and Y. J. A. Zhang, "Graph-based cyber security analysis of state estimation in smart power grid," IEEE Commun. Mag., to be published, doi: 10.1109/MCOM.2017.1600210CM.
[106] M. Ekstedt and T. Sommestad, "Enterprise architecture models for cyber security analysis," in Proc. IEEE/PES Power Syst. Conf. Expo., Seattle, WA, USA, 2009, pp. 1–6.
[107] L. Ding, Q.-L. Han, X. Ge, and X.-M. Zhang, "An overview of recent advances in event-triggered consensus of multiagent systems," IEEE Trans. Cybern., vol. 48, no. 4, pp. 1110–1123, Apr. 2018.
[108] Y. Zhang, L. Wang, W. Sun, R. C. Green, II, and M. Alam, "Distributed intrusion detection system in a multi-layer network architecture of smart grids," IEEE Trans. Smart Grid, vol. 2, no. 4, pp. 796–808, Dec. 2011.
[109] P. Lee, A. Clark, L. Bushnell, and R. Poovendran, "A passivity framework for modeling and mitigating wormhole attacks on networked control systems," IEEE Trans. Autom. Control, vol. 59, no. 12, pp. 3224–3237, Dec. 2014.
[110] Q. Yang et al., "On false data-injection attacks against power system state estimation: Modeling and countermeasures," IEEE Trans. Parallel Distrib. Syst., vol. 25, no. 3, pp. 717–729, Mar. 2014.

Chen Peng (M'13–SM'15) received the B.Sc. and the M.Sc. degrees in coal preparation and the Ph.D. degree in control theory and control engineering from the Chinese University of Mining Technology, Xuzhou, China, in 1996, 1999, and 2002, respectively.

From 2004 to 2005, he was a Research Associate with the University of Hong Kong, Hong Kong. From 2006 to 2007, he was a Visiting Scholar with the Queensland University of Technology, Brisbane, QLD, Australia. From 2011 to 2012, he was a Post-Doctoral Research Fellow with the Central Queensland University, Rockhampton, QLD, Australia. From 2009 to 2012, he was the Department Head with the Department of Automation and a Professor with the School of Electrical and Automation Engineering, Nanjing Normal University, Nanjing, China. In 2012, he was appointed as an Eastern Scholar by the Municipal Commission of Education, Shanghai, China, and joined Shanghai University, Shanghai, where he is currently the Director of the Centre of Networked Control Systems and a Distinguished Professor. In 2018, he was appointed as an Outstanding Academic Leader by the Municipal Commission of Science and Technology, Shanghai. His current research interests include networked control systems, distributed control systems, smart grid, and intelligent control systems.

Prof. Peng was a recipient of one of the Most Cited Chinese Researchers in Computer Science by Elsevier from 2014 to 2017. He is an Associate Editor of a number of international journals, including Information Sciences and Transactions of the Institute of Measurement and Control.
Hongtao Sun received the B.Sc. degree in electronic information science and technology from Binzhou University, Binzhou, China, in 2010 and the M.Sc. degree in control engineering from the Lanzhou University of Technology, Lanzhou, China, in 2013. He is currently pursuing the Ph.D. degree with the School of Mechatronic Engineering and Automation, Shanghai University, Shanghai, China.

His current research interest includes stability and security of networked control systems.

Yu-Long Wang (M'14) received the B.S. degree in computer science and technology from Liaocheng University, Liaocheng, China, in 2000 and the M.S. and Ph.D. degrees in control science and engineering from Northeastern University, Shenyang, China, in 2006 and 2008, respectively.

He was a Post-Doctoral Research Fellow and a Research Fellow with Central Queensland University, Rockhampton, QLD, Australia, and an Academic Visitor with the University of Adelaide, Adelaide, SA, Australia. He is currently a Professor with Shanghai University, Shanghai, China. His current research interests include networked control systems, fault detection, and the motion control for marine vehicles.
Mingjin Yang received the B.Sc. degree in electrical engineering and automation from Xuzhou Normal University, Xuzhou, China, in 2011 and the M.Sc. degree in control engineering from Shanxi University, Taiyuan, China, in 2016. He is currently pursuing the Ph.D. degree with the School of Mechatronic Engineering and Automation, Shanghai University, Shanghai, China.

His current research interests include fault diagnosis, power system, and networked control systems.
