Graph-Theoretic Framework for Unified Analysis of Observability and DataInjection Attacks in the Smart Grid

Anibal Sanjab1,2, Walid Saad1, and Tamer Basar31 Wireless@VT, Bradley Department of Electrical and Computer Engineering, Virginia Tech, Blacksburg, VA, USA,

Emails: anibals,walids@vt.edu2 Flemish Institute for Technological Research, VITO/EnergyVille, Genk, Belgium, Email: anibal.sanjab@vito.be

3 Coordinated Science Laboratory, University of Illinois at Urbana-Champaign, IL, USA, Email: basar1@illinois.edu

Abstract—In this paper, a novel graph-theoretic framework isproposed to generalize the analysis of a broad set of security attacks,including observability and data injection attacks, that target thestate estimator of a smart grid. First, the notion of observabilityattacks is defined based on a proposed graph-theoretic construct.In this respect, a structured approach is proposed to characterizecritical sets, whose removal renders the system unobservable. It isthen shown that, for the system to be observable, these criticalsets must be part of a maximum matching over a proposedbipartite graph. In addition, it is shown that stealthy data injectionattacks (SDIAs) constitute a special case of these observabilityattacks. Then, various attack strategies and defense policies, forobservability and data injection attacks, are shown to be amenableto analysis using the introduced graph-theoretic framework. Theproposed framework is then shown to provide a unified basis foranalysis of four key security problems (among others), pertainingto the characterization of: 1) The sparsest SDIA; 2) the sparsestSDIA including a certain measurement; 3) a set of measurementswhich must be defended to thwart all potential SDIAs; and 4) theset of measurements, which when protected, can thwart any SDIAwhose cardinality is below a certain threshold. A case study usingthe IEEE 14-bus system with a set of 17 measurements is used tosupport the theoretical findings.

I. INTRODUCTION

With the integration of information and communication tech-nologies in power systems, new security concerns have emergeddue to the potential exploitation of this cyber layer to infiltrateand compromise the underlying physical system. Indeed, in re-cent years, various studies have focused on analyzing the securityof emerging cyber-physical power systems [1]–[7] and the effectof potential cyber attacks on the various operational componentsof the grid, ranging from power system state estimation [2],to electricity markets [3]–[5] and power system dynamics andcontrol [6], [7].

Such attacks can become more pronounced when they targetcritical power system functions such as state estimation. In thisregard, the power system state estimation is an integral smart gridprocess in which system-wide measurements are collected andprocessed to estimate the global state of operation of a power sys-tem [8]. State estimation is the basis for various grid operationaldecisions such as congestion management, economic dispatch,contingency analysis, and electricity pricing [9]. As a result,the critical importance of state estimation to the sustainableoperation of the grid makes it a primary target of possible cyber-physical attacks [1]. Such attacks may target the availability ofthe collected measurements as well as their integrity.

This research was supported by the U.S. National Science Foundation underGrants ECCS-1549894 and CNS-1446621, and in part by the Office of NavalResearch (ONR) MURI Grant N00014-16-1-2710.

In this respect, intercepting a subset of the collected measure-ment data using availability attacks (such as denial-of-serviceattacks) can render the power system unobservable (i.e. not fullyobservable), a state in which the collected measurements do notprovide enough independent equations to estimate the states.Such cyber-physical attacks, to which we refer as observabilityattacks hereinafter, will make the operator partially obliviousto the real state of operation of the system, leading to unin-formed operational decisions. Beyond observability attacks, datainjection attacks (DIAs) have emerged as a malicious type ofintegrity attacks which aim at manipulating the collected stateestimation data, leading to inaccurate state estimation outcomesthat result in misinformed operational decisions with potentiallydetrimental consequences [1]–[3]. As shown in [2], such DIAscan stealthily target the power system state estimation process –manipulating the collected measurements and altering the stateestimation outcome – while being undetectable by the systemoperator using traditional bad data detection mechanisms. Hence,due to their potential danger to system operation, such stealthydata injection attacks (SDIAs) and observability attacks havebeen the focus of various recent research efforts [10]–[16].

A. Related Works

In this regard, the works in [10] and [11] focused on com-puting a security set which comprises the minimum set ofmeasurements which must be attacked in addition to a certainspecific measurement in order to make the system unobservable.Moreover, the work in [12] focused on computing the cardinalityof the smallest set of meters which when attacked render thesystem unobservable. The authors in [13]–[15] extended suchobservability problems to studying SDIAs. In this regard, theseworks focused on characterizing the sparsest stealthy attackcontaining a certain specific measurement. In addition, the workin [16] focused on characterizing a set of measurements todefend so that no attack which concurrently manipulates a setof meters whose cardinality is below a certain threshold can bestealthy. Hence, this latter analysis focuses on the defense againstresource-limited attackers. As such, these works have focused onformulating and studying mathematical problems whose solu-tions enable anticipating potential sophisticated attacks – whichconstitutes a first step towards deriving corresponding defensemechanisms – and designing optimal defense strategies to thwartsuch attacks and mitigate their potential effect.

The computational complexity of these problems [10]–[16]has led to limiting the analysis of their solutions to special,often approximated, cases or required the use of heuristics andrelaxation techniques which led to suboptimal solutions. For

arX

iv:1

801.

0895

1v2

[cs

.SY

] 4

Feb

202

0

example, for characterizing the sparsest observability attackscontaining a specific measurement, the work in [10] focusedon the special case of measurement sets of low cardinalitywhile the work in [11] derived an approximate solution thatis based on the solution of a min-cut problem. In addition,with regard to the analysis of the sparsest SDIAs containinga certain measurement [13]–[15], the work in [13] focused onderiving an upper-bound on this stealthy attack set while thework in [14] used min-cut relaxation techniques to approximatethe sought solution. Moreover, the work in [15] proposed aheuristic algorithm which can approximate the solution of thestudied problem while an exact solution was found for the specialcase in which power flows over all the transmission lines andpower injections into and out of every bus are assumed to bemeasured. To defend against a resource-limited data injectionattacker, the authors in [16] used an l1 relaxation method forcharacterizing the set of meters to defend to thwart SDIAslaunched by attackers whose attack space is limited by a certaincardinality threshold. Other related security works are also foundin [17]–[22].

Therefore, this rich body of literature [10]–[22] employsheuristics and approximation techniques to numerically approx-imate the solutions to these fundamental observability attacksand SDIA problems rather than propose new analytical methodsfor studying these problems and characterizing their solutions.As such, there is a need for an analytical framework whichallows modeling and studying such data availability and integrityattacks and enables an analytical characterization of solutionsto such widely-studied security problems. In addition, the factthat these works [10]–[16] studied correlated problems but fromdifferent perspectives highlights the need for a unified frameworkusing which solutions to such correlated observability attacks andSDIA problems can be studied and derived.

B. Contributions

The main contribution of this paper is a novel unified graph-theoretic framework that enables a global detailed modeling andunderstanding of observability attacks and SDIAs. As a result,this framework provides a unified tool for analyzing variouswidely-studied observability attacks and SDIA problems suchas those studied in [10]–[16], among others. In addition, theproposed framework enables a graph-theoretic characterizationof solutions to such security problems. In this regard, ourproposed framework is based on a shift in the modeling ofobservability attacks and SDIAs from a linear algebra frame ofreference to a graph-theoretic perspective. As a result, basedon this proposed framework, such attacks can be modeledand analyzed by requiring only power system topological data,namely, the power system 1-line diagram and the location ofdeployed measurement units without the need for neither lineparameters data nor the exact knowledge of power flow levelsthroughout the system.

To build the proposed framework, we first begin by introduc-ing a graph-theoretic basis of observability attacks and, then, weprove that SDIAs are a special case of such observability attacks.In this respect, we introduce an algorithm providing a step-by-step approach for building critical sets, a set of measurements

TABLE ISUMMARY OF MAIN NOTATIONS.

z ∈ Rµ measurement vector with µ measurementsx ∈ Rν state vector with ν states

H ∈ Rµ×ν system’s Jacobian matrixG(N ,L) power system graph with N buses & L linesM set of measurements in G(N ,L)

T (N ,B) spanning tree over G(N ,L)MA ⊆M set of assigned measurements

f(.):MA → B measurement assignment functionCm critical set of measurement m

T mi (Nmi ,Bmi ) spanning tree over subgraph Gmi (Nmi ,Lmi )Mm

i set of measurements in subgraph Gmi (Nmi ,Lmi )Lm set of lines connecting subgraphs Gm1 and Gm2Mm set of measurements on or incident to Lm excluding m

– containing a certain specific measurement – which, whenremoved, renders the system unobservable. We then prove thatfor a DIA to be stealthy, the attacked measurements shouldstrictly result in leaving critical sets unmatched as part of amaximum matching over an introduced bipartite graph. As such,a graph-theoretic model of SDIAs is then introduced basedon which we analyze various well-studied SDIA problems. Inparticular, we show that our developed framework enables agraph-theoretic characterization of solutions to various SDIAproblems such as, but not limited to: 1) Finding the stealthyattack of lowest cardinality, 2) Finding the stealthy attack oflowest cardinality, including a specific measurement, 3) Findinga set of measurements which when defended can thwart allpossible stealthy attacks, and 4) Finding a set of measurements todefend against a resource-limited attacker, among others. Here,we note that our goal is not to propose tractable algorithms tothese problems, but rather to identify graph-theoretic problemswhose solutions would lead to the solutions of these problems.A case study using the IEEE 14-bus system, with 17 distributedmeasurement units, is considered throughout the paper to show-case the developed analytical concepts.

The rest of the paper is organized as follows. Section IIintroduces state estimation and power system observability. Sec-tion III introduces our proposed graph-theoretic foundation ofobservability attacks and shows its impact on modeling andanalyzing such data availability attacks. Section IV introducesthe proposed graph-theoretic framework for modeling SDIAs,as well as investigates various well-studied SDIA problems.Section V concludes the paper and provides an outlook detail-ing the impact of the proposed framework on studying futureobservability and data injection attacks.

A summary of the main notations used in this paper is givenin Table I.

II. STATE ESTIMATION AND OBSERVABILITY

We next provide an overview of state estimation and of thealgebraic and topological concepts of observability in powersystems. This overview provides background material which isuseful for the analysis that follows.

A. State Estimation Process

Consider a power system state estimation process whichuses various measurements collected from across the system to

estimate the voltage magnitudes and phase angles at every bus inthe system, known as the system states [8]. Let z ∈ Rµ (µ beingthe number of measurements) be the vector of collected mea-surements, which includes power flow levels (real and reactive)over transmission lines, power (real and reactive) injected in orwithdrawn from certain buses, as well as bus voltage magnitudes.In addition, let x ∈ Rν be the vector of system states. Therelationship between the measurements and the states directlyfollows from the linearized power flow equations [8]:

z = Hx+ e, (1)

where H ∈ Rµ×ν is the measurement Jacobian matrix ande ∈ Rµ is the vector of random errors that typically followsa Gaussian distribution, N(0,R), where R is positive definite.Here µ ≥ ν, that is the dimension of x cannot be larger than thedimension of the measurement vector, z. Further, we assume thatH is a full column rank matrix. Using a maximum-likelihoodestimator – a weighted least squares estimator (WLS) for aGaussian error vector e – an estimate of the states, x, will be:

x = (HTR−1H)−1HTR−1z. (2)

This estimate of all the states provides visibility of the steady-state operating conditions of the system, based on which variousoperational decisions are performed [8].

B. Power System Observability

The observability1 of the power system consists of the abilityto uniquely determine its states based on the collected set ofmeasurements [8]. Observability, hence, requires the collectedmeasurements to provide a sufficient number of independentequations to allow for the estimation of the state vector, x.Otherwise, when this observability condition is not met, thepower system is dubbed unobservable. The power system isobservable if and only if the measurement matrix H is offull column rank [8], which was our initial assumption. Thisis known as algebraic observability, as it enables assessment ofobservability using linear algebra. Due to the P − θ, Q − Vdecoupling2 in power systems [9], the observability analysiscan be decoupled by separately studying the observability ofvoltage phase angles, using real power measurements, and theobservability of voltage magnitudes, based on reactive powermeasurements. Since the two analyses are identical, we focushere on phase angle observability. To this end, we considerz ∈ Rµ to be a vector of real power measurements (businjections and line flows), and the state vector x ∈ [−π, π]ν to bethe vector of voltage phase angles (in radians). Here, ν = N −1for a power system with N buses given that the phase angle ofthe reference bus is fixed and is taken to be the reference withrespect to which all other phase angles are calculated [8].

An alternative measure of observability, which turns out to beequivalent to algebraic observability, has been proposed in [23]and uses graph-theoretic techniques to introduce the concept oftopological observability. Topological observability is equivalent

1Our analysis focuses on static state estimation and static observability ofthe power system, which is a fundamental aspect of power system analysis [8].Our analysis, thus, does not extend to dynamic observability of a power system,which would arise with dynamically changing states.

2P denotes real power, θ denotes voltage phase angles, Q denotes reactivepower, and V denotes voltage magnitudes.

to algebraic observability, in the sense that it enables assessmentof the observability of the power system using graph-theoretictools rather than using linear algebra as done for algebraicobservability. In this regard, let the power system 1-line diagrambe represented as a graph G(N ,L) in which the set of verticesN ,|N | = N , represents the set of buses of the power system whilethe set of branches L, |L| = L, represents the set of lines. Onekey result that was shown in [23] and that will be of relevanceto our work is the following:

Proposition 1 ([23] ): A power system is observable if andonly if a subset of measurements can be assigned to a subset ofedges of the power system graph G(N ,L), following a set ofassignment rules, in a way to form a spanning tree over G(N ,L).A spanning tree over G(N ,L) is an acyclic connected subgraphof G(N ,L) which contains (i.e. is incident to) the entire set ofnodes N of G(N ,L). The set of measurement assignment rulesare the following:

1) A measurement cannot be simultaneously assigned to twodifferent lines.

2) If m is a measurement over a transmission line l, then mcan only be assigned to l.

3) If m is an injection measurement over bus η ∈ N , thenm can only be assigned to an unmeasured line l that isincident to η.

If a measurement assignment yields a spanning tree over thepower network G, then the power system will be observable(and vice versa). Fig. 1 shows an example of measurementassignments over the IEEE 14-bus system. This figure showsthe tree edges (marked in solid red lines) to which measure-ment where assigned as part of the measurement assignmentfunction. The measurements that were assigned to each one ofthese edges are identified using dashed arrow lines originatingfrom the assigned measurement and pointing to the line towhich this measurement is assigned. This tree is formed ofedges 1, 2, 4, 6, 8, 9, 10, 12, 13, 15, 16, 17, 19 and spansthe whole vertex set N of the power system graph G, and hence,is a spanning tree. As a result, since this measurement assignmentyields a spanning tree, then the available set of measurementsrenders the system observable.

Let M be the set of measurements, and let T (N ,B) be aspanning tree formed by an assignment of a subset of measure-ments, MA ⊆ M, to a subset of lines B ⊆ L following themeasurement assignment rules in Proposition 1. The assignmentof measurements inMA to lines in B for constructing the span-ning tree T (N ,B) can be modeled by an assignment functionf(.) formally defined [23] as follows:

Definition 1: For an assigned set of measurement MA

forming a spanning tree T (N ,B) over the power system graphG(N ,L), the assignment function f(.) : MA → B indicateswhich measurement m ∈ MA is assigned to which edge b ∈ Bof the spanning tree T (N ,B).

For example, in Fig. 1, MA is composed of the injectionmeasurements over buses 1, 2, 3, 5, 6, 9, and 13 and the lineflow measurements over lines 2, 8, 9, 15, 17, and 19. In addition,B = 1, 2, 4, 6, 8, 9, 10, 12, 13, 15, 16, 17, 19, where eachedge of B in Fig. 1 is colored in red. Moreover, the correspondingassignment function f(.) is visualized in Fig. 1 by dashed red

1

12

6

2

13

10 119

14

4

3

5

8

7

1 7

2 3 4

5

6

9

17

2019

1112

13 18 16

1015

14

8

Bus number

Line number

Bus injection measurement

Line flow measurement

Tree branch

Edge not part of the tree

Measurement assignment

IEEE 14-Bus System

Fig. 1. IEEE 14-bus system with measurement assignment.

arrows indicating which measurement in MA is assigned towhich line in B.

Measurements in M that are not part of MA, i.e. m ∈M \ MA, are not assigned measurements and are, therefore,redundant measurements with respect to the assigned set ofmeasurements MA. Here, we note that due to this redundancy,a spanning tree which can be obtained from the measurementset following the measurement assignment rules may not beunique [23]. Hence, when such a redundancy exists, following adifferent assignment function can result in a different spanningtree and, hence, in different sets of assigned and redundantmeasurements.

Various algorithms of low complexity have been proposed tofind and build such a spanning tree [23]–[25]. In this regard, thework in [23] proposes an algorithm to find a spanning tree overG, which will be used in some of the derivations in the followingsections. This algorithm starts by processing flow measurementsby assigning each flow measurement to its corresponding branchto form disjoint tree components. Then, injection measurementsare assigned to lines in a way to connect these tree components toform one spanning tree. Here, we highlight one type of injectionmeasurements, namely, boundary injections, which will play acrucial role in our derivations.

Definition 2: A boundary injection is an injection measure-ment over a bus incident to lines whose flow is measured andlines whose flow is not measured [23].

Boundary injections play a major role in connecting thesetree components. Indeed, for a bus which is not incident toa measured line to be connected to the spanning tree, it hasto be reachable from a boundary injection through a series ofmeasurement assignments [23]. As such, boundary injections areconsidered to be sources and unmeasured buses are consideredto be sinks which must be connected to these sources followingthe set of measurement assignment rules.

We next build on the foundation of topological observability topresent a graph-theoretic framework for modeling and studyingthe security of the smart grid facing observability attacks and

SDIAs. This framework is based on our proposed concepts ofcritical sets and observability sets, which we define and derivein the next section.

III. OBSERVABILITY ATTACKS

The sustainable and efficient operation of the power systemrequires an accurate observability of all its states [8]. Securityattacks that target this observability can cause a limited (orpartial) monitoring ability for the operator over the power systemwhich can lead to incorrect operational decisions. Hence, study-ing and modeling attacks which can target the full observabilityof the system is indispensable to the sustainable operation ofthe grid. In this respect, we define a cyber-physical attack,dubbed observability attack, that consists of launching a denial-of-service (DoS) attack against a set of measurements to makethe system unobservable. We next study this type of attacks byintroducing and characterizing what we define as critical sets andobservability sets and prove that the well-studied stealthy datainjection attack is a subset of our defined observability attacks.This latter finding will provide us with a unified set of tools tocharacterize solutions to various widely-studied SDIA problems.

A. Critical Sets

Understanding and modeling observability attacks requires anin-depth understanding of the effect of the loss of any bundle ofmeasurements on the observability of the system. In this regard,we next introduce a structured method for identifying, for eachmeasurement m, a minimal set of measurements including m(which we refer to as a critical set of m), which when removedrenders the system unobservable. To this end, we first charac-terize the set of potential measurements to be investigated, foreach measurement m, and then provide the necessary discussionand introduce the underlying method for characterizing a criticalset of m. Then, a detailed algorithm is introduced to provide astep-by-step method for characterizing such critical sets.

As defined in Section II-B, we let MA ⊆ M be a set ofassigned measurements, i.e., a subset of measurements that areassigned to a subset of lines of the power system graph G(N ,L),following the measurement assignment rules in Proposition 1, toform a spanning tree, T (N ,B), over this graph. As described inSection II-B, T (N ,B) is a spanning tree as it includes all thenodes of G(N ,L). The set of edges of this tree, i.e. B, representsthe set of lines to which measurements inMA were assigned toconstruct the spanning tree. We refer to measurements that arenot part of MA as unassigned measurements. We consider thatthe system is originally observable. Hence, such a spanning treeand its corresponding set of assigned measurements exist.

In this regard, consider a spanning tree T (N ,B) result-ing from a measurement assignment and consider an as-signed measurement m ∈ MA. Since m is assigned toa line f(m) to build the spanning tree T (N ,B), its re-moval will split the original tree T (N ,B) into two treesT m1 (Nm

1 ,Bm1 ) and T m2 (Nm2 ,Bm2 ) each spanning, respectively,

subgraphs Gm1 (Nm1 ,Lm1 ) and Gm2 (Nm

2 ,Lm2 ), such that N =Nm

1 ∪Nm2 and B = Bm1 ∪ Bm2 ∪ f(m). We let Nm

1 = |Nm1 |

and Nm2 = |Nm

2 |. We refer to the set of measurements withineach of Gm1 (Nm

1 ,Lm1 ) and Gm2 (Nm2 ,Lm2 ) by, respectively, Mm

1

1

12

6

2

13

10 119

14

4

3

5

8 7

1 7

2 34

5

6

9

17

2019

11 12

13 18 16

1015

14

8

IEEE 14-Bus System

Unassigned Boundary Injection

Branches

Branches

Fig. 2. Effect of removal of the flow measurement over line 2, F2, in the IEEE14-bus system.

and Mm2 . In other words, Mm

i , for i ∈ 1, 2, consists ofinjection measurements over buses in Nm

i and power flowmeasurements over lines in Lmi .

Fig. 2 provides an illustrative example of the two spanningtrees created by the deletion of flow measurement F2 over line 2.Here, f(F2) is line 2. Fig. 2 represents the same system shownin Fig. 1 and will be used hereinafter to provide a practicalexample of the defined concepts and analytical derivations. Ascan be seen from Fig. 2, since F2 was assigned to line 2, whenthe measurement assignment is not modified (i.e. not consideringthe redundant measurements), the removal of F2 will split theoriginal tree T (N ,B), represented in solid red lines in Fig. 1,into two trees each of which spans a subgraph of G(N ,B),namely, subgraphs GF2

1 and GF22 in Fig. 2.

We let Lm be the set of lines connecting a bus in Gm1 to abus in Gm2 . In addition, let Nm

1,2 ⊆ Nm1 and Nm

2,1 ⊆ Nm2 be the

set of nodes in, respectively, Nm1 and Nm

2 which are connectedto a node in, respectively, Nm

2 and Nm1 . An example of these

notations is provided in Fig. 2, for m , F2. Lm is, hence,formally defined as:

Lm = l ∈ L | l = (η1, η2), η1 ∈ Nm1,2, η2 ∈ Nm

2,1. (3)

Gm1 and Gm2 are two disjoint subgraphs of G. Hence, for anytree to potentially span G, it must connect Gm1 and Gm2 (i.e.connect at least one node of Gm1 to a node in Gm2 ), whichcan only be achieved by assigning a measurement to a linein Lm. In this regard, we define MLm to be the set of linemeasurements over lines in Lm and injection measurements overbuses incident to Lm, i.e., buses in Nm

1,2 ∪ Nm2,1. Based on

the measurement assignment rules described in Section II-B, alsosummarized in Proposition 1, only measurements inMLm couldbe potentially assigned to a line in Lm. As a result, removingall of the measurements in MLm will guarantee that the systembecomes unobservable, as it guarantees that two subgraphs ofG would never be connected by any measurement assignment,making it, thus, impossible to build a spanning tree over G.Hence, the removal ofMLm is a sufficient condition for causing

the unobservability of the system. However, removing the entireset MLm may be more than required to prevent any possiblemeasurement assignment (or constructed tree) from connectingGm1 and Gm2 ; a goal which could be achieved by the removal ofonly a subset of MLm , as we investigate next.

In this regard, for the pair of subgraphs Gm1 and Gm2 , resultingfrom the spanning tree T , we define a set of measurements,Cm ∈ MLm , for each measurement m ∈ MA, to which werefer as a critical set of m, as follows:

Definition 3: For a measurement m ∈ MA and the pair ofsubgraphs Gm1 (Nm

1 ,Lm1 ) and Gm2 (Nm2 ,Lm2 )), a critical set of

m, denoted by Cm ⊆MLm , is a maximal set of measurements3

within MLm (i.e., the measurements which could be assignedto lines in Lm, following the measurement assignment rules inProposition 1, to connect a bus in Gm1 to a bus in Gm2 ) containingm, such that a spanning tree can be formed over each ofGm1 (Nm

1 ,Lm1 ) and Gm2 (Nm2 ,Lm2 ) using only the measurements

in Mm1 ∪Mm

2 \ Cm.In other words, Cm includes m and a maximal set of redundant

measurements in MLm \ m. When all of the measurementswithin Cm except for an arbitrary one are removed, Gm1 and Gm2can still be connected while having a spanning tree in each, toform a spanning tree over the entire graph G. Indeed, when mis removed, any m′ ∈ Cm can be assigned to a line in Lm toreconnect Gm1 and Gm2 , while a spanning tree can still be formedover Gm1 and Gm2 , using Mm

1 ∪Mm2 \Cm. A critical set, such

as Cm ∈ MLm is maximal in the sense that if any additionalmeasurement inMLm is added to Cm, no spanning tree could beformed in Gm1 (Nm

1 ,Lm1 ) or Gm2 (Nm2 ,Lm2 ) using measurements

in Mm1 ∪ Mm

2 \ Cm. From an algebraic perspective, Cm issuch that the Jacobian matrices of Gm1 and Gm2 using only themeasurements in Mm

1 \ Mm1 ∩ Cm and Mm

2 \ Mm2 ∩ Cm,

denoted by H(−Cm)1 and H

(−Cm)2 , are full column rank, i.e.,

rank(H(−Cm)1 ) = Nm

1 − 1 and rank(H(−Cm)2 ) = Nm

2 − 1.However, the addition of any additional measurement inMLm toCm would lead to rank(H(−Cm)

1 ) < Nm1 −1 or rank(H(−Cm)

2 ) <Nm

2 − 1. Hence, finding Cm corresponds to finding a maximalset of redundant measurements inMLm \m. This maximal setmay not be unique (as we will demonstrate in the analysis thatensues). Indeed, any set of measurements that meets Definition 3,is a critical set of m ∈ MA, considering the pair of subgraphsGm1 (Nm

1 ,Lm1 ) and Gm2 (Nm2 ,Lm2 ). Here, in general, a set of

measurements is redundant if its removal does not affect therank of the Jacobian matrix in the studied graph/subgraph or,equivalently, does not prevent the possibility of building aspanning tree over the studied graph/subgraph. We next introducea set of rules for building a critical set – which is not necessarilyunique – of a certain measurement, following which we providea step-by-step procedure for building such critical sets. As such,a critical set can be derived for each of the N −1 measurementsin MA, i.e., the measurement assigned as part of the originaltree. This set of N − 1 critical sets is then used, analyzed, and

3A critical set is defined based on the two subgraphs it aims to reconnect. Asthese two subgraphs are defined based on the original spanning tree T , Cm isthen dependent on T . However, the notion of a critical set defined here can alsobe applied to any other pair of adjacent subgraphs. For ease of notation, we donot include T as an index in the notation of Cm. However, the dependence ofCm on T , as we have highlighted, is always implied.

Flow measurements over lines in

Unassigned injection measurements over buses in

Assigned injection measurements over buses in

Redundant measurements part of

Further investigation needed to determine whether a measurement in this set

is part of Measurements in

Category 1 Category 2

Category 3

Fig. 3. The three categories of measurements in Mm.

extended for analyzing the observability of the system.For a measurement m, we let Mm = MLm \ m, and

investigate the redundant subset of measurements in Mm toobtain a critical set Cm. Given that m is always considered tobe part of Cm, m is always added to Cm after investigatingthe measurements in Mm. An example of the set Mm form , F2 is shown in Fig. 2. The measurements in Mm canbe grouped into three different categories: 1) flow measurementsover lines in Lm, which we denote by Mm

F ,4 2) unassignedinjection measurements over buses in Nm

1,2 ∪ Nm2,1, and 3)

assigned injection measurements over buses in Nm1,2 ∪Nm

2,1, i.e.,measurements in Mm ∩MA. A representation of this partitionis shown in Fig. 3

Since the measurements in MmF and the unassigned injection

measurements over buses in Nm1,2 ∪ Nm

2,1 (which are the firsttwo categories of measurements in Mm, as shown in Fig. 3)are redundant, they are part of Cm. For example, consider theinjection measurement, I4, over bus 4 in Fig. 2. I4 is in MF2

and is a redundant measurement since it was not assigned to anyline as part of the original tree T . Thus, I4 ∈ CF2 .

Now, when m′ ∈ Mm is assigned as part of the originalassignment function, i.e., m′ ∈Mm ∩MA (which correspondsto the third category of measurements in Mm, indicated inFig. 3), then additional investigation is needed to determinewhether m′ is redundant, and hence, whether it can be consideredin Cm. This process will explore all alternative ways of buildinga spanning tree in the subgraph in which m′ is assigned, todetermine whether m′ is a redundant measurement.

In this regard, consider that m′ ∈ Mm is assigned to a linel′, i.e., f(m′) = l′ ∈ B. If m′ is to be reassigned to a linel ∈ Lm, T m1 and T m2 will be reconnected, but since m′ wasoriginally assigned as part of the original tree, another portionof the tree gets disconnected by this reassignment of m′ to linstead of l′. Hence, m′ would be redundant and can, thus, bepart of Cm if another measurement can be used to reconnectthe subgraph which was disconnected by the reassignment ofm′ from l′ to l. In other words, m′ can be part of Cm if

4Such measurements are unassigned measurements. In fact, if m is a linemeasurement, lines in Lm would form a loop with f(m) and hence cannot bepart of the original spanning tree. Moreover, if m is an injection measurement,Mm

F would be an empty set since, otherwise, based on the spanning tree buildingmethod described in Section II-B and originally presented in [23], one of themeasurements inMm

F would have been assigned to a line in Lm, and m wouldnot have been part of MA. As a result, measurements in Mm

F are redundant.

the measurement set within the subgraph that was disconnectedby the reassignment of m′ to l instead of l′ allows buildinga spanning tree over this subgraph. This can be assessed byanalyzing the redundant measurements within this subgraph toinvestigate all other possible spanning trees which can be formed,hence, not limiting the analysis to the original spanning tree T .For example, consider the injection measurement over bus 13 inFig. 2, which we denote by I13. I13 has been assigned to line 12as part of the original spanning tree. Hence, if I13 is assignedto line 20 to reconnect T F2

1 and T F22 after measurement F2 is

removed, it cannot be assigned to line 12 anymore which willsplit T F2

1 into two subtrees, one formed by buses 12, 13 andline 19 and the other subtree composed of buses 6, 10, 1, 5and lines 13, 10, 1. We denote these two subtrees by T F2

1,1

and T F21,2 , respectively. In this respect, if another measurement

can replace I13 in reconnecting T F21,1 and T F2

1,2 , then I13 wouldbe redundant and can be assigned to line 20 and, hence, shouldbe part of CF2 . To this end, consider the injection measurementover bus 12, denoted by I12, which was not part of the originalspanning tree assignment, i.e., I12 /∈MA. I12 can be assigned toline 11 to reconnect T F2

1,1 and T F21,2 in case I13 is reassigned to line

20 instead of line 12. Hence, I13 is indeed redundant, resultingin I13 ∈ CF2 . Thus, the assignment of I12 to line 11 will lead tomodifications to T F2

1 . However, here, the goal is not to identifythe new form of T F2

1 , but rather to merely investigate whether ornot a new form of T F2

1 can be constructed using the measurementset in GF2

1 . To generalize the analysis in this example, we nextprovide a general discussion of measurements in Mm ∩ MA

(i.e., third category in Fig. 3) which allows determining whethera measurement in this set is part of Cm.

More generally, consider m′ ∈ Mm ∩MA to be a measure-ment assigned to a branch l′ = f(m′) in Bm1 , and letMm

1 be theset of measurements in Gm1 . Reassigning m′ to l ∈ Lm instead ofl′, to reconnect T m1 and T m2 , will split T m1 into two subtrees T m1,1and T m1,2. These trees, respectively, span subgraphs Gm1,1 and Gm1,2.Let Mm

1,1 and Mm1,2 be the sets of measurements in Gm1,1 and

Gm1,2. m′ can be reassigned to l only if some measurement inMm1

can reconnect T m1,1 and T m1,2. Hence, this corresponds to finding ameasurement assignment that connects the two subtrees T m1,1 andT m1,2. As discussed in Section II-B, two subtrees can be connectedby using a measurement assignment if the processing of anunassigned boundary injection in one of them reaches a nodein the other. We denote such unassigned boundary injections bybackup boundary injections, defined as follows:

Definition 4: A measurement m′′ ∈ Mm1 \ Mm

1 ∩ Mmis a backup boundary injection for a measurement m′, if m′′

is a boundary injection which can reconnect – following theboundary injection assignment procedure in [23] – the subtreesT m1,1 and T m1,2 generated by the reassignment of m′ ∈ Mm ∩MA to a line l ∈ Lm instead of its original line assignmentf(m′) = l′. The set of all such backup boundary injections forthis measurement m′ ∈Mm ∩MA is referred to as the backupboundary injection set of m′ and is denoted by Imb−m′ .

Since the tree building algorithm in [23] is based on connect-ing subtrees (i.e. tree components) – to build a full spanningtree – by starting from an unassigned boundary injection ina certain subtree (as a source) to reach a node in another

Injection Measurement

Backup Boundary Injection

General Representation

Unmatched

Matched

Fig. 4. Maximum matching over the “injection measurements - backup boundaryinjections bipartite graph”.

subtree (as a sink), this algorithm can be readily employedto identify a backup boundary injection for a measurementm′ ∈ Mm ∩ MA. To this end, to find a backup boundaryinjection of m′, we run the algorithm in [23] by starting from anunassigned boundary injection in either T m1,1 or T m1,2 and checkingwhether the algorithm reaches a bus in T m1,2 or T m1,1, respectively.As such, using the spanning tree building algorithm providedin [23, Fig. 1], one can identify the backup boundary injectionsfor each injection measurement in m′ ∈ Mm ∩MA. Here, wenote that, following our proposed method for constructing Cm, abackup boundary injection cannot be an injection measurementin Mm, since if m′′ ∈ Mm and m′′ is unassigned, m′′ willitself be part of Cm, as previously discussed.

Therefore, an assigned injection measurement m′ ∈ Mm ∩MA is a redundant measurement and is, as a result, partof Cm if it has a nonempty boundary injection set Imb−m′ .However, a boundary injection may be part of multiple backupboundary injection sets. In this regard, based on the measurementassignment rules, an injection measurement can be assigned toonly one line at a time. Hence, an unassigned boundary injectioncan act as a backup boundary injection for only one measurementin Mm ∩ MA, at a time. Thus, if two measurements m1

and m2 in Mm ∩ MA have only one and the same backupboundary injection, only one of them can be concurrently in Cm,which indicates that a critical set Cm of m may not be unique.As a result, due to this one-to-one assignment requirementbetween backup boundary injections and injection measurementsin Mm ∩ MA, finding this assignment can be performed bysolving a maximum matching problem over a bipartite graph5,as the one shown in Fig. 4. We refer to this graph as the injectionmeasurements - backup boundary injections bipartite graph.

In this bipartite graph, the left-side nodes denote the injectionmeasurements in Mm ∩ MA and right-side nodes denote theunion of their backup boundary injections,

⋃m′∈Mm∩MA

Imb−m′ ,

in which each node represents one backup boundary injection.In this bipartite graph, an edge exists between a node m′ ∈Mm ∩ MA, on the left-side of the graph, and a boundaryinjection m′′, on the right-side of the graph, if m′′ ∈ Imb−m′ .Here, we note that a boundary injection can be simultaneouslypart of different backup boundary injection sets. Hence, findingthe injection measurements in Mm ∩MA which are part of acritical set of m, Cm, requires solving a maximum matching

5A matching over a graph is a subset of edges sharing no vertices. A maximummatching is a matching having the maximum possible number of edges [26].

Algorithm 1 Critical sets step-by-step procedureInput: Power system 1-line diagram G(N ,L), measurement set M, spanning

tree T (N ,B), set of assigned measurementsMA, assignment function f(.):MA → B

Output: Critical set Cm for all measurements m ∈MA

1: for m ∈MA do2: Characterize T m1 , T m2 , Nm1,2, Nm2,1, Lm, Mm

3: Initialize Cm4: Initialize Mm

test5: Add m to Cm6: for m′ ∈Mm do7: if m′ is a flow measurement then8: Add m′ to Cm9: end if

10: if m′ is an injection measurement then11: if m′ /∈MA then12: Add m′ to Cm13: end if14: if m′ ∈MA then15: Characterize its backup boundary injection set Im

b−m′

16: Add m′ to Mmtest

17: end if18: end if19: end for20: Solve maximum matching over the “injection measurements - backup

boundary injections bipartite graph”21: for m′ ∈Mm

test do22: if m′ is a matched node as part of the maximum matching then23: Add m′ to Cm24: end if25: end for26: end for27: return Critical set Cm for all measurements m ∈MA

problem over this bipartite graph6. As a result, the matchedleft-side nodes in a maximum matching over the “injectionmeasurements - backup boundary injections bipartite graph” arethe injection measurements inMm ∩MA which will be part ofCm. Here, we note that this leads to the identification of a criticalset Cm of m, as Cm may not be unique given that a maximummatching over a bipartite graph may not be unique. Indeed, eachpossible maximum matching would lead to a different Cm.

Based on these introduced rules for building critical sets, Al-gorithm 1 provides a structured step-by-step method for buildinga critical set, Cm, for each measurement m ∈MA.

B. Example and Case Analysis

As an example of characterizing critical sets of the variousassigned measurements, as part of a spanning tree, in a powersystem, we consider the IEEE 14-bus system in Fig. 1. In thisexample, we denote an injection measurement over bus k by Ikand a flow measurement over line k by Fk. We first considerthe measurement over line 2, F2, for which we find a critical setCF2 using Algorithm 1.

From Fig. 2, we can see that removing F2 will result in split-ting the original spanning tree into two trees, T F2

1 (NF21 ,BF2

1 )and T F2

2 (NF22 ,BF2

2 ), such that NF21 = 1, 5, 6, 10, 12, 13

and NF22 = 2, 3, 4, 7, 8, 9, 11, 14 are the sets of nodes of

the two trees and BF21 = 1, 10, 13, 12, 19 and BF2

2 =4, 6, 8, 15, 9, 16, 17 are their sets of edges. These two treesspan, respectively, GF2

1 and GF22 , as shown in Fig. 2. In ad-

6The solution of a maximum matching problem over a bipartite graph can beefficiently obtained in polynomial time by transforming the matching probleminto a max-flow problem, which can be solved in polynomial time using variousknown algorithms such as Ford-Fulkerson [26].

dition, NF21,2 = 1, 5, 10, 13, NF2

2,1 = 2, 4, 11, 14, LF2 =2, 3, 7, 18, 20, and MF2 = F2, I4, I11, I2, I1, I5, I13.Now, for characterizing a critical set of F2, we explore setMF2 .

The first measurement in MF2 is F2. F2 is a flow measure-ment. Hence, F2 ∈ CF2 . The second and third measurementsin MF2 are I4 and I11. I4 and I11 are unassigned injectionmeasurements, i.e. I4 /∈MA and I11 /∈MA. Hence, I4, I11 ⊆CF2 . Indeed, I4 can be assigned to line 7 to reconnect T F2

1 andT F22 , while I11 can be assigned to line 18 for that purpose.I2 is the fourth measurement in MF2 and the last remaininginjection measurement on Nm

2,1 to be explored. I2 is an assignedmeasurement, originally assigned to line 4 as part of the spanningtree T . As I2 ∈ MA, assigning I2 to lines 2 or 3 to reconnectT F21 and T F2

2 will disconnect bus 2 from the rest of T F22 . Hence,

we next characterize the backup boundary injection set of I2, i.e.IF2

b−I2 . The only unassigned boundary injection in GF22 that is not

part ofMF2 is I7. However, using the algorithm in [23, Fig. 1],we can observe that starting from I7, the algorithm does notreach bus 2. Hence, bus 2 cannot be reconnected to the rest ofT F22 using any unassigned boundary injections over buses in GF2

2 .Hence, IF2

b−I2 = ∅, and as a result F2 /∈ CF2 . Similarly, exploringI1 and I5 – the fifth and sixth measurements in MF2 – whichare both assigned measurements, i.e. I1, I5 ⊆ MA, showsthat they both have empty backup boundary injection sets7, i.e.IF2

b−I1 = ∅ and IF2

b−I5 = ∅. Hence, neither I1 nor I5 are part ofCF2 . The only remaining measurement in MF2 is I13. I13 is anassigned measurement, I13 ∈ MA. As previously discussed inSection III-A, when I13 is reassigned to line 20 to reconnect T F2

1

and T F22 , the subtree containing buses 12 and 13 and line 19 gets

disconnected from the rest of T F21 . Hence, we next characterize

the backup boundary injection set of I13, i.e. IF2

b−I13 . To thisend, I12, the only unassigned boundary injection measurementin GF2

1 , can be assigned to line 11 to reconnect the two subtrees,and is the only boundary injection which can do so. Hence,IF2

b−I13 = I12. As a result, the “injection measurements -backup boundary injections bipartite graph” is composed of onlyI13 on the left-side connected to IF2

b−I13 = I12 on the right-side. Hence, I13 is matched to the backup boundary injectionI12. As a result, I13 ∈ CF2 . The processing of MF2 is thuscomplete, resulting in CF2 = F2, I4, I11, I13.

Similarly, Algorithm 1 can be carried out to characterizecritical sets of all of the measurements in MA in the IEEE14-bus system in Fig.1. The results are listed in Table II.

We next discuss the value of critical sets with regard to under-standing and analyzing observability attacks. We also introducethe concept of observability sets, a generalization of critical sets,which provides a holistic modeling of observability attacks.

Notation: We use the following notation in the derivationsthat ensue. For the Jacobian matrix H , we let H(−K)+(K′)

correspond to H but with the removal of the rows correspondingto measurements in K and the addition of rows correspondingto measurements in K′.

7If I1 or I5 are to be reassigned to lines 2 or 3, respectively, to reconnectT F21 and T F2

2 , each of these reassignments will split T F21 into two subtrees

which cannot be reconnected using the unassigned boundary injection I12, ascan be shown by a run of the algorithm in [23, Fig. 1]. Here, we note that I12is the only unassigned boundary injection in GF2

1 .

TABLE IICRITICAL SETS OF THE MEASUREMENTS INMA .

Measurement (m ∈MA) Critical Set (Cm)F2 F2, I4, I11, I13F8 F8, I4, I7, I9F9 F9, I4, I7, I11, I13F15 F15, I7I1 I1, I4, I11, I13I2 I2, I4, I11, I13I3 I3, I2, I4I5 I5, I11, I13I6 I6, I11I9 I9, I11I13 I6, I12, I13F17 F17, I9, I13F19 F19, I6, I12

C. Critical Sets and Observability

Next, we show that the derived critical sets are indispensablefor modeling observability attacks. In this regard, we show thatthe removal of a critical set renders the system unobservable. Theproof is carried out using two approaches: 1) A graph-theoreticapproach presented in Theorem 1 and showing that no spanningtree could be build over G when a critical set is removed, and2) an approach based on linear algebra, presented in Theorem 2,where we will prove that the rank of the Jacobian matrix of thepower system graph G, when not considering the measurementsin a critical set (i.e. after the removal of a critical set), is strictlyless than N − 1 (we, in fact, prove that the rank of the Jacobianmatrix becomes N − 2), making the Jacobian matrix not fullcolumn rank and leading the system to become unobservable.These two approaches are presented next.

1) Proof by Graph-Theoretic Arguments:Theorem 1: Removing a critical set, Cm, renders the system

unobservable.Proof: By topological observability, we know that a system

is observable if and only if a spanning tree could be formedusing an assignment function. Hence, given that Gm1 and Gm2 aretwo disjoint subgraphs of G, any spanning tree over G must atleast assign one measurement to a line in Lm. Otherwise, thistree would not span the whole system.

When m is removed, the original spanning tree T is split intotwo disjoint trees T m1 and T m2 , spanning subgraphs Gm1 andGm2 , respectively. This makes each of Gm1 and Gm2 observable.However, it does not make the whole system observable asthere is a need to connect Gm1 and Gm2 . By definition of Cm,removing Cm makes it impossible to connect Gm1 and Gm2 , byany measurement assignment, as Cm contains all measurementswhich could be assigned to a line in Lm without losing theobservability within one of the two subgraphs. In fact, if Cmis removed, based on Proposition 1, for any measurement tobe assignable to a line in Lm it must be in MLm \ Cm, inorder to either connect T m1 and T m2 or interconnect disjointcomponents of T m1 and T m2 (or disjoint tree components withineach of Gm1 and Gm2 ) to span the entire G. However, none ofthese measurements in MLm \ Cm can be assigned to a linein Lm, as none of these measurements is redundant. In fact, ifany of these measurements in MLm \ Cm were redundant, thismeasurement would have been part of Cm, as otherwise, it wouldhave contradicted the maximality property of Cm. As such, if Cm

is removed, G would contain no spanning tree that could be builtaccording to the rules of Proposition 1, which makes the systemunobservable.

2) Proof by Linear Algebra:In addition, we prove in the next theorem (Theorem 2) that

removing a full critical set decreases the rank of the Jacobianmatrix by 1, which as a result makes the system unobservable.However, we first present the following preliminary lemma,which is essential for the proof of Theorem 2.

Lemma 1: Let m ∈ M be an injection measurement over abus η that is assigned to a line l, f(m) = l. Then, replacingm by a hypothetical line flow measurement m′ over line lwill not affect the rank of matrix H . In other words, letH(−m)+(m′) be the the Jacobian matrix with the removal ofthe row corresponding to measurement m and the addition ofthe row corresponding to the hypothetical measurement m′, thenrank(H) = rank(H(−m)+(m′)).

Proof: Since m is assigned, i.e. is part of an originalspanning tree measurement assignment, removing it will splitthe original spanning tree into two subtrees T m1 and T m2 . If m′

existed, m′ can reconnect T m1 and T m2 , as it is a measurementover line l, which is part of Lm. Hence, replacing m by m′

will not affect the connectivity of the spanning tree and, hence,rank(H) = rank(H(−m)+(m′)).

Theorem 2: For m ∈ MA, removing Cm results inrank(H(−Cm)) = rank(H) − 1, which makes the system un-observable.

Proof: Since the system is originally fully observable,rank(H) = N − 1. Now, let Mm

1 and Mm2 be the mea-

surement sets in subgraphs Gm1 and Gm2 , respectively, and letH

(−Cm)1 and H

(−Cm)2 be the Jacobian matrices of Gm1 and Gm2 ,

respectively, composed of measurements in Mm1 \ Mm

1 ∩Cmand Mm

2 \ Mm2 ∩ Cm. Since T m1 and T m2 respectively span

Gm1 and Gm2 , this implies that rank(H(−Cm)1 ) = Nm

1 − 1 andrank(H(−Cm)

2 ) = Nm2 − 1. In addition, let m′ ∈Mm

1 \ Mm1 ∩

Cm be an injection measurement over a bus in Nm1,2. Since

m′ ∈ Mm1 \ Mm

1 ∩ Cm, then m′ is assigned to a certainbranch b′ = f(m′) ∈ T m1 ; otherwise, m′ would have also beenin Cm. By Lemma 1, m′ can be replaced by a hypothetical lineflow measurement over b′ without affecting the rank of H(−Cm)

1 .As such, let H

(−Cm)′

1 be the same as H(−Cm)1 but replacing

any row corresponding to an injection measurement in Nm1,2 by

its corresponding hypothetical line flow measurement. The samecan be done to form Jacobian matrix H

(−Cm)′

2 from H(−Cm)2 .

By Lemma 1, rank(H(−Cm)′

1 )=rank(H(−Cm)1 ) = Nm

1 − 1 andrank(H(−Cm)′

2 )=rank(H(−Cm)2 ) = Nm

2 − 1.

Now, let us return to H(−Cm). By rearranging its elementsto include first the measurements in Mm

1 \ Mm1 ∩ Cm then

the elements of Mm2 \ Mm

2 ∩ Cm, H(−Cm) can be written as

H(−Cm) =

[H

(−Cm)1

H(−Cm)2

]. In this respect,

rank(H(−Cm)) = rank([

H(−Cm)1

H(−Cm)2

])= rank

([H

(−Cm)′

1 0

0 H(−Cm)′

2

])= (Nm

1 − 1) + (Nm2 − 1)

= N − 2 = rank(H)− 1.

Therefore, rank(H(−Cm)) = N − 2 < N − 1⇒H(−Cm) is notfull column rank ⇒ the system becomes unobservable after theremoval of any critical set Cm.

3) Analysis and Discussion:Theorem 2 shows the effect of the removal of a single critical

set on the rank of the Jacobian matrix. Theorem 1 and Theorem 2provide key conditions for observability of the power systemunder observability attacks. In fact, the contrapositives of thesetheorems show that if a power system is fully observable,then the investigated observability attack (i.e. the removal ofmeasurements) did not result in removing a full critical set. Inaddition, using Theorem 1 and Theorem 2, we can also show thata critical set Cm is a minimal set of measurements including mwhich when removed renders the system unobservable. In fact,as shown in Theorem 1 and Theorem 2, removing Cm rendersthe system unobservable while, if all measurements in Cm areremoved except for one arbitrary measurement m′, the systemwould still remain observable. In fact, by Definition 3, this m′

can be assigned to a line l ∈ Lm to connect Gm1 and Gm2 , whilehaving a spanning tree over each of Gm1 and Gm2 , which leads toa spanning tree over G(N ,L) and makes the system observable.

Moreover, based on Theorem 1 and Theorem 2, the criticalmeasurements8 of a power system can be characterized using thenotion of critical sets, as shown in the following corollary.

Corollary 1: m is a critical measurement if and only if itsonly critical set is Cm = m.

Proof: By definition, if m is a critical measurement, remov-ing it will render the system unobservable. Hence, if the criticalset of m is such that Cm ⊃ m, then removing m would not affectthe observabilty of the system since any other measurementm′ ∈ Cm \ m can be used to replace m and reconnect thetree. As such, Cm ⊃ m ⇒ m is not a critical measurement,which proves the contrapositive: m is critical ⇒ m is the onlyelement in its critical set, i.e. m = Cm. Conversely, if m is theonly element in its critical set, its removal constitutes removinga complete critical set, which by Theorem 1 and Theorem 2,renders the system unobservable. As a result, Cm = m ⇒m is a critical measurement. Thus, m is critical if and only ifCm = m.

Next, we extend this concept to account for the interconnectionbetween multiple critical sets.

D. Observability Sets

For a measurement m′ to be in a critical set of a measurementm, i.e. m′ ∈ Cm, a critical set of m′, Cm′

, must contain measure-ments other than m′, i.e. Cm′ ⊃ m′. Otherwise, m′ would not

8In power systems, a critical measurement is a single measurement whichwhen removed renders the system unobservable [8].

be redundant. For example, consider injection measurements I6and I9. Removing I6 and I9 will render the system unobservable– even though I6 and I9 do not form a critical set – sinceCI6 = I6, I11 and CI9 = I9, I11. As such, if I6 is removed,I11 can be used to replace I6 since I11 ∈ CI6 . However, if I9is also removed, even though I11 ∈ CI9 , I11 cannot be usedto replace I9 since I11 has already been used as a replacementto I6. Therefore, removing I9 and I6 does render the systemunobservable. Indeed, rank(H−(I6)−(I9)) = 12 < N − 1 = 13.This concept can be extended to the interconnection betweenmultiple critical sets. For example, consider F2, I1, I2, and I5and their critical sets shown in Table II. We can see that F2,I1, and I2 have critical sets sharing measurements I4, I11, andI13. Hence, if F2, I1, and I2 are removed, I4, I11, and I13 areassigned, one to each of these measurements, to preserve systemobservability and, hence, cannot be used as part of further criticalsets in case further measurements are removed. Hence, sinceCI5 = I5, I11, I13, removing F2, I1, I2 and I5 will renderthe system unobservable, even though F2, I1, I2, I5 is not acritical set.

In this respect, the concept of critical sets must be furtherdeveloped to yield a general graph-theoretic concept of observ-ability attacks. To this end, we define a graph, dubbed “criticalsets - system measurements bipartite graph”, as follows:

Definition 5: A critical sets - system measurements bipartitegraph (CS-SMBG) is a bipartite graph in which each left-handside node represents one of the critical sets of the power system(such that the set of left-hand side nodes include only one criticalset Cm for each m ∈ MA), and the right-hand side nodesrepresent the entire measurement set M such that each right-hand side node represents one measurement in the measurementset M. In this respect, an edge between a critical set Ci and ameasurement j exists if j ∈ Ci.

An example of this bipartite graph is shown in Fig. 5. Here,we note that since a critical set Cm might not be unique, differentversions of a CS-SMBG can be constructed for a single powersystem, depending on the choice of a critical set for each m ∈MA, which depends on the choice of the assigned measurementsMA (associated with the original spanning tree T ). Based onthis formulation, a general concept of observability is establishedin Theorem 3.

Theorem 3: If the system is observable, then any maximummatching over any CS-SMBG must include all of the critical setsof this CS-SMBG.

Proof: We prove this theorem by proving its contrapositivewhich is the following: if a maximum matching does not includeall of the critical sets of a certain CS-SMBG (i.e. at least onecritical set is unmatched in a maximum matching over this CS-SMBG), then the system is not observable.

The contrapositive can be proven as follows. As defined inDefinition 3, a critical set Cm consists of a maximal set of mea-surements which can be assigned to a line in Lm to connect twosubgraphs of the power system graph, namely, Gm1 (Nm

1 ,Lm1 )and Gm2 (Nm

2 ,Lm2 ), while preserving the ability to constructspanning trees over each of Gm1 (Nm

1 ,Lm1 ) and Gm2 (Nm2 ,Lm2 )

using measurements in Mm1 ∪ Mm

2 \ Cm. Consider that anumber of measurements in the system are unavailable (i.e.

attacked) so that the remaining measurements are not enoughto include all critical sets in a maximum matching. Without lossof generality, we consider Cm to be an unmatched critical set.

When Cm is not part of a maximum matching over a CS-SMBG, then either 1) all of the measurements in Cm wereremoved (i.e. attacked and are not available), or 2) other mea-surements in the system were removed so that not enough mea-surements remain to match all critical sets (i.e. all measurementsin Cm are matched to other critical sets).

Now, if none of the measurements in Cm could be matched toCm ⇒ no measurement in Cm could be assigned to a line in Lmsince a measurement can be assigned to one line at a time ⇒Gm1 (Nm

1 ,Lm1 ) and Gm2 (Nm2 ,Lm2 ) could not be connected while

preserving the observability within each of Gm1 (Nm1 ,Lm1 ) and

Gm2 (Nm2 ,Lm2 ) (i.e., concurrently having a spanning tree over

each of Gm1 and Gm2 ) ⇒ a spanning tree over the power systemgraph G(N ,L) could not be constructed through measurementassignments ⇒ the power system is unobservable. This thenproves the contrapositive of this theorem and, hence, proves thetheorem.

Theorem 3 can be used to fully characterize observabilityattacks as follows. An observability attack is one in whichmeasurements are removed (i.e. nodes from the right-side ofa CS-SMBG) such that any maximum matching over this CS-SMBG would not include at least one critical set (i.e. nodeson the left-side of a CS-SMBG), which renders the systemunobservable. This applies to any CS-SMBG, that is built fromany set of critical sets (containing a critical set for each assignedmeasurement), that are derived from any original spanning treeT . This, as a result, provides a general analytical characterizationof observability attacks and enables prediction of the effect ofthe removal of a subset of measurements on the observability ofthe system. This enables identifying security indices such as theobservability attack of lowest cardinality or the minimal set ofmeasurements to remove in addition to a certain measurementto make the system unobservable. In what follows, we focuson stealthy data injection attacks – proving that they are asubset of observability attacks – and we show how our pro-vided analytical characterization of observability attacks enablesanalysis of various widely-studied stealthy data injection attackproblems. To this end, we introduce sets of measurements,dubbed observability sets, as follows, which are valuable for theanalysis of data injection attacks which ensues.

Definition 6: For a CS-SMBG, an observability set S ∈ M isa set of measurements such that removing S leads a maximummatching over this CS-SMBG not to include a certain criticalset.

In this regard, adding any measurement s ∈ S , which wasremoved, back to the right-side of this bipartite graph will resultin re-including the previously unmatched critical set in thismaximum matching. In addition, removing all of S except forone measurement s ∈ S will not lead to excluding any criticalset from a maximum matching over the CS-SMBG (resultingin a perfect matching). We note that multiple observability setsmay exist for a CS-SMBG, as the removal of a different set ofmeasurements may lead to the exclusion of a different criticalset from a maximum matching over this graph. Here, we note

that an observability set is associated with the CS-SMBG fromwhich it was derived. A different CS-SMBG (resulting from adifferent set of critical sets, originating from a different originalspanning tree) would result in different observability sets.

A union of observability sets for a CS-SMBG is defined asa set of measurements composed of a number of observabilitysets such that, when each of these sets is successively removed,each such removal leads to excluding one additional critical setfrom being part of a maximum matching over the CS-SMBG.Adding back any of the removed measurements to the right-side of the bipartite graph will result in re-including one ofthe unmatched critical sets in the previously obtained maximummatching. Note that with the successive removal of observabilitysets, observability sets are defined based on the updated state ofthe CS-SMBG after the removal of a previous observability set ata previous step. In addition, at each step, multiple observabilitysets may exist. These observability sets play a crucial role incharacterizing stealthy data injection attacks, as shown next.

We next introduce stealthy data injection attacks and prove thatthey are a variant of our introduced observability attacks. Thisenables further studying and solving various problems related toSDIAs using our developed analytical tools.

IV. STEALTHY DATA INJECTION ATTACKS

A. Stealthy Data Injection Attacks

Recalling the measurement-state equation in (1), data injec-tion attacks aim at replacing the measurement vector, z by amanipulated measurement vector za = z+a, where a ∈ Rm isthe attack vector, resulting in a new state estimate xa. However,typically, the state estimation process is run in conjunction withwhat is known as a bad data detector and identifier (BDD).The BDD aims at detecting and identifying the presence ofoutliers in the collected data set, so that such outliers can beremoved preventing them from affecting the estimation outcome.Such BDDs rely on the statistical analysis of what is known asmeasurement residuals, r, defined as [8]:

z = Hx = Sz, r = z − z = (In − S)z = Wz, (4)

where S = H(HTR−1H)−1HTR−1 and W = In − S.A statistical analysis on the residuals enables analysis of the

magnitudes of the errors associated with each measurement, andhence, allows the identification of outliers [8]. Regarding datainjection attacks, when data is added to certain measurements,the adversary aims at keeping the residuals unchanged, so thatthe attack cannot be detected by the BDD. Indeed, as shownin [27], an attack vector that falls in the column-space of theJacobian matrix H , i.e. a = Hc, cannot be detected by residualstatistical analysis. Indeed, for a = Hc,

ra = W (z + a) = r +Wa = r +Hc−Hc = r. (5)

As such, given the weighted least squares state estimationequation in (2), the attack vector a = Hc generates an arbitrarynew state estimate xa = x+ c by choosing the constant vectorc without inducing any changes to the residual vector, as shownin (5). Such DIAs are, hence, stealthy and are referred to asstealthy DIAs. The ability of SDIAs to stealthily manipulatethe state estimates poses various challenges to the operation

of the grid. Hence, understanding and modeling such attacks isindispensable to the secure and sustainable operation of powersystems. To this end, we next introduce a holistic graph-theoreticmodeling of SDIAs that is based on the graph-theoretic modelingof observability attacks introduced in Section III.

B. Graph-Theoretic Modeling of SDIAs

The observability attacks and observability sets introduced inSection III provide the basis for a graph-theoretic interpretationof SDIAs as will be shown in Theorem 4. However, beforeintroducing and proving Theorem 4, we introduce a preliminarylemma which will be used in the proof of Theorem 4.

Lemma 2: If a DIA is stealthy (i.e. a = Hc), then removingthe attacked measurements renders the system unobservable.

Proof: Since the attack vector a is stealthy, then a = Hc.Since H is of full rank, then the only solution to Hc = 0 isc = 0. Hence, a = Hc has zero and nonzero elements forc 6= 0. Now, if all of the rows of H corresponding to nonzeroelements of a are removed to form matrix Hnew, then, this resultsin anew = Hnewc = 0 for c 6= 0. Hence, Hnew is not of full rankand the power system whose Jacobian matrix is given by Hnewis unobservable. Therefore, when the attack is stealthy, removingthe attacked measurements renders the system unobservable.

Here we note, that the result of Lemma 2, provides a onedirectional relation stating that if a = Hc, i.e. the attack isstealthy, then the removal of the nonzero elements of a, i.e. theattacked measurements, causes the system to be unobservable.However, the reverse direction does not always hold true. Indeed,the reverse statement of Lemma 2 states that, if removing aset of measurements renders the system unobservable, then thisguarantees that a stealthy DIA can be constructed which targetsall of these measurements, and only these measurements. Wenext provide a counter example which proves that this reversestatement does not hold true. In this regard, we consider the

Jacobian matrix H to be represented as follows: H =

[H0

H1

].

We let M0 and M1 represent the subset of measurementscorresponding to the rows of H0 and H1, respectively. ConsiderM0 to contain one critical measurement, i.e., one row of H0 isindependent of all of the other rows of H . As such, removing thesubset of measurementsM0 renders the system unobservable. Inaddition, consider two measurements m0 ∈ M0 and m1 ∈ M1

such as m0 measures the power flow from bus i to bus j and m1

measures the power flow from bus j to bus i (i.e., m0 and m1 areinstalled on the same transmission line but measure the flow intwo opposite directions). In this regard, let h0 and h1 correspondto the rows of m0 and m1 in, respectively, H0 and H1. Then, wehave9 h0 = −h1. As a result, one cannot find a stealthy attack

vector a =

[a0

a1

]=

[H0

H1

]c, in which all the elements of

a0 are nonzero and all the elements of a1 are zero, since ifh0c 6= 0, then h1c 6= 0, due to the fact that h0 = −h1. Thisimplies that for the attack to target all the measurements in M0

and be stealthy, this attack must also target measurements inM1.Otherwise, this attack must be limited to a strict subset of M0

and may not target all the measurements inM0. As a result, even9Since Pij = −Pji, where Pij and Pji are the real power flow from bus i

to bus j and from bus j to bus i, respectively, over the same transmission line.

though removing the measurements in M0 renders the systemunobservable, one cannot necessarily construct a stealthy attackvector that only targets all the measurements inM0. Hence, thisprovides a counter example of the reverse statement of Lemma 2proving that this reverse statement does not always hold true.

Theorem 4: A DIA is stealthy if and only if the attackedmeasurements constitute a union of observability sets over acertain CS-SMBG.

Proof: We begin by proving that when the attacked measure-ments (i.e. nonzero elements of the attack vector a) constitutea union of observability sets, then a is stealthy (i.e. a can berepresented as a = Hc). As shown in Theorem 3, when anobservability set (equivalently, a union of observability sets) isremoved, the system is unobservable. Hence, consider an observ-ability set S which has been removed. Let H(−S) be the system’sJacobian matrix without the measurements in S and let C be thecritical set which cannot be part of a maximum matching over theCS-SMBG when S is removed. Since the system is unobservablewhen removing S, H(−S)y = 0 for a y 6= 0. However, theaddition of any measurement s ∈ S will reinclude C in themaximum matching over the CS-SMBG, and hence, reconnectthe tree. As such, let H(−S)+(k) correspond to H(−S) with theaddition of a row corresponding to a measurement k ∈ S. Inthis regard, since the system is rendered observable, H(−S)+(k)

is of full rank and H(−S)+(k)y will have one nonzero elementcorresponding to the row of H(−S)+(k) pertaining to the addedmeasurement k. This procedure can be repeated for all k ∈ S. Assuch, adding the rows corresponding to S back to the Jacobianmatrix results in b = Hy in which only the elements of bcorresponding to measurements in S are nonzero. As a result,a = b is an attack vector in which only the observability set Sis attacked and is proven to be stealthy.

Now, we prove that, when an attack is stealthy, i.e. a = Hc,then the nonzero elements of a correspond to a union ofobservability sets. In this regard, from Lemma 2, we know thatremoving the nonzero elements of a = Hc will render thesystem unobservable, which implies that the nonzero elementsof a contain at least one observability set. Let S denote thisobservability set, and let H(−S) be the system’s Jacobian matrixwithout the measurements in S. Removing S will lead to twosubsystems each of which is fully observable (i.e. it will split thespanning tree, T , into two subtrees each of which spans its ownsubgraph). Let H1 and H2 be the Jacobian matrices of each ofthese two subsystems (we denote these subsystems as subsystem1 and subsystem 2) and let a1 and a2 correspond to the portionsof a (excluding the measurements of the previously removedobservability set) corresponding to the measurements in H1 andH2, respectively. In addition, let c1 and c2 correspond to theportions of c pertaining to nodes in subsystem 1 and subsystem2, respectively. Now, if ai for i ∈ 1, 2 has nonzero elements,this implies that removing these elements will make subsystemi unobservable, which implies that the nonzero elements of aicontain an observability set. Following this same logic, removingthis observability set will subsequently split subsystem i into twosubsystems, each of which is observable. This process can becontinued recursively until no measurement m corresponding toa nonzero element of a remains. Hence, this shows that when

I1

I3

F2

Critical Set MeasurementsF2

I5

I2

F8F9

I1I2I3I4I11I13

I7I9

I5

F8

F9

I1

I3

F2

Critical Set MeasurementsF2

I5

I2

F8F9

I1I2I3I4I11I13

I7I9

I5

F8

F9

UnmatchedMatched

Maximum matching

AttackedUncompromised

Pre-attack Post-attack

CCCCCCC

CC

CC

C

C

C

Fig. 5. Critical sets - system measurements maximum matching and SDIAs.

a = Hc, then the nonzero elements of a correspond to a unionof observability sets.

This proves both directions of the theorem, and hence, con-cludes the proof.

Theorem 4 provides an analytical graph-theoretic modelingof SDIAs using the fundamentals of observability attacks intro-duced in Section III. This enables a fundamental understandingof SDIAs since it allows the characterization of the subset ofmeasurements which would be compromised as part of an SDIAand hence enables defense against such attacks. In addition, thisanalytical characterization of SDIAs enables a more in-depthanalysis of such integrity attacks and allows a characterizationof analytical solutions to a wide-range of well-studied problemsin this field, as will be explored in Section IV-C.

Example 1: As an illustrative example of the result10 inTheorem 4, we consider the IEEE 14-bus system, shown inFig. 1, whose line transmission data can be found in [28]. Weconsider the stealthy attack a = Hc with c = [1, 0, ..., 0]T ,which corresponds to having the attack vector equal to thefirst column of the Jacobian matrix H given by H(:, 1) =[−16.9, 0, 0, 0,−16.9, 33.37,−5.05,−5.67,−5.75, zeros(1, 8)]T .This attack consists of attacking measurement indices1, 5, 6, 7, 8, 9 which correspond to F2, I1, I2, I3, I4, I5.In this respect, we next verify whether this attack is stealthy,following Theorem 4. To this end, Fig. 5 shows a portion of theCS-SMBG that is relevant to the attacked measurements. Thepost-attack portion of Fig. 5 marks the nodes corresponding tomeasurements F2, I1, I2, I3, I4, I5, on the right-side of thebipartite graph, as attacked (following the attack vector a). Asa result, all the edges connecting these nodes to the criticalsets on the left-side of the bipartite graph are removed. Then,building a maximum matching over the post-attack bipartitegraph shows that, indeed, not all the critical sets are matched.Hence, the removed measurements lead to a maximum matchingthat does not include all critical sets. Furthermore, the additionof a node corresponding to any of the attacked measurements,i.e. F2, I1, I2, I3, I4, I5, would lead to reincluding one ofthe unmatched critical sets CF2 , CI3 , CI5 in the maximummatching. This implies that the attack consists of a union ofobservability sets which implies that the attack is stealthy.

C. Unified Analysis of Diverse SDIA Problems

Theorem 4 provides a unified basis for studying various SDIAproblems from a graph-theoretic perspective, as show next.

10In this example, we index the measurements in Fig. 1 from1 to 17 in an incremental manner based on the following order(F2, F8, F9, F15, I1, I2, I3, I4, I5, I6, I7, I9, I11, I12, I13, F17, F19).

SDIA analyses can be categorized based on whether the focusis on modeling the attack or the defense strategies. As such, wefirst present two problems focusing on modeling attack strategiesfollowed by two problems focusing on the derivation of defensestrategies to thwart SDIAs.

1) Modeling SDIA Attack Strategies: Modeling SDIA attackstrategies enables a vulnerability assessment of the system andallows anticipating sophisticated attack strategies which cantarget the system. This, in turn, allows the derivation of adequatedefense strategies to thwart such attacks. We next focus on twoproblems which aim at modeling potential attack strategies.

Problem 1: If measurement k ∈ M is attacked, what is aminimal set of measurements which must be attacked along withk for the attack to be stealthy? In other words, Problem 1 seeksa solution to the following optimization problem:

minc||Hc||0,

subject to: H(k, :)c = 1. (6)

Problem 1 has been proposed in [13] and studied in [14]and [15]. The derived solution in [14] is based on an approximaterelaxation method while the solution in [15] focuses on thespecial case assuming that the measurement set consists of all in-jection measurements at all buses and all line flow measurementsat all transmission lines. Instead, here, we provide a generalgraph-theoretic characterization of a solution to this problemusing our developed framework. We note that the goal of thisanalysis here is not to determine and analyze the computationalefficiency of deriving a solution to Problem 1 but rather toanalytically characterize a solution to this problem using ourdeveloped graph-theoretic framework11.

An analytical graph-theoretic solution to Problem 1 is charac-terized in Theorem 5.

Theorem 5: A stealthy attack of smallest cardinality contain-ing measurement k corresponds to attacking the measurementsof the critical set of lowest cardinality which contains k.

Proof: First, we show that the attack containing the criticalset of lowest cardinality containing k is, indeed, stealthy. Then,we prove that this attack is a stealthy attack containing k thathas a minimum cardinality.

By Theorem 4, for the attack to be stealthy, the removalof the attacked measurements must lead a maximum matchingover a CS-SMBG not to include all the critical sets (i.e. allthe left-side nodes of the bipartite graph). In other words, theattack must be composed of a union of obseravbility sets. In thisrespect, removing the critical set containing k that is of smallestcardinality is, indeed, stealthy since removing an entire criticalset will disconnect the node corresponding to this critical set (onthe left-hand side of the CS-SMBG) from the right-side of thebipartite graph, which prevents this critical measurement frombeing part of any maximum matching.

Next, we prove that there are no stealthy attacks containingk that have a smaller cardinality. In this regard, for an attackcontaining k to be stealthy, it must prevent a critical set, inwhich k exists, from being part of a maximum matching over acertain CS-SMBG. A critical set would be excluded from sucha maximum matching in two cases: 1) if all the measurements

11Exact complexity analysis can be an interesting subject for future work.

in this critical set are attacked, or 2) if all the measurements inthis critical set are matched to other critical sets.

In the first case, considering attacking all the measurementsin a critical set, then attacking the critical set that has thefewest number of measurements – as stated in this theorem –corresponds to the minimum cardinality attack for this specificCS-SMBG. As for the second case, if a measurement k′ in acritical set containing k is matched – as part of a maximummatching – to another critical set (we denote this set by Cp), thenmeasurement p must be attacked since, otherwise, Cp would havebeen matched to p sparing k to be matched to another criticalset to maximize the cardinality of the matching. In other words,matching a critical set Cp with a measurement k′ 6= p while p isnot attacked is contradictory to the assumption that this matchingis maximum. As a result, for a critical set C, such that k ∈ C, tobe discarded from a maximum matching, every measurement in Cmust be matched to another critical set. This implies that at leastone measurement of each of these critical sets is attacked. Thus,the number of attacked measurements will be at least equal to thenumber of measurements within C for the attack to be stealthy.Consequently, for a certain CS-SMBG, attacking the critical setthat has the fewest number of measurements and which containsk is a SDIA containing k having the lowest cardinality. As aresult, considering all possible CS-SMBGs, obtained from anyset of critical sets that were derived from any original tree, andconsidering the minimum-cardinality critical set containing k ineach one of these CS-SMBGs leads to the following result:a stealthy attack containing k that has the lowest cardinalityconsists of attacking only the measurements of the critical setcontaining k that has the lowest cardinality, considering all suchcritical sets derived from any possible original spanning tree.

Here, one can also conclude that the solution to Problem 1may not be unique since a critical set containing k of minimumcardinality may not be unique. Thus, any critical set containingk, whose cardinality is less than or equal to any other criticalset containing k, is a solution to Problem 1. In addition, anumerical derivation to the solution of Problem 1 requiresexploring all possible spanning trees over G. This could beperformed, for example, based on a repeated application of thespanning tree building algorithms proposed in [23]–[25], amongother techniques. However, our goal here is to provide a graph-theoretic characterization to the solution of Problem 1, ratherthan proposing algorithms to numerically obtain this solution.This latter end goal would highly complement the results of thecurrent work and is left to be explored in future extensions.

Characterizing the solution to Problem 1 will also facilitatesolving another key SDIA problem, referred to as Problem 2,and stated as follows.

Problem 2: What is the SDIA with the lowest cardinality? Inother words, which SDIA is a solution to:

mina||a||0,

subject to: a = Hc. (7)

A solution to Problem 2 is provided in Proposition 2.Proposition 2: A stealthy attack of lowest cardinality consists

of attacking the smallest critical set.

Proof: This proof follows directly from the proof of Theo-rem 5. Indeed, since the stealthy attack containing measurementk that is of smallest cardinality corresponds to the critical set oflowest cardinality containing k, searching for a global stealthyattack of lowest cardinality can be limited to only critical sets,considering the set of critical sets originating from each possibleoriginal spanning tree. Based on this fact, a stealthy attack oflowest cardinality is the one in which the measurements in thecritical set of lowest cardinality are the only measurements thatare attacked (the only measurements having nonzero correspond-ing elements in the attack vector a).

As multiple critical sets may have the same cardinality, thesolution to Problem 2 may not be unique.

2) Modeling SDIA Defense Strategies: Using our introducedgraph-theoretic framework, two fundamental widely-studiedproblems for defending the system against SDIAs are presentedand investigated, next, in Problem 3 and Problem 4.

Problem 3: What is the minimum set of measurements thatmust be protected (i.e. made immune to SDIAs) to guarantee noSDIAs can be successful?

The solution to Problem 3 is presented in Theorem 6.Theorem 6: A minimum set of measurements that must be

protected to guarantee that no SDIA can be successful consists ofprotecting all measurements in MA, i.e. all measurements thatare part of the original assignment function forming a spanningtree over the power system.

Proof: Protecting all the measurements inMA will guaran-tee that these measurements will be part of the Jacobian matrixH . Since these measurements form a spanning tree over thepower system, their rows in H are linearly independent. Assuch, let HA be the Jacobian matrix corresponding only tomeasurements in MA, then HAc = 0 has no solution otherthan c = 0. The rows of HA are a subset of the rows of H .As such, one cannot find an attack vector a = Hc such thatall the elements of a corresponding to the rows of HA arezero. Hence, one cannot find a stealthy attack a = Hc whichdoes not attack the measurements inMA. As a result, protectingthese measurements will guarantee that no stealthy attack can becarried out. This set is a minimum set since if one measurementm ∈MA is not protected, a SDIA can be successfully launchedby attacking the critical set Cm (by definition of a critical set, nomeasurement in Cm is part of MA except for m, which makesattacking Cm valid). Hence, protecting the system against anySDIA requires at least defending N − 1 linearly independentrows of H , which constitute the assigned measurementsMA ofT .

Note that, the solution to Problem 3 may not be unique, sincethe subset of measurements which can be assigned to lines toform a spanning tree over G(N ,L) is not necessarily unique.However, by Theorem 6, we can find one of the solutions toProblem 3. Starting from a different spanning tree, and followingthe same steps, would result in another valid solution to Problem3. All these solutions have the same minimum cardinality.

Characterizing a solution to Problem 3 provides importantinformation regarding the size of investments needed to makea power system immune to SDIAs. In this regard, regardless ofhow high the number of measurements in an N -bus system is,

the number of measurements that must be protected to renderthe system immune to SDIAs is always equal to N − 1.

Example 2: Applying the results in Theorem 6 to our treatedIEEE 14-bus system case analysis, protecting the measurementsin the first column of Table II is a set of measurements ofminimum cardinality which when protected renders the IEEE14-bus system in Fig. 1 immune to any SDIA.

Theorem 4 can be used to characterize a solution to Problem4 which was proposed in [16] and which is presented next.The work in [16] focused on deriving an l1 relaxation and anapproximate numerical solution of the corresponding optimiza-tion problem. Here, we focus on an analytical analysis of thisproblem.

Problem 4: What is a minimum set of measurements to protectas to force the attacker to manipulate at least τa measurementsto stay stealthy?

A solution to Problem 4 is presented in Proposition 3.Proposition 3: Consider MCS-SMBG

τa to be a set of measure-ments including one distinct measurement from each critical setwhose cardinality is lower than τa for a certain CS-SMBG. Then,a minimum set of measurements to protect so that no attack withcardinality ||a||0 < τa can be stealthy, corresponds to findinga minimum set of measurements whose elements include, oneMCS-SMBG

τa for each possible CS-SMBG.Proof: For a certain CS-SMBG and following from The-

orem 4, for an attack with cardinality lower than τa to bestealthy, the attacked measurements must constitute a union ofobservability sets, whose cardinality must be lower than τa.Hence, if all critical sets whose cardinalities are lower thanτa are guaranteed to be matched in any maximum matchingover this CS-SMBG, attacking a union of observability sets ofcardinality lower than τa would be made impossible. This couldonly be achieved by securing one distinct measurement in each ofthese sets. Thus, in a certain CS-SMBG, protecting one distinctmeasurement from each critical set whose cardinality is less thanτa is a necessary condition for thwarting all possible SDIAs withcardinality lower than τa, which could target this CS-SMBG.Now, considering all possible spanning trees and all the possiblesets of critical sets which could be generated from each originalspanning tree (giving rise to different CS-SMBGs), preventingall possible SDIAs whose ||a||0 < τa requires protecting onedistinct measurement from each critical set whose cardinalityis less than τa within each CS-SMBG. Hence, for each CS-SMBG, a distinct measurement must be protected from eachcritical set whose cardinality is lower than τa. For a CS-SMBG,let MCS-SMBG

τa be a set of measurements containing one distinctmeasurement from each critical set whose cardinality is lowerthan τa. We note that different MCS-SMBG

τa can be obtained foreach CS-SMBG. As such, considering all possible CS-SMBG,and all possible MCS-SMBG

τa for each CS-SMBG, the solution toProblem 4 consists of finding a minimum set of measurementswhose elements include one MCS-SMBG

τa for each possible CS-SMBG.

Considering the set of measurements VCS-SMBG to be com-posed of the different MCS-SMBG

τa for each possible CS-SMBG,and considering U to be the union of all such VCS-SMBG, solving

Problem 4 corresponds to the known “hitting set problem” [29],[30], in which the universe is given by U , the subsets aregiven by VCS-SMBG, and the elements within each VCS-SMBG

are the collection of the possible MCS-SMBGτa . This problem is

equivalent to the “vertex cover problem” and is a known NP-hard problem [29], [30]. Approximate methods for the “hittingset problem” are discussed in [29] and the references therein.

Hence, using the proposed graph-theoretic framework enablesus to characterize the solutions to various well-studied SDIAproblems.

V. CONCLUSION AND FUTURE OUTLOOK

In this paper, we have introduced a novel graph-theoreticframework which enables a fundamental modeling of observ-ability attacks targeting power systems and have proven thatthe widely-studied stealthy data injection attacks are a specialcase of such observability attacks. Based on this proposedframework, we have characterized analytical solutions to variouscentral observability and data injection attack problems focusingon the sparsest SDIA, the sparsest SDIA including a certainmeasurement, the minimum set of measurements to defend tothwart all possible SDIAs, and the minimum set of measurementswhose defense guarantees that no DIA below a certain cardinalitycan be stealthy.

The proposed graph-theoretic framework provides a generalanalytical tool using which a wide set of key observabilityattacks and data injection attacks problems can be modeled andanalyzed, and is not limited to the set of problem exampleswhich are studied in this paper. In addition, the ability toanalytically characterize attack and defense policies using theproposed framework allows studying problems that involve in-teractions between attackers and defenders from a game-theoreticperspective. Such analyses can account for the opponent’s po-tential attack or defense strategies when designing, respectively,defense policies or attack vectors. As a result, such analysesallow the modeling and investigation of practical competitiveattack vs. defense settings. This enables studying the effects ofsophisticated observability attacks and data injection attacks onthe system as well as the impact of proposed defense strategieswithin various application domains such as electricity markets,congestion management, and contingency analysis, among oth-ers, thus taking the application of our framework beyond thedomain of power systems which motivated this study.

REFERENCES

[1] Y. Mo, T. H. J. Kim, K. Brancik, D. Dickinson, H. Lee, A. Perrig,and B. Sinopoli, “Cyber–physical security of a smart grid infrastructure,”Proceedings of the IEEE, vol. 100, no. 1, pp. 195–209, Jan 2012.

[2] Y. Liu, P. Ning, and M. K. Reiter, “False data injection attacks againststate estimation in electric power grids,” in Proc. 16th ACM Conference onComputer and Communications Security, Chicago, Illinois, USA, Novem-ber 2009, pp. 21–32.

[3] A. Sanjab and W. Saad, “Data injection attacks on smart grids with multipleadversaries: A game-theoretic perspective,” IEEE Transactions on SmartGrid, vol. 7, no. 4, pp. 2038–2049, July 2016.

[4] ——, “Smart grid data injection attacks: To defend or not?” in Proc.IEEE International Conference on Smart Grid Communications (Smart-GridComm), Nov 2015, pp. 380–385.

[5] L. Xie, Y. Mo, and B. Sinopoli, “Integrity data attacks in power marketoperations,” IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 659–666,Dec 2011.

[6] F. Pasqualetti, F. Dorfler, and F. Bullo, “Attack detection and identificationin cyber-physical systems,” IEEE Transactions on Automatic Control,vol. 58, no. 11, pp. 2715–2729, Nov 2013.

[7] Q. Zhu and T. Basar, “Robust and resilient control design for cyber-physical systems with an application to power systems,” in Proc. 50th IEEEConference on Decision and Control and European Control Conference(CDC-ECC), Dec 2011, pp. 4066–4071.

[8] A. Abur and A. G. Exposito, Power System State Estimation: Theory andImplementation. New York: Marcel Dekker, 2004.

[9] A. J. Wood and B. F. Wollenberg, Power Generation, Operation, andControl. John Wiley & Sons, 2012.

[10] J. B. A. London, L. F. C. Alberto, and N. G. Bretas, “Network observability:identification of the measurements redundancy level,” in Proc. InternationalConference on Power System Technology (PowerCon), vol. 2, 2000, pp.577–582.

[11] K. C. Sou, H. Sandberg, and K. H. Johansson, “Computing critical k-tuplesin power networks,” IEEE Transactions on Power Systems, vol. 27, no. 3,pp. 1511–1520, Aug 2012.

[12] O. Kosut, L. Jia, R. J. Thomas, and L. Tong, “Malicious data attacks on thesmart grid,” IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 645–658,Dec 2011.

[13] H. Sandberg, A. Teixeira, and K. H. Johansson, “On security indices forstate estimators in power networks,” in First Workshop on Secure ControlSystems (SCS), 2010.

[14] K. C. Sou, H. Sandberg, and K. H. Johansson, “Electric power networksecurity analysis via minimum cut relaxation,” in Proc. 50th IEEE Con-ference on Decision and Control and European Control Conference, Dec2011, pp. 4054–4059.

[15] J. M. Hendrickx, K. H. Johansson, R. M. Jungers, H. Sandberg, and K. C.Sou, “Efficient computations of a security index for false data attacks inpower networks,” IEEE Transactions on Automatic Control, vol. 59, no. 12,pp. 3194–3208, Dec 2014.

[16] T. Kim and H. V. Poor, “Strategic protection against data injection attackson power grids,” IEEE Transactions on Smart Grid, vol. 2, no. 2, pp. 326–333, June 2011.

[17] S. Cui, Z. Han, S. Kar, T. T. Kim, H. V. Poor, and A. Tajer, “Coordinateddata-injection attack and detection in the smart grid: A detailed look atenriching detection solutions,” IEEE Signal Processing Magazine, vol. 29,no. 5, pp. 106–115, Sept 2012.

[18] J. London, A. Bretas, and N. Bretas, “Algorithms to solve qualitativeproblems in power system state estimation,” International Journal ofElectrical Power and Energy Systems, vol. 26, no. 8, pp. 583 – 592, 2004.

[19] E. Castillo, A. J. Conejo, R. E. Pruneda, C. Solares, and J. M. Menendez,“m − k robust observability in state estimation,” IEEE Transactions onPower Systems, vol. 23, no. 2, pp. 296–305, May 2008.

[20] K. C. Sou, H. Sandberg, and K. H. Johansson, “On the exact solution to asmart grid cyber-security analysis problem,” IEEE Transactions on SmartGrid, vol. 4, no. 2, pp. 856–865, June 2013.

[21] Y. Zhao, A. Goldsmith, and H. V. Poor, “Minimum sparsity of unobservablepower network attacks,” IEEE Transactions on Automatic Control, vol. 62,no. 7, pp. 3354–3368, July 2017.

[22] ——, “A polynomial-time method to find the sparsest unobservable attacksin power networks,” in Proc. American Control Conference (ACC), July2016, pp. 276–282.

[23] G. R. Krumpholz, K. A. Clements, and P. W. Davis, “Power system observ-ability: A practical algorithm using network topology,” IEEE Transactionson Power Apparatus and Systems, vol. PAS-99, no. 4, pp. 1534–1542, July1980.

[24] V. H. Quintana, A. Simoes-Costa, and A. Mandel, “Power system topolog-ical observability using a direct graph-theoretic approach,” IEEE Transac-tions on Power Apparatus and Systems, vol. PAS-101, no. 3, pp. 617–626,March 1982.

[25] A. Bargiela, M. R. Irving, and M. J. H. Sterling, “Observability determi-nation in power system state estimation using a network flow technique,”IEEE Transactions on Power Systems, vol. 1, no. 2, pp. 108–112, May1986.

[26] D. B. West, Introduction to Graph Theory, 2nd ed. Upper Saddle River,N.J: Prentice Hall, 2001.

[27] Y. Liu, P. Ning, and M. Reiter, “False data injection attacks against stateestimation in electric power grids,” ACM Transactions on Information andSystem Security (TISSEC), vol. 14, no. 1, pp. 1–33, May 2011.

[28] R. Zimmerman, C. Murillo-Sanchez, and R. Thomas, “Matpower: Steady-state operations, planning, and analysis tools for power systems researchand education,” IEEE Transactions on Power Systems, vol. 26, no. 1, pp.12–19, Feb 2011.

[29] K. Chandrasekaran, R. Karp, E. Moreno-Centeno, and S. Vempala, “Al-gorithms for implicit hitting set problems,” in Proceedings of the Twenty-second Annual ACM-SIAM Symposium on Discrete Algorithms, ser. SODA’11, 2011, pp. 614–629.

[30] R. M. Karp, Reducibility among Combinatorial Problems. Boston, MA:Springer US, 1972, pp. 85–103.