2340 ieee transactions on information forensics …55 million customers [1] and 2012 india blackout...

2340 IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 9, NO. 12, DECEMBER 2014

Resilience Analysis of Power GridsUnder the Sequential Attack

Yihai Zhu, Student Member, IEEE, Jun Yan, Student Member, IEEE, Yufei Tang, Student Member, IEEE,Yan (Lindsay) Sun, Senior Member, IEEE, and Haibo He, Senior Member, IEEE

Abstract— The modern society increasingly relies on electricalservice, which also brings risks of catastrophic consequences,e.g., large-scale blackouts. In the current literature, researchersreveal the vulnerability of power grids under the assumptionthat substations/transmission lines are removed or attackedsynchronously. In reality, however, it is highly possible thatsuch removals can be conducted sequentially. Motivated by thisidea, we discover a new attack scenario, called the sequentialattack, which assumes that substations/transmission lines canbe removed sequentially, not synchronously. In particular, wefind that the sequential attack can discover many combinationsof substation whose failures can cause large blackout size.Previously, these combinations are ignored by the synchronousattack. In addition, we propose a new metric, called thesequential attack graph (SAG), and a practical attack strategybased on SAG. In simulations, we adopt three test benchmarksand five comparison schemes. Referring to simulation results andcomplexity analysis, we find that the proposed scheme has strongperformance and low complexity.

Index Terms— Power grid security, attack strategies, cascadingfailures.

NOMENCLATURE

�Mseq Blackout Size of M-node Sequential

Attack.�M

syn Blackout Size of M-node SynchronousAttack.

M Number of Victim Nodes.P Size of SetC .R Size of Setm

R RC .Seq ASM

degree Degree-based Sequential Attack Strategy.Seq ASM

E S Exhaustive Search Based Sequential AttackStrategy.

Seq ASMload Load-based Sequential Attack Strategy.

Seq ASMS AG SAG-based Sequential AttackStrategy.

SetC Set of Candidate Node.

Manuscript received February 5, 2014; revised May 31, 2014 andSeptember 1, 2014; accepted October 9, 2014. Date of publication October 16,2014; date of current version November 12, 2014. This work was supportedin part by the National Science Foundation under Grant CNS-1117314, GrantCNS-0643532, and Grant ECCS-1053717 and in part by the Army ResearchOffice, under Grant W911NF-12-1-0378. The associate editor coordinating thereview of this manuscript and approving it for publication was Dr. AthanasiosVasilakos.

The authors are with the Department of Electrical, Computer, andBiomedical Engineering, University of Rhode Island, Kingston, RI 02881USA (e-mail: [email protected]; [email protected]; [email protected];[email protected]; [email protected]).

Color versions of one or more of the figures in this paper are availableonline at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TIFS.2014.2363786

SetmR RC mth Round Recommended Combination Set.

Syn ASMdegree Degree-based Synchronous Attack Strategy.

Syn ASMload Load-based Synchronous Attack Strategy.

Syn ASMRG RG-based Synchronous Attack Strategy.

CFS Cascading Failure Simulator.RG Risk Graph.RRCS Round Recommended Combination Set.SAG Sequential Attack Graph.SeqAS Sequential Attack Strategy.SynAS Synchronous Attack Strategy.VLs Victim Links.VNs Victim Nodes.

I. INTRODUCTION

ELECTRIC grids have been developing over decadesand become increasingly interconnected and complex.

Although mechanisms and regulations have been applied tomaintain the stability and security of power transmissions,large-scale blackouts are still inevitable. In the pastdecade, large-scale blackouts have caused catastrophic results.Examples include 2003 Northeast American blackout affecting55 million customers [1] and 2012 India blackout leaving700 million people without power [2]. In these cases,initial failures of one or a few power grid components(i.e., substations and transmission lines) can trigger the succes-sive failures of other components. In other words, a sequenceof dependent failures of individual components successivelyweakens power grids, which is referred to as the cascadingfailure [3].

The triggers of cascading failures can be diverse, such asnatural reasons, aging of equipment, and human errors [4].Recently, malicious attacks become significant and potentialtriggers of cascading failures. For instance, there are increasingevidences of malicious intention and actions that aim todestruct the US power systems [5]–[7]. Such attacks are simi-lar to the attacks in computer networks [8], [9]. To understandthe vulnerability of power grids, an important approach is toinvestigate malicious attacks, in terms of possible attack strate-gies, features, and consequence. Such investigation would alsofacilitate the study on mitigating or even preventing cascadingfailures in the future.

In the current literature [10]–[14], designing attack strate-gies is an important direction to investigate malicious attackson power grids. In particular, attackers can obtain informationof the power grid, choose a set of nodes (i.e., substations),

1556-6013 © 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

ZHU et al.: RESILIENCE ANALYSIS OF POWER GRIDS 2341

referred to as victim nodes (VNs), or a set of links(i.e., transmission lines), referred to as victim links (VLs),and assume to remove these VNs/VLs through either cyberpenetration [7] or physical sabotages [6], [15]. In reality,attackers can collect the power grid information in differentways, e.g., purchasing the entire North American power gridfrom commercial companies [16]. In addition, the attackerscan conduct attacks against power grids by using cyber attacksor physical attacks. A simulated cyber attack has shown thegenerators in the U.S. power grid can be remotely accessedand destroyed by hackers [17]. Physical attacks have alreadycaused power outage in reality. On October 6, for instance,2013, a 37-year-old man in Arkansas physically destroyeda local high-voltage transmission line, which resulted in10,000 customers without power [18]. Physical attacks canalso be conducted in simple ways, such as cutting down atree to trip transmission lines [1], or in complex ways, suchas using electromagnetic pulse (EMP) to destroy substationsand transmission lines [19], [20]. In summary, it is possiblefor attackers to collect enough information of the power gridand carefully design their attacks.

Attack strategies in existing works [10]–[14], [21]–[28]can be classified from different angles. The first angle is thenumber of VNs/VLs. Single-node/link attacks are studiedin [10], [21], and [22]; many industry reliability standardsrequire power grids can tolerate failure of single node/link [4].Multiple-node/link attacks often cause larger damageand receive more research attention [12]–[14], [24], [25],[27], [29]. The second angle is whether nodes, links, or bothare removed. There are some studies that investigate attackson links [12], [21], [25], [26], whereas many investigateattacks on nodes [10]–[14], [21], [22], [24], [25], [27]–[29].Very few studies address attacks on both together [30].The third angle differentiates attack strategies accordingto the underlying cascading failure models they assumed.Some attack strategies are only meaningful for a givenmodel [11], [27], [29], whereas others are useful undervarious assumptions [10], [13], [24].

We argue that the above three classification angles arenot sufficient. An important classification angle is missing.In the current literature, it is assumed that multiple-node/link attacks are conducted synchronously or nearlysynchronously [25]. This assumption, however, omits the factthat multiple removals can occur sequentially. In other words,the attacker can remove VNs/VLs according to a carefullydesigned time sequence.

Furthermore, cascading failures in real life involve thesequences of various events, such as voltage collapse, gen-erators shunt down, and transmission lines tripping [4]. Thecascade process lasts probably minutes, or even hours [1], [2].Thus, time domain is an essential dimension to cascading fail-ures. The assumption of synchronous removals has apparentlimitations to comprehensively exploit the characteristics ofcascading failures. In this paper, we discover a new attackscenario, called the sequential attack. From the perspectiveof the new angle, attack strategies can be divided intonewly-discovered sequential attack strategy (SeqAS) andexisting synchronous attack strategy (SynAS).

Is the sequential attack more dangerous than the syn-chronous attack? Can the new attack scenario reveal newvulnerabilities of power grids? Are existing metrics useful todesign the SeqAS? In this paper, we answer these questionsby investigating the sequential attack and the SeqAS on nodes.The major contributions are summarized as follows.

• First, we find strong sequential attacks by using theexhaustive search on IEEE 39 bus system. On this small-scale power grid, we discover that the sequential attackgenerally causes more severe cascading failures, mea-sured by the blackout size, than the synchronous attack.

• Second, we propose a novel metric, called the sequentialattack graph (SAG). Compared with existing metrics,e.g., degree and load, this metric can intuitively capturethe combination of vulnerable nodes and indicate theorder of their removals, which would lead to strongersequential attacks.

• Third, we design a new SeqAS based on SAG, calledthe SAG-based SeqAS, which can achieve good attackperformance with low complexity.

• Finally, we perform extensive experiments to demonstratethe features of the sequential attack, the proposed metric,SAG, and the proposed SAG-based SeqAS. Brieflyspeaking, we adopt three different power grids as testbenchmarks. The proposed SAG-based SeqAS is com-pared with five other schemes. The comparison schemesinclude the straightforward degree-based SeqAS andload-based SeqAS, and three existing synchronous attackstrategies. The results demonstrate that the proposedSeqAS strategy yields strong attacks against powergrids. In addition, based on the complexity analysis, theproposed scheme has low complexity.

In our previous work [31], we conducted some preliminarystudies on the sequential attack regarding links. The proposedattack strategies regarding nodes can be extended to investigatethe sequential attack strategies regarding links.

The rest of this paper is organized as follows. Related workis discussed in Section II. In Section III, we define thesequential attack and demonstrate the new vulnerabilities. InSection IV, we propose a new metric, called sequential attackgraph (SAG), and the SAG-based sequential attack strategy.Experiments and discussions are given in Section V, followedby the conclusion in Section VI. In Appendix, cascadingfailure simulators used in this paper are presented in detail.

II. RELATED WORKS

Traditionally, investigating the attack strategy is from theperspective of the SynAS. We briefly summarize the existingattack strategies as follows.

The random removal, randomly choosing VNs, is to mimicunintentional failures, e.g., vegetation sagging, earthquakes,lightening, or software and hardware faults. Power grids havebeen proven to be insensitive to random removals [24], [28].

The search-based approaches provide attackers a possibleway to search for a set of VNs whose synchronous removalscan yield the strongest performance. However, the exhaustivesearch [11], or the similar contingency analysis in the power


TABLE I

COMPARISON BETWEEN THE PROPOSED WORK AND SOME

WELL-STUDIED ATTACK STRATEGIES

society [4], usually has extensive search space and is com-putationally infeasible [4], [11]. In order to improve searchefficiency, some heuristic approaches [13], [25] are proposedto reduce the search space. The key problem of search-basedapproaches is that they can not make quick attack decisionsbecause of the large search space.

The metric-based approaches are prevailing in studyingattack strategies. Many metrics have been proposed. Somemetrics are straightforward, e.g., degree [28], load [10] andrisk if failure (RIF) [11]. These metrics directly exploit thefeatures of power grids, e.g., the topology and initial powerflows. Other metrics are more complex, such as load distribu-tion vector (LDV) [12], risk graph (RG) [13] and geographicinformation [14]. These metrics can find the attacks strongerthan the straightforward metrics. Existing metrics, however,are specifically designed for the SynAS. It is unknown whetherthese existing metrics can yield strong SeqAS.

Furthermore, a few recent works have studied the vul-nerability of power grids from the perspective of timedomain [32], [33]. Cascading failures in power grids can havedramatically different intermediate processes, which revealsvarious evolution of cascading failures [32]. In addition,multiple triggers can be applied consecutively [33], withintervening time between two consecutive removals.

In this paper, we consider the time domain to reveal thevulnerability of power grids and develop practical and strongattack strategy. Particularly, we are interested in investigatingthe sequential attack. A brief summary is shown in Table I.

III. THE SEQUENTIAL ATTACK

AND NEW VULNERABILITIES

Before introducing the sequential attack scenario, weintroduce several concepts as follows.

• The removal of a node means physically disconnectingthis node from the power grid by removing its incomingand outgoing links. In reality, such removals can beconducted by either cyber attacks or physical attacks [15].

• A multiple-node combination is referred to as a setof nodes. An attack strategy is to select one suchmultiple-node combination as its VNs.

• For a multiple-node combination, we can perform theremovals either sequentially or synchronously. Either

Fig. 1. Comparisons between the sequential attack and the synchronousattack.

attack strategy can cause damage (in terms of blackoutsize defined in Equ. 3) to the power grid. The strength ofthe multiple-node combination for the SeqAS (or SynAS)is referred to as the damage caused by sequentially (orsynchronously) removing these nodes.

• The vulnerability of the power grid can have broadmeanings in the current literature. In this paper, thevulnerability analysis is to specifically find thesemultiple-node combinations that have large strengths.

• Known vulnerabilities are referred to as strong multiple-node combinations found by the synchronous attack.

• New vulnerabilities are referred to as strong multiple-node combinations that are discovered by the sequentialattack, but are not found by the synchronous attack.

In the rest of this section, we first introduce the formaldefinition of the sequential attack in Section III-A, then intro-duce several concepts related to setting up the demonstrationin Section III-B, and finally discuss the new vulnerability ofthe power grid in Section III-C.

A. The Sequential Attack

For a multiple-node combination with M nodes, supposethe removals of them occur at T1, T2, . . ., TM . If all removalshappen at the same time (i.e., usually at the beginning ofcascading failures or time 0), this attack scenario is referredto as the synchronous attack in this paper. That is,

T1 = T2 = · · · = TM (1)

If Equ. 1 is not satisfied, this attack scenario is referred to asthe general definition of the sequential attack. In particular, inthis paper we are interested in the special case that all removalsoccur at different times. That is,

T1 < T2 < · · · < TM (2)

The definition of the sequential attack in Equ. 2 means thatone node is removed each time. This definition is extensible.In Fig. 1, we demonstrate these two attack scenarios inthis paper. Roughly speaking, under the synchronous attackscenario M removals are conducted simultaneously at T1 = 0,while under the sequential attack scenario the first removaloccurs at T1 = 0 and the rest removals (i.e., M − 1 removals)occur sequentially at T2 till TM during cascading failures.Specifically, the calculation of T1, T2,…, TM is discussed indetails in Appendix.


Fig. 2. Topology of IEEE 39 bus system.

B. Concepts Related to Demonstration Setup

We show the features of the sequential attack throughdemonstrations, and explain some concepts for the demon-stration as follows.

• Grid Network: A power grid is viewed as a network,where substations and transmission lines are viewed asnodes and links, respectively. The set of nodes is denotedby B; the set of links is denoted by L. Due to differentfunctionalities, nodes are generally categorized into threesets, generation nodes (or generators that produceelectricity), transmission nodes, and demand nodes(delivering electricity to customers) [11]. The set of gen-eration nodes is denoted by G; the set of demand nodesis denoted by D. The number of nodes, links, generationnodes and demand nodes are represented as NB , NL, NGand ND , respectively.

• Test Benchmark: We adopt IEEE 39 bus system [29] asthe test benchmark to demonstrate new vulnerabilities.IEEE 39 bus system consists of 39 nodes (10 generationnodes and 29 demand nodes) and 46 links, which meansNB = 39, NL = 46, NG = 10 and ND = 29. Thetopology of IEEE 39 bus system is shown in Fig. 2.

• Blackout Size: We adopt the blackout size to measurethe strength of a multiple-node attack. Blackout size isdefined as [24],

� = 1 −∑

d∈D P ′d∑

d∈D Pd(3)

where Pd and P ′d represent the power on the demand node

before and after the attack, respectively. This definition,

Fig. 3. The correlation between the strengths of the two-node sequentialattacks and the two-node synchronous attacks on IEEE 39 bus system.

similar to that in [24], is the normalized power loss, whichmeans 0 ≤ � ≤ 1. The larger � is, the stronger themultiple-node attack is.

• Strong Attack: We define a threshold, η. Numerically,if the strength of a multiple-node attack, denoted by �,is larger or equal to η (i.e., � ≥ η), this multiple-nodeattack is called a strong attack; otherwise it is called aweak attack (i.e., � < η).

• Sequential Attack CFS: Cascading failure simula-tor (CFS) is employed to mimic the occurrence of remov-ing nodes and the evolution of cascading failures. Thesequential attack CFS in this paper is modified from theCFS in [25]. In Appendix, we give the detailed discussionon both the sequential attack CFS and the synchronousattack CFS adopted in this paper.

Next, for a multiple-node combination with M nodes,we perform both the synchronous attack and the sequentialattack. The strength of the M-node synchronous attack isdenoted by �M

syn; the strength of the M-node sequential attackis denoted by �M

seq . They are obtained as follows.• �M

syn: Perform the synchronous attack on M nodes in thesynchronous attack CFS. �M

syn is measured in terms ofblackout size when the synchronous attack CFS stops.

• �Mseq: There are M! orders of the M-node combination.

Perform the sequential attack for each order in thesequential attack CFS, and record all strengths in termsof blackout size. The largest strength value is �M

seq .

C. Demonstration of New Vulnerabilities

We conduct two-node attacks (i.e., M = 2) onIEEE 39 bus system. There are in total

(392

) = 741 two-nodecombinations. For each two-node combination, we obtain twostrength values, �2

syn and �2seq . The relation between the

sequential attack and the synchronous attack is demonstratedin Fig. 3 by plotting �2

seq versus �2syn. There are 741 dots

in Fig. 3, each of which represents a two-node combination.The relation between �2

seq and �2syn is not straightforward

based on Fig. 3, because the dots are scattered in the plane.


For demonstration purpose, we conduct two classificationsamong all dots.

First, we compare both �2seq and �2

syn with η (i.e., thethreshold of defining a strong attack). If �2

seq ≥ η

(or �2syn ≥ η), the two-node sequential attack (or the

two-node synchronous attack) is strong; otherwise, this attackis weak. By setting η = 0.2 (20% power loss is a big enoughevent for a power grid [24], [25]), we divide the 741 dotsin Fig. 3 into four types as follows.

• Type I: Both the sequential attack and the synchronousattack are strong. That is, �2

seq ≥ η and �2syn ≥ η.

• Type II: The sequential attack is strong, while the syn-chronous attack is weak, which means �2

seq ≥ η and�2

syn < η.• Type III: The sequential attack is weak, while the syn-

chronous attack is strong, which means �2seq < η and

�2syn ≥ η.

• Type IV: Both the sequential attack and the synchronousattack are weak. That is, �2

seq < η and �2syn < η.

Type II is particularly interesting. From the perspectiveof the synchronous attack (i.e., according to x-axis), dotsbelonging to Type I and Type III are strong attacks, whiledots in Type II and Type IV are weak attacks. However,if referring to y-axis, from the sequential attack’s point ofview, dots in Type II are viewed as strong attacks. It is clearlyseen from Fig. 3 that there are a considerable number of dotsbelonging to Type II. In particular, the dots in Type II are ofimportance to reveal new vulnerability of power grids, whichare not discovered in previous works.

Second, from Fig. 3, we see that the sequential attack cannot only discover new vulnerabilities but improve the strengthof many two-node attacks. We compare �2

seq with �2syn and

categorize these 741 dots into three groups.

• Group 1: The performances of the sequential attackand the synchronous attack are similar. If the differencebetween �2

seq and �2syn is less or equal to the threshold θ

(i.e., |�2seq −�2

syn| ≤ θ ), we put this dot (i.e., a two-nodecombination) into group 1.

• Group 2: The sequential attack is stronger than thesynchronous attack. If �2

seq − �2syn > θ , the dot is put

into group 2.• Group 3: The synchronous attack is stronger than the

sequential attack. If �2syn − �2

seq > θ , the dot is put intogroup 3.

For the dots in Group 2, the sequential attack reachesbetter strength than the synchronous attack. We set θ tobe 0.1. Among the 741 dots in Fig. 3, 75.44% belong toGroup 1, 22.94% belong to Group 2, and only 1.62% belongto Group 3. This statistic demonstrates the sequential attackcan find more combinations that can yield large strength thanthe synchronous attack.

More demonstrations and analysis on the features of thesequential attack are discussed in Section V.

IV. SEQUENTIAL ATTACK STRATEGY

The sequential attack strategy (SeqAS) is referred toas the method to identify multiple VNs and the order of

sequentially removing. In this section, we extend three existingsynchronous attack strategies to the sequential attack scenar-ios in Sections IV-A and IV-B, and propose a new SeqASin Section IV-C.

A. Exhaustive Search Based Sequential Attack Strategy

The strongest multiple-node sequential attack can be foundthrough the exhaustive search. Let Seq ASM

E S denote theexhaustive search based SeqAS with M VNs. Generally speak-ing, Seq ASM

E S can obtain the optimal optimal performance.However, Seq ASM

E S is often computationally infeasible.In a power grid with NB nodes, Seq ASM

E S needs to launch(NBM

) × M! times of the sequential attack CFS. When eitherNB or M is a large, even moderate, number, Seq ASM

E S needs atremendous number of simulations. Take IEEE 39 bus systemas an example, where NB = 39. When M = 6, Seq AS6

E Swill require more than 109 simulations. Running simulationonce on IEEE 39 bus system needs around 0.0107 (second),which is showed in Table VIII. It roughly needs 291 daysto finish all simulations for Seq AS6

E S . In addition, the sizeof real-life power transmission systems, however, is muchlarger than that of IEEE 39 bus system. For instance, theNorth American power transmission system has more than50,000 substations. Using Seq ASM

E S on such a system iscomputationally infeasible to find multiple victim nodes.

In this paper, we mainly adopt Seq ASME S as the comparison

scheme to analyze the complexity of other attack strategies,which will be discussed in Section V-E.

B. Degree-Based and Load-Based Sequential Attack Strategies

Two metrics, degree and load, have been widely usedin the SynAS [10], [11], [20], [24], [27], [28], [34], [35].We straightforwardly extend the degree-based and load-basedsynchronous attack strategies to obtain the degree-based andload-based sequential attack strategies. The degree of a nodeis defined as the number of the links connecting to thisnode [11]; the load of a node is defined as the summationof the absolute values of power injection into this node byall generation-demand-node pairs [24]. The load values arecalculated based on simulations but not the real power load onsubstations. This load definition is similar to the functionalityof other definitions, e.g., betweenness in [10] and extendedbetweenness in [21].

We present the degree-based SeqAS with M VNs, denotedby Seq ASM

degree as follows. There are two steps. In the firststep, select M nodes with maximum degrees as the VNs. Thisis the same as the degree-based SynAS in [10], [24], and [27].In the second step, we determine the order of removal ofthese VNs. We study two orders: (1) from higher degree tolower degree, and (2) from lower degree to higher degree.We choose the order that yields the stronger attack strength.In other words, we need to perform twice the sequential attackCFS to determine the order of removal.

The specific time of removing these M VNs is brieflydescribed as follows with more details in Appendix.. Thefirst removal is conducted as at the beginning. The mth ,2 ≤ m ≤ M , removal is conducted either after the (m − 1)th

removal or after tripping an overloaded link. Take removing


two VNs as an example. Removing the first VN occurs atthe beginning. After the removal, if there exists overloadedlink(s), the second VNs will be removed after tripping an suchoverloaded link; otherwise, the second removal is conductedafter the first removal.

The load-based SeqAS with M VNs, denoted bySeq ASM

load , uses the same procedure, except replacing“degree” by “load”.

C. Proposed Sequential Attack Strategy

In this substation, we present a practical and strong SeqASwith three steps. The first step is to use the iterative procedure(Section VI-C1) to search multiple-node combinations thatyield strong sequential attacks. The second step is to constructthe sequential attack graph (SAG) (Section VI-C2). The finalstep is to determine the VNs and removal order based onthe SAG (Section VI-C3). This proposed scheme is called theSAG-based SeqAS, denoted by Seq ASM

S AG .1) Iterative Procedure: The iterative procedure in [13] is

an effective and efficient way to find node combinations thatyield strong synchronous attacks. The rationale behind is thatif a m-node combination can yield strong synchronous attack,by combining these m nodes with another important node, thenew (m + 1)-node combination will likely become anotherstrong synchronous attack. Here, the important node refers tothese nodes that has strong single-node attack performance;the selection of important nodes (also referred to as candidatenodes) is discussed in the following part of this section.We extend this rationale to exploit node combinations thatyield strong sequential attacks.

Next, we briefly introduce the iterative procedure used inthis paper. This brief introduction focuses on the main ideaof the procedure. For interesting readers, more details can befound in [13] and [36].

• Assume the power grid has NB nodes, and the totalnumber of iteration rounds is M̂ .

• The rationale is to design a M̂-round iterative process tosearch the node combinations that yield strong sequentialattacks. We consider two restrictions. First, we selectP nodes as candidate nodes, denoted by SetC . Second,in each round we select R node combinations as roundrecommended combination set (RRCS). The mth RRCS(1 ≤ m ≤ M̂) is denoted by Setm

R RC . The parameterP and R will be introduced later.

• The strength of a node or a node combination is measuredin terms of the blackout size defined in Equ. 3. Strongernodes or node combinations yield larger blackout size.

• In the 1st round, the iteration is initialized. We first con-duct NB one-node attacks, then select the top P strongestnodes as candidate nodes and put them into SetC , andfinally select the top R strongest nodes as 1th RRCS andput them into Set1

R RC , where each combination consistsof only one node.

• In each following round, e.g., mth round, SetmR RC are

determined as follows. First, combine each candidatenode in SetC with each node combination in Setm−1

R RC toobtain P × R m-node combinations. Then, conduct the

TABLE II

THE REALIZATION OF RRCS ON IEEE 39 BUS SYSTEM

sequential attack using nodes in each m-node combina-tion as VNs. Finally, select top R strongest combinationsout of P × R combinations as mth RRCS and put theminto Setm

R RC .• The set-up of parameters R and P are of importance to

limit the search space. For R, we choose a small value,e.g., 16 in this paper, because selecting a few strongestnode combinations within each round is enough to findstrong attacks [13]. For P , it can vary according to thescale of a power grid (i.e., NB). For a small-scale powergrid, e.g., IEEE 39 bus system, P can be NB . For alarge-scale power grid, e.g., Polish transmission systemwith NB = 2383 nodes, P can be a value that is muchsmaller than NB , e.g., P = 150, because these mostvulnerable nodes are more critical than others in findingstrong attacks [10], [11], [24].

Regarding multiple-node attacks, {Set2R RC , Set3

R RC , . . . ,

Set M̂R RC} represent the strongest node combinations that are

found in each iteration round. Take IEEE 39 bus system as anexample. We set P , R and M̂ to be 39, 16 and 5, respectively.A realization of {Set2

R RC , Set3R RC , Set4

R RC , Set5R RC} is shown

in Table II. From the second column to the fifth column, themth column shows Setm

R RC . For instance, the node combina-tions kept in the 2nd round are showed in the 2nd column, andeach combination consists of two nodes.

2) Sequential Attack Graph: We specifically design a newmetric, called sequential attack graph (SAG), to find VNs andtheir removal order. The SAG metric is constructed accordingto RRCS obtained in Section VI-C1. The construction of SAGincludes the following steps.

• Step 1: For a given power grid, set up parameters P ,R and M̂ and obtain RRCS (i.e., {Set2

R RC , . . . , Set M̂R RC }).

An example of RRCS is demonstrated in Table II.• Step 2: Generate the combination-SAG for each node

combination. Take the combination {b1, b2, b3} asan example. First, add three vertexes, labeled asb1, b2 and b3. Second, for each pair of nodes in thiscombination, add a directed edge with the direction point-ing from the node at front to the node behind. That is,b1 → b2, b1 → b3 and b2 → b3. Finally, assign the


Fig. 4. The demonstration of constructing SAG. (a), (b) and (c) are thecombination-SAGs constructed from single node combinations; (d) is obtainedby merging (a) and (b); (e) is obtained by merging (c) and (d).

weight to each edge, referred to as the edge occurrencefrequency (EOF). If a combination has m nodes, thereare m(m−1)

2 edges and the EOF of each edge is 2m(m−1) ,

such that the total weight introduced by this combinationis 1. In the above example, m equals to 3 and the EOFof each edge is 1

3 . Figs. 4(a), 4(b) and 4(c) demonstratethe examples of the combination-SAG.

• Step 3: Merge all combination-SAGs to generatethe SAG. We give an example of merging twocombination-SAGs as follows. First, put all vertexes inboth combination-SAGs into a new combination-SAG,and merge the repeated vertexes. Second, put all edges inboth combination-SAGs into the new combination-SAG.For the repeated edges, merge them and sum their EOF asthe new EOF; for the non-repeated edge, keep this edgeand its EOF. Figs. 4(d) and 4(e) demonstrate the resultsof merging two combination-SAGs. Fig. 4(d) is generatedby merging Fig. 4(a) and Fig. 4(b); Fig. 4(e) is generatedby merging Fig. 4(c) and Fig. 4(d).

The SAG of IEEE 39 bus system, for example, is con-structed based on Table II and demonstrated in Fig. 5, wherethe width and color of an edge is determined by its EOF. Thewider and darker an edge is, the larger the EOF is.

3) SAG-Based Sequential Attack Strategy: The direction andweight of an edge in SAG convey important information. Thegreater the weight of an edge is , the more likely the pairof nodes connected by this edge is a strong sequential attack.The direction represents the removal order of these two nodes.

Recall that SAG is constructed according to RRCS,{Set2

R RC , . . . , Set M̂R RC}. This SAG can be used to find strong

sequential attacks, as long as the number of VNs (i.e., M) isno larger than M̂ (i.e., M ≤ M̂).

We propose a sequential attack strategy, called theSAG-based SeqAS. Let Seq ASM

S AG denote the SAG-basedSeqAS with M VNs. Seq ASM

S AG is conductedas follows.

• Construct the SAG, where M̂ ≥ M .

Fig. 5. The sequential attack graph of IEEE 39 bus system. This figure isconstructed based on Table II and visualized by using Gephi [37].

• Find all interesting M-VN combinations in SAG. Eachinteresting combination, e.g., {b′

1, b′2, . . . , b

′M }, satisfies

the condition that for any pair of i and j , 1 ≤ i < j ≤ M ,there exists an edge between b′

i and b′j , and the direction

is b′i → b′

j .• For each interesting combination, compute the sum-

mation of EOF for all edges. The combination thatyields the largest EOF summation is chosen as theVNs for Seq ASM

S AG . In this combination, the removalorder already exists. That is, b′

i is removed earlier thanb′

j , if i < j . The corresponding removal order is1, 2, · · · , M .

For instance, according to SAG in Fig. 5, if attackers wantto choose three VNs (i.e., M = 3) for Seq AS3

S AG , the VNschosen by the above procedure is {26, 31, 39}. The removalorder is first node 26, then node 31, and finally node 39. Howto determine the removal times is discussed in Appendix. Forexample, the node 26 is initially removed, which might causesome links to be overloaded. The second removal, removingnode 31, occurs either after removing node 26 or after trippingan overloaded link caused by removing node 26. The time toremove node 39 is similarly determined.

The basic idea behind Seq ASMS AG is to find these VNs

whose node pairs occur most frequently in RRCS. Obviously,it is not guaranteed that the above procedure can discover thestrongest M-node sequential attack, which can be found bySeq ASM

E S . The complexity of Seq ASMS AG , however, is much

lower than that of Seq ASME S , as demonstrated in Section V-E.

V. SIMULATIONS AND DISCUSSIONS

We investigate the sequential attack on three different testbenchmarks, IEEE 39 and 300 bus systems and Polish trans-mission system, which are all available in Matpower [38].The brief description of these test benchmarks is givenin Table III. IEEE 39 bus system, a small-scale power grid,is used to demonstrate new vulnerabilities discovered by thesequential attack. All test benchmarks are adopted to compare


TABLE III

DESCRIPTION OF TEST BENCHMARKS USED IN THIS PAPER. NB , NL , NGAND ND REPRESENT THE NUMBER OF NODES, LINKS, GENERATION

NODES AND DEMAND NODES, RESPECTIVELY

TABLE IV

THE NUMBER OF NODE COMBINATIONS BELONGING

TO TYPE I, TYPE II, TYPE III AND TYPE IV ON

IEEE 39 BUS SYSTEM

the proposed SAG-based SeqAS with comparison schemes.Simulations are conducted in Matlab environment.

A. Further Demonstration of the Sequential Attack

In this subsection, we extend the demonstration of thesequential attack. In Section III we have demonstrated the newvulnerabilities discovered by the sequential attack. Here, weextend the demonstration by conducting three-node attacks andfour-node attacks on IEEE 39 bus system.

Similar to the discussion in Section III-C, we conductboth the sequential attack and the synchronous attack foreach three-node/four-node combination, obtain two strengthvalues, and perform two types of classifications. Takethree-node attacks as an example. There are in total 9,139three-node combinations. For each combination, we obtain�3

seq and �3syn. By comparing both �3

seq and �3syn with the

threshold η (i.e., η = 0.2), we divide these 9,139 combinationsinto four types (i.e., Type I, Type II, Type III and Type IV).Note that the combinations in Type II represent the newvulnerabilities. Recall that new vulnerabilities refer to thestrong multiple-node combinations that are individually dis-covered by the sequential attack. If only the synchronousattack is used in vulnerability analysis, these new vulnerablecombinations will not be recognized as critical ones in termsof causing cascading failures. In addition, we can divide thesecombinations into three groups (i.e., Group 1, Group 2 andGroup 3). The combinations in Group 2 lead to sequentialattacks that are stronger than synchronous attacks.

There are 82,251 four-node combinations; similar classifica-tions are conducted. Comparison results are shown in Table IVand Table V, respectively. We have the following observations.

• As M increases, the number of multiple-node combina-tions belonging to Type II increases sharply, which ishighlighted in bold in Table IV. This means that thesequential attack can discover more new vulnerabilities.

• As M increases, the percentages of Group 2, highlightedin bold in Table V, go up quickly, which means thesequential attack can exploit more strong attacks than thesynchronous attack.

TABLE V

THE PERCENTAGE OF NODE COMBINATIONS BELONGING TO GROUP 1,

GROUP 2 AND GROUP 3 ON IEEE 39 BUS SYSTEM

B. Comparison Between the Sequential Attack and theSynchronous Attack in Terms of Attack Strength

Although we focus on studying the attack in the paper, wewant to understand the attack strength under simple defensescheme. It is reasonable to assume that some critical nodesin a power grid have strong physical and/or cyber protectionsuch that the attacker cannot successfully remove them [39],[40]. In this subsection, we compare the sequential attack withthe synchronous attack in terms of the average strength, underthe condition that some critical nodes are protected from theinitial removal. In particular, the comparison is conducted asfollows.

• We test the defense scheme on IEEE 39 bus system.• We sort all nodes in this test benchmark descendingly

based on �1syn , i.e., the strength of one-node attacks.

• We find that the strengths of the first ten nodes areapparently larger than those of others. These ten nodesare more critical than others. Therefore, we determine twosets. The first set includes the first ten nodes; the secondset includes all remaining nodes.

• We introduce the protection rate, denoted by α, andprotect �NB×α� nodes. If �NB×α� ≤ 10, these protectednodes are chosen from the first set based on �1

syn.Otherwise, we choose 10 nodes from the first set, andthen randomly select the remaining �NB ×α�−10 nodesfrom the second set for protection. (Note that, when�NB × α� > 10, the random selections are conductedmany times in order to obtain the average performancesfor the following comparisons.)

• We consider multiple-node attacks, where nodes can onlybe chosen from the N

′B = NB − �NB × α� unprotected

nodes. Let �̄seq and �̄syn denote the average blackoutsize for the sequential attack and the synchronous attack,respectively. Considering M-node attacks, there are in

total(N

′B

M

)combinations. We perform the sequential attack

on each combination, and average all(N

′B

M

)strength values

as �̄seq . Similarly, we conduct the synchronous attack onall combinations and obtain �̄syn .

• In simulations, α is chosen from 0 to 0.4 with the stepsize as 0.05; M is set to be 2, 3 and 4, respectively.

Comparisons are demonstrated in Fig. 6, where threesubfigures show comparisons regarding two-node attacks,three-node attacks and four-node attacks, respectively. In eachsubfigure, the x-axis represents the protect rate; y-axis rep-resents the average blackout size. In addition, the red-squarecurve represents �̄seq ; the blue-star curve represents �̄syn.The observations and discussions made from Fig. 6 are givenas follows.


Fig. 6. Comparisons between the sequential attack and the synchronous attack in terms of average blackout size, where the protect rate, α, is chosen from0 to 0.4 with the interval 0.05. Three subfigures show comparisons on (a) two-node attacks, (b) three-node attacks and (c) four-node attacks.

First, on average, the sequential attack is stronger than thesynchronous attack. In the three subfigures, the red-squarecurves are higher than the blue-star curves. That is, thesequential attack can obtain better average attack performance.For instance, when the protect rate is zero (α = 0), mean-ing no nodes are protected, �̄seq are 0.38, 0.56 and 0.69,while �̄syn are relatively 0.32, 0.42 and 0.5 (see in Fig. 6).

Second, the protection scheme can reduce the damagecaused by initial removals to the power grid. As α increasesfrom 0 to 0.4, all curves in Fig. 6 decrease. This is reasonable.As the number of critical nodes that are protected from initialremovals increases, there will be less and less multiple-nodecombinations that can yield strong attack performance.

Third, the protection scheme alone cannot solve the cascad-ing failure problem. The simulation is conducted under theassumption that up to 40% of nodes are initially protected,which is really high percentage in any realistic systems.However, even α is chosen as 0.4, on IEEE 39 bus system theaverage blackout size caused by the sequential attack is stillaround 0.28 for two-node attacks, 0.47 for three-node attacks,and 0.62 for four-node attacks. Besides the protected nodes,there are many remaining nodes, whose single removals mightnot cause serious cascading failures. The combination of thesenodes, however, can cause moderate-scale, even large-scale,power outages. Note that our discussion here is based on theassumption that people can only choose and protect a limitednumber of critical nodes. It is not practical to protect a largenumber of, or even all, nodes in a power grid.

Finally, as M increases, the sequential attack yields betterattack strength. We can see from the three subfigures in Fig. 6that the gap between the two curves becomes larger whileM increases from 2 to 4. This is reasonable. In this paper, fora M-node combination, we perform the exhaustive search tofind the removal order with the largest � for the sequentialattack (discussed in Section III-B). When M increases, thetotal number of removal orders (i.e., M!) increases sharply.The sequential attack has more flexibility, and the synchronousattack is a special case of the sequential attack.

C. Comparison Among Different SequentialAttack Strategies

In this subsection, we compare the proposed Seq ASMS AG

with these straightforward sequential attack strategies,i.e., Seq ASM

E S , Seq ASMload and Seq ASM

degree. We set the num-

TABLE VI

PERFORMANCE COMPARISONS BETWEEN Seq AS ME S

AND Seq AS MS AG ON IEEE 39 BUS SYSTEM

ber of VNs (M) to be 2, 3, 4 or 5, and adopt IEEE 39 bussystem, IEEE 300 bus system and Polish transmission systemas test benchmarks. Due to the need of extensive number ofsimulations, Seq ASM

E S is only feasible on IEEE 39 bus system.The other three schemes are tested on all three benchmarks.

Comparison results between Seq ASMS AG and Seq ASM

E S areshown in Table VI. Comparison results among Seq ASM

S AG ,Seq ASM

load and Seq ASMdegree are shown in Fig. 7, where three

subplots represent comparisons on different test benchmarks.In each subplot, x-axis represents the number of victimnodes (VNs); y-axis represents the blackout size. In addition,red-triangle curves, blue-square curves and green-pentagramcurves represent the strength of Seq ASM

S AG , Seq ASMload and

Seq ASMdegree, respectively. Based on Table VI and Fig. 7,

we have the following observations and discussions.First, the performance of Seq ASM

S AG is close to that ofSeq ASM

E S . In Table VI, it is apparent that the performancesof Seq ASM

S AG equal to those of Seq ASME S at M = 3, 4, 5,

while at M = 2 the performance of Seq ASMS AG is weaker than

that of Seq ASME S . On large-scale systems, it is expected that

the performance of Seq ASMS AG cannot be so close to that of

Seq ASME S as on IEEE 39 bus system. However, the theoretical

proof is difficult to obtain at this stage. This is because (1) thisconvergence problem is in generally difficult in cascadingfailure studies [4]; (2) Seq ASM

E S is computationally infeasibleon large-scale systems.

Second, the proposed metric, SAG, is better than thewidely-studied metrics, degree and load, in terms of find-ing stronger sequential attacks. It is clearly seen fromFig. 7 that the proposed Seq ASM

S AG is much stronger thanSeq ASM

load and Seq ASMdegree. In Fig. 7(b), for instance, the

strengths of Seq AS3S AG , Seq AS3

load and Seq AS3degree are

0.78, 0.32 and 0.17, respectively. These results are reasonable.The metrics, degree and load, are not specifically designedfor the sequential attack. These metrics cannot accurately findVNs and the removal order, which can yield strong sequential


Fig. 7. Blackout size versus the number of victim nodes (M). Comparisons are made among Seq ASMS AG , Seq AS M

degree and Seq AS Mload , on (a) IEEE 39 bus

system, (b) IEEE 300 bus system and (c) Polish transmission system.

TABLE VII

PERFORMANCE COMPARISONS AMONG Seq AS MS AG ,

Syn AS Mdegree , Syn AS M

load AND Syn AS MRG

attack. However, the proposed metric, SAG, can reveal notonly vulnerable nodes but orders of their removals (an exampleis shown in Fig. 5). From the perspective of the sequentialattack, SAG is an effective metric.

Finally, it is highly possible to cause serious power lossto a power grid by only sequentially removing several VNs.This observation agrees with a recent discovery in [41]. In thisarticle published at Nature news, the author discussed that inpower grids failure in one place leads to failure in anotherplace, which cascades into collapse. Seq ASM

S AG is powerful tocause serious power loss. In Fig. 7(c), for example, if only twoVNs are chosen and removed from Polish transmission system(less than 1% of the total number of nodes), Seq AS2

S AG cancause nearly 87% power loss, a serious blackout case. It isclearly seen that Seq ASM

S AG is a strong attack strategy againstpower grids.

D. Comparison Between the Proposed SeqASand Synchronous Attack Strategies

In this subsection, we compare the SAG-based SeqASwith three synchronous attack strategies, the degree-basedSynAS, denoted by Syn ASM

degree, the load-based SynAS,denoted by Syn ASM

load , and the RiskGraph-based SynAS,denoted by Syn ASM

RG . In the current literature [10], [11], [13],[24], [28], these schemes represent the most popular ones andare conducted as follows.

• Syn ASMdegree: Calculate the degree for all nodes, and

select M nodes with top largest degree as VNs [11].

• Syn ASMload: Calculate the load for all nodes, and select

M nodes with top largest load as VNs [24].• Syn ASM

RG: Construct the metric, Risk Graph (RG), andselect M nodes that are tightly connected in RG asVNs [13].

All three benchmarks are used in this comparison. We setthe number of VNs (i.e., M) to be 2, 3, 4 and 5. Results aredemonstrated in Table VII. The strengths of Seq ASM

S AG areunderlined; in each group comparison, the strongest strengthis highlighted in bold. We make the following observations.

First, Seq ASMS AG is much stronger than Syn ASM

load andSyn ASM

degree. Because, the metric, SAG, is specificallydesigned and more accurate than degree and load in findingmultiple-node combinations that yield strong attacks.

Second, Seq ASMS AG is mostly stronger than Syn ASM

RG , witha few exceptions. In Table VII, we can see that Seq ASM

S AGis weaker than Syn ASM

RG only at M = 2 for IEEE 39bus system and M = 4 for Polish transmission system.We explain this as follows. In Fig. 3, it is already shown thatthe strongest synchronous attack (according to x-axis) hassimilar strength to the strongest sequential attack (accordingto y-axis). Although, in an average sense the sequentialattack is stronger the synchronous attack, the SeqAS doesnot guarantee to yield the strongest attack. This also indicatesthat Seq ASM

S AG can be further improved. For example, weallow that more than one nodes can be removed at the sametime, which means the “equality” can be met in Equ. 2. Thiscombination of sequential and synchronous attacks has thepotential to yield strong attacks.

In summary, compared with the existing synchronous attackstrategies, Seq ASM

S AG can surely yield larger damage andneeds to be considered in designing defense approaches forpower grids.

E. Complexity Analysis of Different Attack Strategies

In the current literature [3], [4], [29], the cascading failurein power grids is considered to be a complex process, and theclose-form theoretical analysis the cascading failure is stillunavailable. In this paper, we use two CFSs, the sequentialattack CFS and the synchronous attack CFS. Both are intro-duced in the Appendix. We use OSeqC F S to represent thecomputational complexity of the sequential attack CFS andOSynC F S to represent the computational complexity of thesynchronous attack CFS.


TABLE VIII

NUMERICAL COMPLEXITY VALUES

Although, theoretical complexities of OSeqC F S andOSynC F S are unavailable, their numerical complexities can beobtained by simulations. On Window 7 OS with 4 GB memoryand dual-core i5 CPU (2.4GHz each), we run the sequentialattack CFS for 1000 times on each test benchmark, and obtainthe average time as the numerical complexity of OSeqC F S.Similarly, we can obtain the numerical complexityof OSynC F S. In Table VIII, numerical complexities aredemonstrated. The unit is second (s). We have the followingobservations.

• Numerically, OSeqC F S and OSynC F S are almost the sameon each test benchmark. Because, both CFSs use similarcascading procedures (discussed in the Appendix).

• The numerical complexities increase dramatically as NBincreases. The scale of the power gird is an importantfactor to the computational complexity of both CFSs.

Since, OSeqC F S ≈ OSynC F S , we can uniformly use OC F S

to represent the complexity of running either CFSs once onthe power grid. For any attack strategy, the complexity toidentify its VNs consists of two parts. The first part is tofinish some preliminary work, such as constructing the gridnetwork. Let OP denote the complexity of the first part. Fordifferent attack strategies, OP is necessary and nearly thesame. In addition, OP is much less than OC F S . Comparedwith OC F S , OP is negligible in complexity analysis. Thesecond part is to determine VNs. For some attack strategies,e.g., Syn ASM

degree, the second part does not rely on any CFS.For other attack strategies, e.g., Seq ASM

E S , the second partneeds to rely on the CFS. Since, OP is necessary and nearlythe same for each attack strategy. We will mainly analyze thecomplexity of the second part for different attack strategies.The complexity of each attack strategy is calculated as follows.

First, we calculate the complexity of Seq ASME S ,

denoted by �E SSeq AS . Seq ASM

E S needs to search among(NB

M

)×M! different removal orders. The complexity ofSeq ASM

E S is,

�E SSeq AS = OP + (

(NBM

)

× M!) × OC F S (4)

Second, we calculate the complexity of Seq ASMdegree,

denoted by �degreeSeq AS . The metric, degree, can be obtained

through finishing the preliminary work. Determining VNs doesnot rely on CFS; the complexity is 0×OC F S . Determining theremoval order needs to run CFS twice, meaning the complexityis 2 × OC F S . Therefore, the complexity of determining VNsand removal order is 2 × OC F S . In summary, �

degreeSeq AS is

OP + 2 × OC F S .In addition, let �

degreeSyn AS denote the complexity of

Syn ASMdegree. The calculation of �

degreeSyn AS is similar to that

of �degreeSeq AS . The difference is that Syn ASM

degree does not need

to determine the removal order of VNs. Therefore, determiningVNs for Syn ASM

degree does not rely on CFS; �degreeSyn AS is 0×

OC F S . The complexities of Syn ASMdegree and Seq ASM

degree are,

�degreeSyn AS = OP + 0 × OC F S = OP

�degreeSeq AS = OP + 2 × OC F S (5)

Third, calculating the complexity of Seq ASMload , denoted

by �loadSeq AS , is similar to that of �

degreeSeq AS; calculating the

complexity of Syn ASMload , denoted by �load

Syn AS , is similar to

that of �degreeSyn AS .

Finally, we calculate the complexity of Seq ASMS AG ,

denoted by �S AGSeq AS . There are two steps to determine

the VNs for Seq ASMS AG . The first step is to obtain the

metric, SAG, which includes searching for RRCS (dis-cussed in Section VI-C1) and constructing SAG (discussedin Section VI-C2). Obtaining RRCS needs to run CFS in totalNB + P × P × (M − 1) times; constructing SAG does notrely on CFS. Therefore, the complexity of the first step is(NB + P P × (M −1))× OC F S. R and P are chosen to be lessor equal to NB . In the worst case, when R = P = NB , thecomplexity of the first step is ((M−1)×(NB)2+NB)×OC F S ,the same order to (M × (NB)2) × OC F S . The second step isto choose VNs and the removal order from SAG (discussedin Section VI-C3). This step does not rely on CFS; thecomplexity is 0 × OC F S .

In practice, as long as attackers know the topology andelectrical features of a power grid, they can construct SAGof the power grid in advance. This step can be doneoff-line. When conducting the attack, attackers may encounterdifferent situations. If an attacker, for instance, has observedthat node 31 in Fig. 5 is down for some reasons (e.g., naturedisasters and previous attacks), he/she can quickly identify asequential attack strategy by adding another VN, e.g. node 39,to the already-down node 31. Therefore, sequential attacks canbe conducted on-line based on SAG.

From the above discussions, �S AGSeq AS consists of two parts,

�S AGSeq AS =

{OP + (M × (NB)2) × OC F S Off-lineOP On-line

(6)

The calculation of the complexity of Syn ASMRG , denoted

by �RGSyn AS , is similar to that of �S AG

Seq AS .Generally speaking, other attack strategies in this paper are

conducted on-line. Seq ASME S is not a metric-based approach,

and can only be conducted on-line. In addition, comparedwith simulating cascading failures, obtaining the metrics,degree and load, is fast, and does not need to be specificallycalculated off-line. Therefore, the degree-based and load-basedapproaches can be conducted on-line.

In summary, complexity comparisons among different attackstrategies in this paper are given in Table IX. For the proposedSAG-based SeqAS, its on-line complexity is as low as thatof the degree-based and load-based attack strategies, and itsoff-line complexity is much lower than that of the exhaustivesearch SeqAS.


TABLE IX

COMPLEXITY COMPARISONS AMONG DIFFERENT ATTACK STRATEGIES DISCUSSED IN THIS PAPER. OP REPRESENTS THE COMPLEXITY

OF FINISHING PRELIMINARY WORKS; OC F S REPRESENTS THE COMPLEXITY OF RUNNING CFS ONCE

VI. CONCLUSIONS AND FUTURE WORKS

In this paper, we investigated the sequential attackagainst power grids. The sequential attack can discover newvulnerabilities of power grids. We specifically designed themetric SAG, and proposed the SAG-based SeqAS. Intensiveexperiments were conducted to study the features of thesequential attack, and comparative studies with the existingapproaches demonstrate the effectiveness of the proposedSAG-based SeqAS.

There are several possible future directions along this topic.First, it is of importance to study the relation between theremoval order of VNs and the performance. Second, theproposed metric, SAG, demonstrates how nodes are relatedto each other in terms of sequential removals. This infor-mation can be exploited to design defense solutions againstmalicious attacks. Third, the construction of SAG on large-scale power grids, e.g., with thousands of nodes, is time-consuming, or even computationally infeasible. Developingnew strong SeqAS with lower complexity is needed. Fourth, itis an interesting direction to further investigate the proposedmetric, SAG, by using different methods, e.g., the extendedbetweenness model and transient stability analysis [42]. Fifth,it is necessary to use different protect strategies, e.g.,Monte Carlo method, to further investigate the sequentialattack. Sixth, cloud computing [43], [44] and energy stor-age [45] are the possible ways to study the defense schemesagainst the sequential attack. Finally, it is critical to developmore accurate models in future to simulate cascading failuresand conduct convergence study of cascading outage problems.

APPENDIX

CASCADING FAILURE SIMULATOR

In this paper, we use a DC power-flow model to set upcascading failure simulator (CFS). This is because DC power-flow model can approximate the power system failure behavioreffectively and efficiently. Nonetheless, it is easy to similarlyset up CFSs by adopting simplified topological models [27]or more complicated transient stability analysis [46].In particular, we use two types of cascading failure simu-lator (CFS), the sequential attack CFS and the synchronousattack CFS. Our CFSs are modified from the CFS in [25].Briefly speaking, we conduct the modifications as follows.

• In our CFSs, multiple removals can be conducted eithersequentially or synchronously; in the CFS from [25],multiple removals are conducted synchronously.

• Our CFSs will stop when there is no more attacks andno overloading links; the CFS from [25] will terminate

Fig. 8. The diagram of sequential attack CFS adopted in this paper.

when 10% of the nodes are no longer connected to thelargest island.

• In our CFSs, we adopt the blackout size (defined inEqu. 3) to measure the damage of the attack; in the CFSfrom [25], there is no such measurement.

We first introduce the sequential attack CFS. Fig. 8 illus-trates its flow diagram; the description of each step is givenas follows.

CFS Step 1: Suppose an attack strategy has determined Mvictim nodes (VNs) and the order to remove them,e.g., {V N1, V N2, . . . , V NM }, where V Ni represents i th

VN (1 ≤ i ≤ M). These M removals are performedindividually at M different times, e.g., {T1, T2, . . . , TM },during cascading failures.CFS Step 2: Initialize CFS, e.g. set up timer T andcalculate initial power flows.CFS Step 3: Remove one VN each time at time T tomimic the sequential attack. That is, remove V Ni attime Ti . After each removal, update the topological andelectrical features of the power grid. The calculation of Ti

will be discussed below.CFS Step 4: Check whether CFS needs to stop. If yes,quit CFS and goto CFS Step 11. The criterion to terminateCFS include (1) all removals are finished, (2) there is nooverloaded link.CFS Step 5: If the power grid is broken into additionalsubgrids due to removals of VNs or trips of links fromCFS Steps 3 to 9, re-dispatch generation and shed loadto meet power supply/demand balance in each subgrid as


follows. First, ramp up or down the supply of genera-tors to meet the demand as closely as possible. Theseadjustments are restricted by the capacity of genera-tors and ramping time [25]. Second, after re-dispatchinggenerators in a subgrid, if the generation is surplus(η = (

∑g∈G(Pg)−∑

d∈D(Pd )) > 0, where G and D rep-resent the sets of generation nodes and demand nodes inthe subgrid, respectively), trip the generators sequentially,beginning from the smallest one, until η ≤ 0 [25]. Third,after ramping the generation and tripping the surplusgenerators, if the supply is insufficient (i.e., η < 0),tripping the demand nodes sequentially, beginning fromthe smallest one, until η ≥ 0. Then, if η > 0, recoverthe last tripped demand node partially to the demand ηto meet supply/demand balance. When a subgrid reachesthe balance, DC power-flows are recalculated to checkthe overloading on links.CFS Step 6: Check link overloadings. If there is (are)overloaded link(s), go through CFS Steps 7 to 9 to dealwith the overloading; otherwise go to CFS Step 10 tocheck next possible removal.CFS Step 7: Update relays. For the link(s) withoverloading, use the time-delayed overcurrent relay todetermine whether/when next link is tripped [25]. Here,the “relay modeling” is to mimic a number of processesby which links may shut down, such as the overheatingof a transmission line due to sagging into vegetation. If alink is overloaded at time T, the timer begins to countthe overloading duration. We assume that each link cantolerate the overloading for certain time, denoted by τ .The τ for link j , denoted by τj , is defined as,

τj ={

Ojfj−Fj

if fj > Fj

0 otherwise(7)

where fj is the current power flow, Fj is the flow limit,and Oj is the threshold, which is chosen such that link jcan tolerate 5 seconds of being 50% above its powerflow limit. For instance, suppose the flow limit of link jis 45 (i.e., Fj = 45), the threshold Oj is calculated as0.5 ∗ 45 ∗ 5 = 112.5. If the current flow in link j is55 (i.e., fj = 55), τj is 11.25 = 112.5

55−45 s. The definitionindicates that how fast a link is tripped depends howseriously this link is overloading. Among all overloadedlinks, the link(s) with the smallest τ value is chosen tobe tripped in CFS Step 9. The corresponding τ value isreferred to as τmin .CFS Step 8: Update the timer to when next trip happens,as T = T + τmin , the smallest τ in CFS Step 7.CFS Step 9: Trip the chosen link(s) in CFS Step 7, andupdate the topological structure and the electrical featuresof the power grid network.CFS Step 10: Check whether all removals are finished.If not, current time T is the “time” for next removal.CFS Step 11: When CFS stops, evaluate the damage byexploiting the blackout size, defined in Equ. 3.

In CFS Step 3, Ti is calculated as follows. First, wheni = 1, T1 = 0, meaning the first removal, V N1, occurs at

the beginning of cascading failures. Second, when 2 ≤ i ≤ M ,Ti is obtained depending on whether there are overloaded linksafter removing V Ni−1 at Ti−1. If there exist overloaded links,Ti = Ti−1+τmin , where τmin is decided in CFS Step 7. That is,the removal of V Ni at Ti occurs after tripping an overloadedlink in CFS Step 9. Otherwise, Ti = Ti−1 + ε (ε is a smallinterval, e.g., 0.001.). That is, the removal of V Ni at Ti occursjust after the removal of V Ni−1 at Ti−1.

Note that if we use different policies to determine Ti ,the sequential attack performances may be different. In thispaper, we specifically use the above policy to demonstratethe sequential attack. In the future works, we will surelyconsider to further investigate various policies in determiningthe removal time.

The procedures of the synchronous attack CFS is similarto that of the sequential attack CFS. The only difference isthat in CFS Step 3 all M VNs are removed simultaneously atthe begging of cascading failures. That is, T1 = T2 = · · · =TM = 0.

REFERENCES

[1] “Final report on the August 14, 2003 blackout in the United Statesand Canada: Causes and recommendations,” U.S.-Canada Power SystemOutage Task Force, Tech. Rep., Apr. 2004.

[2] The Guardian. India Blackouts Leave 700 Million Without Power.[Online]. Available: http://www.guardian.co.uk/, accessed May 15, 2014.

[3] R. Baldick et al., “Initial review of methods for cascading failureanalysis in electric power transmission systems,” in Proc. IEEE PowerEnergy Soc. General Meeting, Pittsburgh, PA, USA, Jul. 2008, pp. 1–8.

[4] M. Vaiman et al., “Risk assessment of cascading outages: Methodologiesand challenges,” IEEE Trans. Power Syst., vol. 27, no. 2, pp. 631–641,May 2012.

[5] Attack Ravages Power Grid. [Online]. Available:http://www.nytimes.com/, accessed May 20, 2014.

[6] X. Liu, K. Ren, Y. Yuan, Z. Li, and Q. Wang, “Optimal budgetdeployment strategy against power grid interdiction,” in Proc. IEEEINFOCOM, Turin, Italy, Apr. 2013, pp. 1160–1168.

[7] P. J. Hawrylak, M. Haney, M. Papa, and J. Hale, “Using hybrid attackgraphs to model cyber-physical attacks in the smart grid,” in Proc. 5thInt. Symp. Resilient Control Syst., Salt Lake City, UT, USA, Aug. 2012,pp. 161–164.

[8] Z. M. Fadlullah, T. Taleb, A. V. Vasilakos, M. Guizani, and N. Kato,“DTRAB: Combating against attacks on encrypted protocols throughtraffic-feature analysis,” IEEE/ACM Trans. Netw., vol. 18, no. 4,pp. 1234–1247, Aug. 2010.

[9] B. Liu, J. Bi, and A. V. Vasilakos, “Toward incentivizing anti-spoofingdeployment,” IEEE Trans. Inf. Forensics Security, vol. 9, no. 3,pp. 436–450, Mar. 2014.

[10] R. Kinney, P. Crucitti, R. Albert, and V. Latora, “Modeling cascadingfailures in the North American power grid,” Eur. Phys. J. B, Condens.Matter Complex Syst., vol. 46, no. 1, pp. 101–107, 2005.

[11] W. Wang, Q. Cai, Y. Sun, and H. He, “Risk-aware attacks andcatastrophic cascading failures in U.S. power grid,” in Proc. IEEE GlobalTelecommun. Conf., Houston, TX, USA, Dec. 2011, pp. 1–6.

[12] Y. Zhu, Y. Sun, and H. He, “Load distribution vector based attack strate-gies against power grid systems,” in Proc. IEEE Global Telecommun.Conf., Anaheim, CA, USA, Dec. 2012, pp. 935–941.

[13] Y. Zhu, J. Yan, Y. Sun, and H. He, “Risk-aware vulnerability analysisof electric grids from attacker’s perspective,” in Proc. IEEE PES Innov.Smart Grid Technol. Conf., Washington, DC, USA, Feb. 2013, pp. 1–6.

[14] J. Yan, Y. Zhu, H. He, and Y. Sun, “Multi-contingency cascading analysisof smart grid based on self-organizing map,” IEEE Trans. Inf. ForensicsSecurity, vol. 8, no. 4, pp. 646–656, Apr. 2013.

[15] J. E. David. (Jan. 5, 2014). Double Threat: US Grid Vulnerable on TwoFronts. [Online]. Available: http://www.cnbc.com/

[16] Platts. [Online]. Available: http://www.platts.com, accessedJan. 10, 2014.

[17] R. Lemos. (Sep. 27, 2007). DHS Video Shows Potential Impact ofCyberattack. [Online]. Available: http://www.securityfocus.com/

[18] (2013). FBI, Joint Terrorism Task Force Arrest Suspect in ArkansasPower Grid Attacks. [Online]. Available: http://www.forbes.com/


[19] P. K. Agarwal, A. Efrat, S. K. Ganjugunte, D. Hay, S. Sankararaman, andG. Zussman, “Network vulnerability to single, multiple, and probabilisticphysical attacks,” in Proc. Military Commun. Conf., San Jose, CA, USA,Oct./Nov. 2010, pp. 1824–1829.

[20] E. I. Bilis, W. Kroger, and C. Nan, “Performance of electric powersystems under physical malicious attacks,” IEEE Syst. J., vol. 7, no. 4,pp. 854–865, Dec. 2013.

[21] E. Bompard, D. Wu, and F. Xue, “Structural vulnerability of powersystems: A topological approach,” Electr. Power Syst. Res., vol. 81, no. 7,pp. 1334–1340, 2011.

[22] M. Khanabadi, H. Ghasemi, and M. Doostizadeh, “Optimal transmissionswitching considering voltage security and N-1 contingency analysis,”IEEE Trans. Power Syst., vol. 28, no. 1, pp. 0885–8950,Feb. 2013.

[23] Y. Yuan, Z. Li, and K. Ren, “Modeling load redistribution attacks inpower systems,” IEEE Trans. Smart Grid, vol. 2, no. 2, pp. 382–390,Jun. 2011.

[24] P. Hines, E. Cotilla-Sanchez, and S. Blumsack, “Do topological modelsprovide good information about electricity infrastructure vulnerability?”Chaos, vol. 20, no. 3, p. 033122, 2010.

[25] M. J. Eppstein and P. D. H. Hines, “A ‘random chemistry’ algorithm foridentifying collections of multiple contingencies that initiate cascadingfailure,” IEEE Trans. Power Syst., vol. 27, no. 3, pp. 1698–1705,Aug. 2012.

[26] D. L. Pepyne, “Topology and cascading line outages in power grids,”J. Syst. Sci. Syst. Eng., vol. 16, no. 2, pp. 202–221, 2007.

[27] J.-W. Wang and L.-L. Rong, “Cascade-based attack vulnerability on theUS power grid,” Safety Sci., vol. 47, no. 10, pp. 1332–1336, 2009.

[28] R. Albert, I. Albert, and G. L. Nakarado, “Structural vulnerability ofthe North American power grid,” Phys. Rev. E, vol. 69, p. 025103(R),Feb. 2004.

[29] S. Mei, X. Zhang, and M. Cao, Power Grid Complexity. Beijing, China:Tsinghua Univ. Press, 2011.

[30] A. J. Wood, B. F. Wollenberg, and G. B. Sheble, Power Generation,Operation and Control, 3rd ed. Hoboken, NJ, USA: Wiley,2009.

[31] Y. Zhu, J. Yan, Y. Tang, Y. Sun, and H. He, “The sequential attack againstpower grid networks,” in Proc. IEEE Int. Conf. Commun., Sydney, NSW,Australia, Jun. 2014, pp. 616–621.

[32] J. Yan, Y. Zhu, Y. Sun, and H. He, “Revealing temporal features ofattacks against smart grid,” in Proc. IEEE PES Innov. Smart GridTechnol. Conf., Washington, DC, USA, Feb. 2013, pp. 1–6.

[33] N. Fan, R. Chen, and J. Watson, “N-1-1 contingency-constrained optimalpower flow by interdiction methods,” in Proc. IEEE Power Energy Soc.General Meeting, San Diego, CA, USA, 2012, pp. 1–6.

[34] P. Holme, B. J. Kim, C. N. Yoon, and S. K. Han, “Attack vul-nerability of complex networks,” Phys. Rev. E, vol. 65, p. 056109,May 2002.

[35] P. Crucitti, V. Latora, M. Marchiori, and A. Rapisarda, “Error and attacktolerance of complex networks,” Phys. A, Statist. Mech. Appl., vol. 340,nos. 1–3, pp. 388–394, 2004.

[36] Y. Zhu, J. Yan, Y. Sun, and H. He, “Revealing cascading failurevulnerability in power grids using risk-graph,” IEEE Trans. ParallelDistrib. Syst., to be published.

[37] M. Bastian, S. Heymann, and M. Jacomy, “Gephi: An opensource software for exploring and manipulating networks,” inProc. 3rd Int. ICWSM Conf., San Jose, CA, USA, May 2009,pp. 361–362.

[38] R. D. Zimmerman, C. E. Murillo-Sanchez, and R. J. Thomas,“MATPOWER: Steady-state operations, planning, and analysis toolsfor power systems research and education,” IEEE Trans. Power Syst.,vol. 26, no. 1, pp. 12–19, Feb. 2011.

[39] T. T. Kim and H. V. Poor, “Strategic protection against data injectionattacks on power grids,” IEEE Trans. Smart Grid, vol. 2, no. 2,pp. 326–333, Jun. 2011.

[40] X. Liu, K. Ren, Y. Yuan, Z. Li, and Q. Wang, “Optimal budgetdeployment strategy against power grid interdiction,” in Proc. IEEEINFOCOM, Turin, Italy, Apr. 2013, pp. 1160–1168.

[41] J. Tollefson, “US electrical grid on the edge of failure,” Nature, Tech.Rep., Aug. 2013.

[42] J. Yan, H. He, and Y. Sun, “Integrated security analysis on cascadingfailure in complex networks,” IEEE Trans. Inf. Forensics Security, vol. 9,no. 3, pp. 451–463, Mar. 2014.

[43] L. Wei, H. Zhu, Z. Cao, W. Jia, and A. V. Vasilakos, “Seccloud: Bridgingsecure storage and computation in cloud,” in Proc. IEEE 30th Int. Conf.Distrib. Comput. Syst. Workshops (ICDCSW), Genova, Italy, Jun. 2010,pp. 52–61.

[44] L. Wei et al., “Security and privacy for storage and computation in cloudcomputing,” Inf. Sci., vol. 258, pp. 371–386, Feb. 2014.

[45] X. Sui, Y. Tang, H. He, and J. Wen, “Energy-storage-based low-frequency oscillation damping control using particle swarm optimizationand heuristic dynamic programming,” IEEE Trans. Power Syst., vol. 29,no. 5, pp. 2539–2548, Sep. 2014.

[46] J. Yan, Y. Tang, H. He, and Y. Sun, “Cascading failure analysis with DCpower flow model and transient stability analysis,” IEEE Trans. PowerSyst., to be published.

Yihai Zhu (S’13) received the B.S. degree incomputer science and technology from the HefeiUniversity of Technology (HFUT), Hefei, China, in2007, the M.S. degree in pattern recognition andintelligent systems from the University of Scienceand Technology of China, Hefei, China, in 2010,and the Ph.D. degree in electrical and computerengineering from the University of Rhode Island,Kingston, RI, USA, in 2014.

Dr. Zhu’s research interests include cybersecurity,smart grid security, cyber-physical systems, big data,

and pattern recognition. He was a recipient of the Best Paper Award at theIEEE International Conference on Communications (2014), the Best BachelorThesis Award of HFUT (2007), and the Soccer Simulation 3D Award at theRoboCup China Open (2006).

Jun Yan (S’13) received the B.S. degree in infor-mation and communication engineering from Zhe-jiang University, Hangzhou, China, in 2011, and theM.S. degree in electrical engineering from the Uni-versity of Rhode Island, Kingston, RI, USA, in 2013,where he is currently pursuing the Ph.D. degreewith the Department of Electrical, Computer andBiomedical Engineering.

His research interests include smart grid securityanalysis, cyber-physical systems and cyber-security,data analysis in biostatistics and bioinformatics,

computer vision and behavior analysis, computational intelligence, andmachine learning. He is currently with the Laboratory of ComputationalIntelligence and Self-Adaptive Systems, University of Rhode Island.

Yufei Tang (S’13) received the B.Eng. and M.Eng.degrees in electrical engineering from Hohai Univer-sity, Nanjing, China, in 2008 and 2011, respectively.He is currently pursuing the Ph.D. degree with theDepartment of Electrical, Computer, and BiomedicalEngineering, University of Rhode Island, Kingston,RI, USA.

His research interests include power system mod-eling, power system stability control, wind energygeneration and integration, smart grids, power sys-tem cyber security, and the application of computa-

tional intelligence in power systems.


Yan (Lindsay) Sun (SM’14) received theB.S. (Hons.) degree from Peking University,Beijing, China, in 1998, and the Ph.D. degreein electrical and computer engineering from theUniversity of Maryland at College Park, CollegePark, MD, USA, in 2004. She joined the Universityof Rhode Island, Kingston, RI, USA, in 2004,where she is currently an Associate Professorwith the Department of Electrical, Computer andBiomedical Engineering.

Dr. Sun is an elected member of the InformationForensics and Security Technical Committee in the IEEE Signal ProcessingSociety. She serves on the Editorial Board of the IEEE Security and PrivacyMagazine. She has also been an Associate Editor of the IEEE SIGNALPROCESSING LETTERS and Inside Signal Processing eNewsletter since2013 and 2010, respectively. Her research interests include power gridsecurity, trustworthy social computing, wireless network security, and reliablebiomedical systems. She applied signal processing techniques in modeling,detection, and estimation of abnormal behaviors in various computing andcommunication systems. she was a recipient of the Best Paper Awardsat the IEEE International Conference on Communications (2014) and theIEEE International Conference on Social Computing (2010), and the NSFCAREER Award.

Haibo He (SM’11) is currently the Robert HaasEndowed Professor of Electrical Engineering withthe University of Rhode Island, Kingston, RI, USA.He received the B.S. and M.S. degrees in electri-cal engineering from the Huazhong University ofScience and Technology, Wuhan, China, in 1999and 2002, respectively, and the Ph.D. degree inelectrical engineering from Ohio University, Athens,OH, USA, in 2006. From 2006 to 2009, he was anAssistant Professor with the Department of Electri-cal and Computer Engineering, Stevens Institute of

Technology, Hoboken, NJ, USA.His research interests include adaptive learning and control, cyber security,

smart grid, computational intelligence, and hardware design for machine intel-ligence. He has authored one research book (Wiley), edited one research book(Wiley-IEEE) and six conference proceedings (Springer), and authored or co-authored over 150 peer-reviewed journal and conference papers, includingCover Page Highlighted Paper in the IEEE TRANSACTIONS ON INFOR-MATION FORENSICS AND SECURITY, and highly cited papers in the IEEETRANSACTIONS ON KNOWLEDGE AND DATA ENGINEERING, the IEEETRANSACTIONS ON NEURAL NETWORKS, and the IEEE TRANSACTIONSON POWER DELIVERY. His researches have been covered by national andinternational media, such as the IEEE Smart Grid Newsletter, The Wall StreetJournal, and Providence Business News. He serves as the Program Co-Chair ofthe International Joint Conference on Neural Networks (2014) and the GeneralChair of the IEEE Symposium Series on Computational Intelligence (2014).He is currently an Associate Editor of the IEEE TRANSACTIONS ON NEURAL

NETWORKS AND LEARNING SYSTEMS and the IEEE TRANSACTIONS ONSMART GRID.

Prof. He was a recipient of the IEEE International Conference on Commu-nications Best Paper Award (2014), the IEEE CIS Outstanding Early CareerAward (2014), the K. C. Wong Research Award from the Chinese Academyof Sciences (2012), the National Science Foundation CAREER Award (2011),the Providence Business News Rising Star Innovator Award (2011), and theBest Master Thesis Award of Hubei, China (2002).

2340 ieee transactions on information forensics …55 million customers [1] and 2012 india blackout...

Documents