Coordination of DERs in Microgrids with Cybersecure ResilientDecentralized Secondary Frequency Control

Hao Jan Liu, Matthew Backes, Richard Macwan, and Alfonso Valdes ∗

Department of ECE and ITI, University of Illinois at Urbana-ChampaignEmails: {haoliu6,mbackes2,rmacwan,avaldes}@illinois.edu

Abstract

Microgrids are emerging as an important strategy toadvance resiliency of modern electric power systems. Inthis paper, a robust decentralized secondary frequencycontrol design for islanded microgrids is developedto enable resilient coordination and integration ofdistributed energy resources (DERs). We cast thecontrol problem centrally under steady state andadopt the feedback-based Alternating Direction Methodof Multipliers (ADMM) algorithm for solving thedecentralized control updates. The ADMM algorithmuses measurements at various points in the system tosolve for control signals. Measurements and controlcommands are sent over communication networkssuch as Ethernet-based local area networks in theIEC 61850 standard. To enhance the robustness tocyber intrusions, we modify the ADMM algorithmusing the Round-Robin technique to detect maliciousDERs. As a complementary defense, an agreementalgorithm based on a fast computation of Kirchhoff lawconditions is implemented for continuously detectingfalse measurements. The results are demonstratedthrough simulation for a representative microgridtopology.

∗The work described here was performed with funding fromthe Dept. of Energy (DOE) under Cooperative AgreementDE-OE0000831, under subcontract to ABB US Corporate ResearchCenter. The views expressed are those of the authors. This reportwas prepared as an account of work sponsored by an agency of theUnited States Government. Neither the United States Government norany agency thereof, nor any of their employees, makes any warranty,express or implied, or assumes any legal liability or responsibilityfor the accuracy, completeness, or usefulness of any information,apparatus, product, or process disclosed, or represents that its usewould not infringe privately owned rights. Reference herein toany specific commercial product, process, or service by trade name,trademark, manufacturer, or otherwise does not necessarily constituteor imply its endorsement, recommendation, or favoring by the UnitedStates Government or any agency thereof. The views and opinions ofauthors expressed herein do not necessarily state or reflect those of theUnited States Government or any agency thereof.

1. Introduction

Grid modernization envisions the adoption ofinformation and communication technologies inthe electrical power system for measurement, stateestimation, and control [1]. This enables the increasingpenetration of distributed energy resources (DERs)in microgrids (MGs), defined as a collection ofcontrollable loads, DERs, and controls to maintainstability and serve loads. MGs provide a framework forDER integration, optimization of local power systems,ability to serve critical loads, and the intelligence torecover after outages [2].

When connected to the AEPS, frequency regulationis provided by rotational inertia from legacy generationin the AEPS. In island mode, frequency regulation isa challenge because many DERs inherently have norotational inertia. Thus, maintaining MG stability is thecritical concern when inertia-less DERs, such as solarphotovoltaic (PV) and a variety of battery and storagesystems, are integrated in a network. Additionally,coupling DERs to the grid involves fast-acting powerelectronics inverters, requiring sophisticated embeddedcontrollers for each resource [3]. Accordingly, accuratemeasurements at high sampling rates as well as controlcommands must be reliably delivered and trusted. Tothis end, the hierarchical control of DERs has recentlybeen adopted as a standard operational paradigm forislanded MGs [4, 5]. The conventional droop controldesign, along with the faster inner voltage and currentcontrol loops, is implemented at the primary level.Such autonomous local droop control design aimsto stabilize the system frequency and voltage underrandom disturbances while ensuring proportional powersharing among DERs that is proportional to the ratedcapacity of the DERs [6]. However, this primary controlmay lead to steady state mismatches from nominalfrequency. Meanwhile, the secondary control design,enabled by the communication network, coordinates thesystem-wide information regarding the status of DERsto further minimize the mismatch error from the primary

Proceedings of the 51st Hawaii International Conference on System Sciences | 2018

URI: http://hdl.handle.net/10125/50226ISBN: 978-0-9981331-1-9(CC BY-NC-ND 4.0)

Page 2670

level in a centralized fashion [7].We formulate the secondary frequency control under

steady state as a consensus optimization problem, asin [8]. To avoid a single point of failure and enhanceDERs’ plug-and-play capability, we propose to solvethis problem in a decentralized fashion by adopting theAlternating Direction Method of Multipliers (ADMM)algorithm [9]. The ADMM is a splitting optimizationtechnique that has been widely used in a varietyof scientific disciplines such as signal processing,statistical learning, and more recently, power systemoperations [10]. Based on this algorithm, a DERcontroller uses local sensor measurements of voltageand current to perform a simple algorithmic computationfor generating a local estimate. This estimate isthen communicated to a central supervisor, whichcomputes the average consensus of all estimates andbroadcasts this consensus variable back to each DERcontroller. Our implementation differs from that ofmost decentralized frequency control designs [7,11–13]in that we advocate modifying the ADMM updatesoriginally derived for the steady state objective toan online feedback-based scheme, incorporating theinstantaneous power measurements. Interestingly, itturns out that we do not need to explicitly model theMG power flow as the instantaneous power feedbacksignal couples DERs with power system networks.The proposed control design has been extensivelyvalidated using a realistic MG, and its performance canbe guaranteed in terms of achieving zero frequencydeviation with proportional power sharing amongDERs.

While the cyber infrastructure enables the proposeddecentralized control design, there is growing concernthat it also exposes an attack surface for cyberadversaries. This is not hypothetical, as evidencedby recent cyber-induced outages in the Ukraine powersystem [14]. Hence, our control framework requirescyber defenses for controls and DERs against potentialmalicious cyber attacks. We consider an adversarymodel whereby an adversary can inject syntacticallycorrect but destabilizing spoofed measurements andcontrol commands, causing the secondary frequencycontrol to fail and possibly resulting in an outage. Theutilization of syntactically correct control commandsduring an attack to cause power outages has recentlybeen reported [15], which motivates this work asaddressing realistic attack scenarios.

Our contribution is to develop a collaborativedefense strategy against these attacks by leveragingthe communication capabilities under the IEC 61850standard [16]. To enhance the robustness to maliciouscontrol command attacks, we employ the Round-Robin

(RR) technique at the central supervisor for generatingthe consensus variable based on the ADMM algorithm[17]. Interestingly, by tracking the evolution of thisRR-based variable, we are able to effectively identifycompromised DER controllers. As for the measurementattack, we adopt a complementary defense based on anAgreement Algorithm (AA) to detect and locate falsemeasurements on which the secondary control is based[18, 19]. It should be noted that these two approachesgive visibility into where the attack is happening. Thus,this can not only enable appropriate response with thecorrect mitigation, but also can alert an operator to thespecific root cause. Together with the RR and AAdetection algorithms, the central supervisor would beable to either isolate the malicious communication linksfrom control updates or trip the malicious DERs off-line.This provides a multi-pronged approach to resilientand efficient MG operation in the face of adversarialconditions. These algorithms are demonstrated throughsimulation analysis of several use cases of interest.

The remainder of this paper is organized as follows.Section 2 defines the reference MG topology andcommunication architecture, as well as attack scenarios.Section 3 introduces the droop control characteristicfor islanded MGs while formulating the steady stateconsensus problem for the secondary control design.Section 4 develops the decentralized frequency controldesign by adopting the ADMM updates with theinstantaneous power measurement feedback approach.Considering the attack scenarios in Section 2, we derivedetection mechanisms and propose mitigation strategiesin Section 5. Section 6 showcases the numerical resultsto validate our analytical claims. Concluding remarksare presented in Section 7.

2. Microgrid Modeling andCommunication Architecture

In this section, we define a reference MG topologyfor this work and build a narrative around the attackscenarios. We also describe the IEC 61850 standard andits architecture which facilitates the control architecturedesign in Section 3. Additionally, we qualitativelydetail the attack scenarios that the proposed mitigationstrategies attempt to address.

2.1. Reference Microgrid Topology

Fig. 1 shows the reference topology considered inthis paper. The MG is connected to the AEPS via asubstation, with a corresponding POI where islandingdecisions and requests can be executed. In normaloperations the MG will be connected to the AEPS, butas a strategy for resilience, the MG has the ability to

Page 2671

Figure 1. Reference microgrid topology for this work.

island from the AEPS in the event of an outage or otherdegraded operation, including cyber or physical attacksas well as widespread outage due to a major storm.

There are a variety of DERs and loads within theMG. Two DERs and an interruptible load are connecteddirectly to the MG feeder head. The MG also containsa critical load and DER that essentially serves as thebackup source dedicated to the critical load. With bothcritical load and DER buses, they have the ability toisland themselves from the rest of the MG as a resilientstrategy for the critical load. In effect, DER-1 and thecritical load, with the associated bus, would become anested microgrid.

2.2. Communication Architecture: IEC 61850

As communication networks continue to advancein electric power systems, an industry standardhas emerged for metering, protection, and controlfunctions. IEC 61850 provides a standard forconfiguring Intelligent Electronic Devices (IEDs) forelectrical substation automation systems to be ableto communicate with each other. It has sincefound applications in new domains, including MGs,see e.g., [20]. IEC 61850 defines a number ofprotocols for various classes of substation messages.Among the protocols relevant for our proposed MGcontrol system are Sampled Values (SV) and GenericObject Oriented Sub- station Events (GOOSE). SampledValues transmit digitized measurements of voltageand current from a merging unit to an IED. Amerging unit accepts inputs from current transformers(CTs) and potential transformers (PTs), and producesdigital, time-synchronized outputs communicated toother nodes via an Ethernet bus, known as the ProcessBus in IEC 61850; see Fig. 2. GOOSE messagescontaining status, data, and control commands canbe sent from one IED to another. The reason for

Figure 2. Notional representation of a standard IEC61850 substation architecture.

introducing this architecture is two-fold. First, thisstandard is seeing increased applications in MGs, and assuch, we find it relevant to design practical algorithmsfor field implementation. Second, using this standardprovides a realistic attack surface that adversaries searchout. We find it useful to provide specific solutionsfor a widely-used standard, especially considering arecent cyber attack impacting IEC 61850 [15]. Sincewe are dealing with MGs and not with bulk powersystems, the number of nodes such as DER and othercomponents is in the tens to at most low hundreds. Thus,modern substation communication architectures basedon Ethernet are easily able to meet the transmissiontime and bandwidth requirements of the ensuing controlarchitecture. As detailed soon, we consider maliciouscommunication and control signal inputs which attemptto alter the MG operating points. Based on IEC 61850,such attacks can effectively drive the frequency awayfrom the nominal, which is of extremely high stabilityconcerns.

2.3. Attack Scenarios

Emerging MGs include a central MG controller,denoted in this paper as Microgrid Controller(MGC), which communicates with individual DERcontrollers. Measurements and commands travel overcommunication networks, as given by IEC 61850.This communication structure potentially exposes thesystem to cyber attack, which can assume the formof invalid commands (which can cause a DER toperform potentially destabilizing power injections) aswell as falsified measurements (which can lead even acorrectly functioning MGC to issue erroneous controlcommands).

2.3.1. Communication Link Attack on ControlCommand

The scenario is a communication link attack on thecontrol command (not measurements) from the MGCwhich is used to exchange ADMM-related variablesvia the Ethernet-based IEC 61850 station bus. Theattack would result in the MGC calculating the wrong

Page 2672

consensus variable, which would thus send the MGto a calculated off-nominal frequency setpoint. Theattack detection mechanism examines the consensusvariable and monitors for any rapid changes that exceeda threshold. If one is found, the mechanism looks for theerrant local variable and sets the corresponding DER tolocal droop control. The remaining DERs participate inthe secondary frequency control while the spoofed DERoperates in local droop mode only.

2.3.2. Local Attack on DER Control CommandThe second scenario considers a local control

command attack. An attacker compromises the DERcontroller by some mechanism. The attacker can thencause the system frequency and consensus variable todeviate from the appropriate references. This attackdetection again relies on monitoring the consensusvariable. Therefore, when it detects which DER ismalicious, it again sets the malicious DER to localcontrol mode since it is not yet known if it is acommunication link or local controller attack at thispoint. By setting the malicious DER to local droopmode, if the system frequency and consensus variableare not converging to reference setpoints after a shorttime period, the MGC then determines such attack mustbe a local DER controller attack and issues a trip signalto the relay connecting the DER unit to the MG.

2.3.3. Local Measurement AttackFor the last attack scenario, we assume that the

attacker has access either locally to the merging unit (thesensor), or can have access to the Ethernet-based processbus and is thus able to inject false measurement data.The DER controller that subscribes to the measurementmessages would thus calculate incorrect power injectioncommands due to the faulty measurements. Thiscould drive the MG to an unstable state. We assumethat the attack is large enough to cause a reasonablefrequency disturbance within the MG. Accordingly, alocal merging unit attack may result in the tripping ofthe DER while a communication link attack on datameasurements leads to reconfigure the control algorithmand exclude the malicious DERs by setting them tothe local droop mode. We next present the secondaryfrequency control problem statement with the proposedADMM-based solver and Round-Robin-based detectionmechanism.

3. System Modeling and ProblemStatement

The islanded MG consists of m buses, where thebuses in N := {1, · · ·n} are DER buses and the rest

are in the subset of load buses NL := {n + 1, · · ·m}.Per bus-i, we represent the complex voltage and itsphase angle as vi and θi, respectively. The activepower injection of DER-i is denoted by Pi while P ∗icorresponds to its active power rating. Additionally,ωi := (θi − ωb) is the frequency deviation withθi := dθi/dt and ωb representing the frequency andnominal frequency set-point, respectively. To facilitatethe ensuing control design, we introduce the followingassumptions that are commonly used in the microgridliterature [8, 21, 22].

(A1) The power lines are relatively short and thuslossless.

(A2) The voltage magnitude |vi| at each bus is regulatedto stay constant.

(A3) All possible load variations can be fully supportedby the DERs without violating their active powerrating limits.

(A4) The load stays constant and is independent offrequency while executing the proposed frequencycontrol.

The short distance property in (A1) typically holds forpower lines in MGs. Hence, line losses are negligiblecompared to line flows. Through the fast inner controlloops along with the voltage-droop control design,DERs’ reactive power output is used to track a referencevoltage level, at a much faster time-scale than that of thefrequency control. This time-scale separation betweenfrequency and voltage dynamics is well supported byearlier work on MG modeling [23]. Accordingly, thisleads to (A2) where the voltage magnitude at all nodescan be assumed to be fixed (see, e.g., [4, 21, 22]).Additionally, (A3) can be guaranteed through a carefulsystem planning at the MG deployment stage; see e.g.,[24, Remark 1]. Last, under a load disturbance, theproposed frequency control design is fast enough torestore the system frequency to its nominal value beforeanother load change occurs. Additionally, the frequencyindependent load assumption in (A4) is needed fordeveloping and analyzing the proposed control design.It is true that there could exist different types of loadsin MGs, such as the prior work in [22, 25] which hasconsidered frequency dependent loads. Motivated by[25], it is potentially feasible to generalize the proposedcontrol design to include frequency dependent loads.This direction will be pursued in future work.

The goal of a secondary frequency control is to 1)ensure a steady state zero frequency deviation (i.e., ωi =0,∀i) and 2) guarantee autonomous active power sharing

Page 2673

P ⇤i

✓i

Pi pi

!b

!i

✓

P

1

Di

Figure 3. Frequency droop characteristics withproposed secondary control design.

in proportion to active power ratings among all DERssuch that

P1

P ∗1=P2

P ∗2= · · · Pn

P ∗n.

To this end, the active power-frequency (P -ω) droopcontrol is adopted to achieve these objectives [26]. Fig.3 depicts the droop characteristics which mimics thedynamical swing equation of a synchronous generatorwith zero machine inertia, as given by

Diωi = P ∗i − Pi − pi (1)

where the droop coefficient Di is determined by therating of DER-i. Herein we set a uniformDi/P

∗i among

all DERs. Compared to conventional P -ω droop control,an additional control input pi is introduced in (1). SinceP ∗i and Di are fixed parameters, the operating set-pointof DER-i can only be changed by judiciously controllingpi. Under (A2), the model (1) holds because of thedecoupled dynamics between frequency and voltagecontrol. Accordingly, the frequency will be controlledby adjusting the active power only assuming voltagemagnitudes stay constant [4, 21, 22].

Upon concatenating all scalar variables into vectorform, we formulate the secondary control problem as aconsensus optimization problem, as given by

minp‖P∗ −P− p‖2D−1

subject topiDi

=pjDj

, ∀i, j ∈ N(2)

where D := diag(D1, ...Dn) is an n×n diagonal matrixand the weighted norm ‖v‖2D := vTDv for any vectorv. Under steady state and (A3), the objective of (2) turnsout to be zero, corresponding to achieving a zero systemfrequency deviation. In addition, due to a uniformDi/P

∗i , the equality constraints in (2) equivalently

enforce a proportional active power sharing. Notethat the quadratic program (2) could be solved using

off-the-shelf convex solvers. Nonetheless, the challengelies in that the active power injection P is dynamicaland coupled to the power system network. To tacklethis problem, we adopt the feedback approach from[8] to account for system dynamics. We refer thereader therein for detailed derivations. To sum up,under (A1)-(A4), the optimizer of (2) can effectivelyarchive the aforementioned goal of secondary frequencyregulation.

4. ADMM-based Decentralized Solver

This section introduces our proposed ADMM-baseddecentralized secondary control design. The dynamicscoupling P and p are neglected initially. As detailedbelow, the feedback approach will be introduced toaccount for such interactions. Hence, the objective in (2)is fully separable. Using the IEC 61850 communicationprotocol for measurement and control messages, we cansolve the consensus optimization problem (2) in a fullydecentralized fashion. For notational convenience, welet the optimization variable xi := pi/Di and the inputvariable ci := (P ∗i − Pi)/Di where Pi is the activepower injection from DER-i and locally measurable.Accordingly, (2) can be reformulated as

minimizex,z

1

2‖c− x‖2D (3a)

subject to x = z1 (3b)

where z is a consensus value among the DERs. Notethat the equality constraints in (2) are equivalentto (3b) under a connected communication network.Defining the multipliers λ and a constant ρ > 0, weintroduce the augmented Lagrangian function as L =∑∀i∈N Li(xi, z, λi) where

Li(xi, z, λi) =Di

2(ci − xi)2 + λi(xi − z) +

ρ

2(xi − z)2.

(4)

Based on the (4), the ADMM algorithm is invoked andits (k+ 1)-st iteration for DER-i has the following threesteps [9]:

(S1) Update x: As L totally decouples into Li for eachDER-i, minimizing xi involves only the variableszk and λki . Thus, upon receiving zk from theMGC, the update is

xk+1i := arg min

xi

Li(xi, zk, λki ). (5)

Taking the gradient of Li with respect to xi and

Page 2674

setting it to zero, we have

xk+1i =

ρzk +Dicki − λki

Di + ρ(6)

where cki is the feedback measurement signal,corresponding to the active power injection ofDER-i.

(S2) Update z: Likewise, the consensus variable isupdated as

zk+1 := arg minz

L(xk+1, z,λk).

By initializing λ0 = 0, the summation∑i∈N λ

k+1i is guaranteed to stay zero. Thus, we

have

zk+1 =

∑ni=1 x

k+1i

|N |. (7)

(S3) Update λ: Each multiplier is linearly updated bythe iterative mismatch of the constraint (3b), asgiven by

λk+1i = λki + ρ(xk+1

i − zk+1). (8)

Because λ0 = 0, we have

∑i∈N

λk+1i = ρ

∑i∈N

k+1∑t=1

(xti − zt) = 0.

This fact corroborates the derivation in (7).

5. Detection and Localization Strategies

Under IEC 61850 communication network, weassume that attackers have compromised the local DERcontrollers such that the local variable x is altered, e.g.,xk+1i = xk+1

i +δk+1i where δk+1

i is the bias appended toxk+1i at the DER-i. Therefore, zk+1 in (7) at the MGC

becomes

zk+1 =

∑ni=1(xk+1

i + δk+1i )

n= ∆k+1 +

∑ni=1 x

k+1i

n(9)

with ∆k+1 :=∑n

i=1 δk+1i

n being the average attackbias signal with time-varying and arbitrary magnitude.Under the presence of this attack, the consensusvariable zk+1 would diverge unless ∆k+1 is designed

specifically so the effect on the consensus variable istrivial. This is, however, unlikely to happen as theattacker does not have the full system information. Inany case, such an attack bias signal may drive the MGto unstable conditions and/or damage system equipment,e.g., causing divergence of zk+1.

It is imperative to detect and localize the maliciousattack signals promptly since the control design is basedon zk+1. To this end, we monitor the evolution ofzk+1 and design a flag to trigger the ensuing detectionalgorithm. Assuming the convergence of zk+1 after k?

iterations, we would trigger the detection algorithm oncethe following condition has been satisfied:

|zk+1 − zk| > ε

where ε > 0 is a pre-defined threshold.

5.1. Round-Robin-Based ADMM DetectionAlgorithm

The RR-ADMM detection algorithm to discover themalicious DERs is adapted from [17]. The RR is anarrangement of selecting the DER in a fixed rationalorder, i.e., DER-1, DER-2, . . . , DER-n. For notationalconvenience, we denote the consensus variable for theRR-ADMM at iteration k as zk. Given α > 0, the steps(S1)-(S3) become

xk+1 = (D + ρI)−1(ρzk1 + Dck − λk), (10a)

zk+1 = α(xk+1

i+ δk+1

i), (10b)

λk+1 = λk + ρ(xk+1 − zk+11) (10c)

where I is the identity matrix with i = 1, · · · , nrepresenting the fixed Round-Robin iteration index. Fora non-malicious DER, we set δk+1

i= 0. Hence, we have

the consensus variable zk+1 as

zk+1 = αδk+1

i+ α

ρzk +Dicki− λk

i

Di + ρ. (11)

For k ≥ 1, (11) can be expressed as

zk+1 = αδk+1

i+ α

ρzk +Dicki− ρ

∑kt=1(xt

i− zt)

Di + ρ.

(12)

Let zr := {zr,1, · · · , zr,n} ∈ Rn gather the all thevalues of the consensus variable at the r-th round ofthe RR-ADMM algorithm. To determine a thresholdto separate malicious DER controllers from the rest of

Page 2675

Algorithm 1 Detection and Localization Strategies1: for every iteration k = 0, 1, 2, · · · do2: for i ∈ N do3: Compute xk+1

i as in (6) and send it to MGC4: end for5: MGC computes zk+1 as in (7)6: if |(zk+1 − zk| > ε) ∧ (k > k?) then7: if r = 1 then8: MGC computes zk+1 as in (10b)9: Broadcast the value of zk+1 to all DERs

10: Determine the index n for the minimumentry of z1

11: end if12: if (r = 2) ∧ (k ≤ k? + n+ n) then13: MGC computes zk+1 as in (10b)14: Broadcast the value of zk+1 to all DERs15: Identify malicious DER-i where{i | z1,i > z2,n,∀i ∈ N \ n}

16: MGC reconfigures the communicationnetwork, resets λk = 0, and/or trip malicious DERsoff-line

17: end if18: else19: Broadcast the value of zk+1 to all DERs20: end if21: for i ∈ N do22: Compute λk+1

i as in (8)23: end for24: end for

the system, we assume that the bias δk+1

iis sufficiently

large enough. Based on (12), one of the values fromthe non-malicious DERs during the r-th round mustbe zr,n with the index n corresponding to the smallestelement of zr. Given this index, the (r + 1)-st roundis carried out for obtaining the value of zr+1,n wheren is the same index as round 1, and this serves as thedetection threshold. Hence, any zr,i > zr+1,n,∀i ∈N \ n is identified as the malicious DER in the MG.For a given initialization time index k?, Algorithm 1tabulates the detection strategy. As for the localizationstrategy to isolate the aforementioned malicious attacksignals, the MGC first reconfigures the communicationnetwork so the malicious DERs no longer participatethe ADMM updates in (S1)-(S3) and thus switch toonly local droop (primary) control mode. Meanwhile,if zero frequency deviation is achieved, we concludethe isolation process. Otherwise, the malicious DERsare tripped off-line because of either measurement orcontrol signal attack. Last, note that there must beat least one non-malicious DER in the system for theRR-ADMM detection scheme to work. Such a scheme

is only for detection purposes. Thus, once the maliciousattacks are localized, the control design is reverted backto follow the ADMM algorithm in (S1)-(S3).

5.2. Measurement Attack Detection

We now describe a defense against falsemeasurement injection to complement defenses againstcontrol attacks given above. We adopt the AgreementAlgorithm (AA), which was developed in [18], todetermine and locate malicious measurement attacks onsubstation IEDs and controllers. Accordingly, assumingthe loads as constant impedances, the Kirchhoff’svoltage and current laws along with Ohm’s law areused to facilitate the development of agreement matrixA for a particular topology. Albeit we assume loadsas constant impedance, a general assumption in powerflow studies, the method for developing the AApresented herein remains valid for other load models.Elements of A corresponding to the currents reflectthe signed topology of the corresponding merging unitwhile others corresponding to voltages are reciprocalcomplex impedances on the corresponding lines.Fig. 1 showcases the reference MG topology withcorresponding measurement locations. The polarity ofthe complex current fi measured at i-th merging unit ispositive when current flows into the loads and DERs.By concatenating as x = (f ,v), the physical equationcan be rewritten as

Ax = 0. (13)

Considering that (13) is similar to the error correctingcode formulation from [18], if an attacker falsifiesone of the measurements, we would have a non-zerocorresponding element of the resultant vector, knownas the Syndrome vector. By injecting the maliciousvectors ∆f and ∆v to the measurements, we have x =(f + ∆f ,v + ∆v). Thus, the Syndrome vector is

s = Ax. (14)

By observing the pattern of vector s, we can classifymultiple subsets of potential malicious merging units.Accordingly, the largest magnitude element of a subsetcorresponds to the malicious location. This detectionmechanism is valid for a limited number of attacks. Werefer the reader to [19] for a detailed discussion.

6. Numerical Tests

In this section, we evaluate the proposed mitigationstrategies and responses for the communication andmeasurement link attack scenarios. The three-phase MGtopology and power system parameters are given in Fig.

Page 2676

Figure 4. Reference microgrid communicationarchitecure and data types.

1. The load is modeled as a constant impedance load,which is frequency independent. Fig. 4 depicts the MGcontrol system communication network topology. Toreiterate, the measurements are sent to the local DERsfrom a merging unit (which we omit from the figure),and the DERs and MGC communicate updates for theADMM algorithm. This is done over switched Ethernet,denoted by the Ethernet bus in Fig. 4. All numericaltests are performed in Mathworks® MATLAB 2013aand Simulink software.

6.1. Load Perturbations

In this scenario, we increase the system load by100% at t = 4s. Each DER is rated at P ∗i = 1500W, ∀i, and we let Di = 5 × 104 W.s.rad−1, ∀i tosatisfy the active power sharing. The ADMM algorithmis executed every 100 ms with ρ = 1 × 105. Theresulting bus frequencies and active power output areshown in Fig. 5. Within approximately 1.5 seconds,the secondary frequency control is able to obtain zerosystem frequency deviation from nominal, and theDERs have correctly achieved equal power sharing.Accordingly, each DER archives the the steady statefrequency of 60 Hz.

6.2. Local Attack on DER Controller

We generate an attack signal as a time-varyingrandom number from a uniform (0,3) distribution anddraw a new random value at a time step of 100ms. We multiply this by the steady state xi valueat the attack location, so that the attack is effectivelya random re-scaling of this value. Given the steadystate conditions, the attack is introduced at t = 4.1son the local xi issued to DER-3. The resultingsystem response and RR-ADMM attack detection and

3 3.5 4 4.5 5 5.5 6 6.5 7

59.996

59.997

59.998

59.999

60

60.001

Fre

quen

cy (

Hz)

3 3.5 4 4.5 5 5.5 6 6.5 70

500

1000

1500

Act

ive

Pow

er (

W)

Time (s)

DER−1DER−2DER−3

Figure 5. Frequency and active power output responseto a load disturbance.

3 3.5 4 4.5 5 5.5 6 6.5 759.996

59.998

60

60.002

Fre

quen

cy (

Hz)

DER−1DER−2DER−3

3 3.5 4 4.5 5 5.5 6 6.5 7

0

200

400

600

800A

ctiv

e P

ower

(W

)

3 3.5 4 4.5 5 5.5 6 6.5 70

5

10x 10

7

Loca

l xi U

pdat

e

Time (s)

Figure 6. Frequency, active power output, and local xi

update responses to a local controller attack in steadystate operation.

mitigation algorithm results are shown in Fig. 6. Fromthe plot of the local xi update, this particular attackintroduces a signal that is approximately 275% of thesteady state x3 signal. Clearly, the system diverges awayfrom its steady state while the attack is present. At t =5.4s with ε setting at 10% of the steady state x3 signal,the RR-ADMM algorithm successfully detects DER-3as malicious and trips it off-line, i.e., P3 = 0. For t> 5.5s, the ADMM algorithm changes to only includeDER-1 and DER-2, achieving the nominal frequency of60 Hz.

Next, we investigate the effectiveness of theRR-ADMM detection algorithm for an attack during aload disturbance. While a coincidental simultaneousoccurrence of these two events may seem unlikely, weare motivated to seek solutions to coordinated attacks,i.e., the attacker causes a load disruption and alters

Page 2677

3 4 5 6 7 8 9

59.996

59.998

60

60.002F

requ

ency

(H

z)

DER−1DER−2DER−3

3 4 5 6 7 8 90

500

1000

1500

Act

ive

Pow

er (

W)

3 4 5 6 7 8 9

0

2

4

6

x 107

Loca

l xi U

pdat

e

Time (s)

Figure 7. Frequency, active power output, and local xi

update responses to a local controller attack during aload disturbance.

the local controller updates, as depicted in Fig. 7.At t = 4s, we introduce a load disturbance of 25%and then subsequently cause an attack at t = 4.1s onthe xi update to DER-3, similar to the attack scenarioin the steady state case. We see that the randomattack signal is approximately 200% of the transientx3 signal. The RR-ADMM algorithm is still able toidentify the malicious DER even in the presence ofa load disturbance. After reconfiguring the ADMMalgorithm and tripping DER-3 off-line at t = 5.5s, thesystem achieves the nominal frequency of 60 Hz.

6.3. Communication Link Attack on ControlCommand

We consider that an attacker has gained access tothe station bus (Ethernet bus) that is exchanging controlcommands between the local DER controllers and theMGC. The attacker is able to spoof the MAC address ofa DER controller and thus can alter control commandsover the link. This is contrasted with the previousattack since it is not on the local DER controller, andthus the time-varying attack signal does not directlyaffect the power injection command to the DER. Theattack detection monitors the consensus variable andraises a flag when a deviation occurs that exceeds athreshold. In our simulation, we again use a 10%deviation as the threshold. As the consensus variableis the average across n DERs, an attack bias may not belarge, so that is the motivation for setting a relativelysensitive ε. After the flag is raised, the RR-ADMMis executed to determine which DER is malicious.The MGC then reconfigures the ADMM update toonly include the non-malicious DERs while issuing aconfiguration command to the spoofed DER to revert to

3 4 5 6 7 8 9

59.999

60

60.001

60.002

60.003

Fre

quen

cy (

Hz)

DER−1DER−2DER−3

3 4 5 6 7 8 90

500

1000

Act

ive

Pow

er (

W)

3 4 5 6 7 8 90

2

4

6x 10

7

Loca

l xi U

pdat

e

Time (s)

Figure 8. Frequency, active power output, and local xi

update responses to an communication link attack on acontrol command.

local frequency droop control. The spoofed DER shouldthen eventually return to its initial power setpoint whilethe non-malicious ones continue to regulate the systemfrequency for achieving 60 Hz. Fig. 8 depicts the resultsof this attack scenario. At t = 4.1s, an attack signal isintroduced on the x3 update sent from DER-3 controllerto the MGC. With the same random attack signal,the MGC then runs the detection mechanism from theRR-ADMM to find the malicious DER. At t = 5.3s, theMGC identifies that DER-3 is malicious and removes itfrom the ADMM update by setting it to local frequencycontrol mode. Note that the x3 update is a function ofp3, which is the power injection offset to the droop curvein Fig. 3. By setting x3 to zero, the correspondingDER controller equivalently becomes the local droopcontrol. By reconfiguring the ADMM algorithm, theDER-1 and DER-2 continue to execute the secondaryfrequency control while maintaining power sharing andachieving the nominal frequency of 60 Hz.

7. ConclusionsIn this paper, we introduce a decentralized

secondary frequency control that can successfullyachieve frequency regulation in islanded ac microgrids.This approach is based on formulating the DER droopcharacteristic equations as a consensus optimizationproblem with a power injection offset command asthe control variable. This quadratic program issolved with an ADMM-based decentralized algorithm.To this end, DER controllers locally compute theirpower injection offsets and communicate these valueswith the central controller, which then calculatesthe consensus of all DERs and broadcasts over thenetwork. This decentralized approach allows for cyberattack detection mechanisms on local controllers and

Page 2678

communication link attacks. The proposed detectionalgorithm is based on a Round-Robin ADMM algorithmwhich sequentially updates the consensus variable asa function of local controller updates to identifymalicious DERs. We pair this with a so-calledagreement algorithm, a complementary false datainjection detection mechanism. Mitigation strategiessuch as isolating attackers from the control algorithmor tripping a compromised DER off-line entirely arediscussed. Together with these algorithms, we canimplement a cybersecure resilient closed-loop controlarchitecture. Finally, we demonstrate the effectivenessof our decentralized secondary frequency control designand detection algorithms using three case studies.

References

[1] J. A. Momoh, “Smart grid design for efficient andflexible power networks operation and control,” in 2009IEEE/PES Power Systems Conference and Exposition,pp. 1–8, March 2009.

[2] N. Hatziargyriou, H. Asano, R. Iravani, and C. Marnay,“Microgrids,” IEEE Power and Energy Magazine, vol. 5,pp. 78–94, July 2007.

[3] J. M. Guerrero, J. C. Vasquez, J. Matas, L. G.de Vicuna, and M. Castilla, “Hierarchical control ofdroop-controlled ac and dc microgrids - a generalapproach toward standardization,” IEEE Transactions onIndustrial Electronics, vol. 58, pp. 158–172, Jan 2011.

[4] J. W. Simpson-Porco, F. Dörfler, and F. Bullo,“Synchronization and power sharing fordroop-controlled inverters in islanded microgrids,”Automatica, vol. 49, pp. 2603–2611, Sept. 2013.

[5] F. Dörfler, J. Simpson-Porco, and F. Bullo, “Breaking thehierarchy: Distributed control & economic optimalityin microgrids,” IEEE Trans. Control Netw. Syst., vol. 3,pp. 241–253, Sept 2016.

[6] F. Katiraei and M. R. Iravani, “Power managementstrategies for a microgrid with multiple distributedgeneration units,” IEEE Trans. Power Syst., vol. 21,pp. 1821–1831, Nov 2006.

[7] J. W. Simpson-Porco, Q. Shafiee, F. Dörfler, J. C.Vasquez, J. M. Guerrero, and F. Bullo, “Secondaryfrequency and voltage control of islanded microgridsvia distributed averaging,” IEEE Trans. Ind. Electron.,vol. 62, pp. 7025–7038, Nov 2015.

[8] L. Y. Lu, H. J. Liu, and H. Zhu, “Distributed secondarycontrol for isolated microgrids under malicious attacks,”in 2016 North American Power Symposium (NAPS),pp. 1–6, Sept 2016.

[9] S. Boyd, N. Parikh, E. Chu, B. Peleato, and J. Eckstein,“Distributed optimization and statistical learning viathe alternating direction method of multipliers,” Found.Trends Mach. Learn., vol. 3, pp. 1–122, Jan. 2011.

[10] H. J. Liu, W. Shi, and H. Zhu, “Distributed voltagecontrol in distribution networks: Online and robustimplementations,” IEEE Transactions on Smart Grid,2017. (to be published).

[11] A. Bidram, A. Davoudi, F. L. Lewis, and J. M. Guerrero,“Distributed cooperative secondary control of microgridsusing feedback linearization,” IEEE Transactions onPower Systems, vol. 28, pp. 3462–3470, Aug 2013.

[12] L. Y. Lu and C. C. Chu, “Consensus-based secondaryfrequency and voltage droop control of virtualsynchronous generators for isolated ac micro-grids,”IEEE Journal on Emerging and Selected Topics inCircuits and Systems, vol. 5, pp. 443–455, Sept 2015.

[13] L. Y. Lu and C. C. Chu, “Consensus-based droop controlof isolated micro-grids by admm implementations (to bepublished),” IEEE Transactions on Smart Grid, 2017.

[14] R. Lee, M. Assante, and T. Conway, “Analysis of thecyber attack on the Ukrainian power grid,” E-ISACReport, March 2016.

[15] R. Lee, “CRASHOVERRIDE: Analysis of the threat toelectric grid operations,” Dragos Inc., March 2017.

[16] “Communication networks and systems for power utilityautomation - all parts.”

[17] M. Liao and A. Chakrabortty, “Optimization algorithmsfor catching data manipulators in power systemestimation loops,” CoRR, vol. abs/1608.00299, 2016.

[18] A. Valdes, C. Hang, P. Panumpabi, N. Vaidya, C. Drew,and D. Ischenko, “Design and simulation of fastsubstation protection in IEC 61850 environments,”in 2015 Workshop on Modeling and Simulation ofCyber-Physical Energy Systems (MSCPES), pp. 1–6,April 2015.

[19] R. Macwan, C. Drew, P. Panumpabi, A. Valdes,N. Vaidya, P. Sauer, and D. Ishchenko, “Collaborativedefense against data injection attack in IEC 61850 basedsmart substations,” in 2016 IEEE Power and EnergySociety General Meeting (PESGM), pp. 1–5, July 2016.

[20] A. Ruiz-Alvarez, A. Colet-Subirachs, F. A.-C. Figuerola,O. Gomis-Bellmunt, and A. Sudria-Andreu, “Operationof a utility connected microgrid using an IEC61850-based multi-level management system,” IEEETransactions on Smart Grid, vol. 3, pp. 858–865, June2012.

[21] M. Zholbaryssov and A. D. Dominguez-Garcia,“Distributed enforcement of phase-cohesivenessfor frequency control of islanded inverter-basedmicrogrids,” IEEE Trans. Control Netw. Syst., 2017. (tobe published).

[22] S. T. Cady, A. D. Domínguez-García, and C. N.Hadjicostis, “A distributed generation controlarchitecture for islanded AC microgrids,” IEEETrans. Control Syst. Technol., vol. 23, pp. 1717–1735,Sept 2015.

[23] J. Schiffer, D. Zonetti, R. Ortega, A. M. Stankovic,T. Sezi, and J. Raisch, “A survey on modeling ofmicrogrids-from fundamental physics to phasors andvoltage sources,” Automatica, vol. 74, pp. 135–150, Dec.2016.

[24] X. Wu, C. Shen, and R. Iravani, “A distributed,cooperative frequency and voltage control formicrogrids,” IEEE Trans. Smart Grid, 2017. (to bepublished).

[25] C. Zhao, U. Topcu, N. Li, and S. Low, “Designand stability of load-side primary frequency control inpower systems,” IEEE Trans. Autom. Control, vol. 59,pp. 1177–1189, May 2014.

[26] M. C. Chandorkar, D. M. Divan, and R. Adapa, “Controlof parallel connected inverters in standalone AC supplysystems,” IEEE Trans. Ind. Appl., vol. 29, pp. 136–143,Jan 1993.

Page 2679