
IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 9, NO. 3, MARCH 2014 451

Integrated Security Analysis on Cascading Failure in Complex Networks

Jun Yan, Student Member, IEEE, Haibo He, Senior Member, IEEE, and Yan (Lindsay) Sun, Member, IEEE

Abstract— The security issue of complex networks has drawn significant concerns recently. While pure topological analyses from a network security perspective provide some effective techniques, their inability to characterize the physical principles requires a more comprehensive model to approximate failure behavior of a complex network in reality. In this paper, based on an extended topological metric, we proposed an approach to examine the vulnerability of a specific type of complex network, i.e., the power system, against cascading failure threats. The proposed approach adopts a model called extended betweenness that combines network structure with electrical characteristics to define the load of power grid components. By using this power transfer distribution factor-based model, we simulated attacks on different components (buses and branches) in the grid and evaluated the vulnerability of the system components with an extended topological cascading failure simulator. Influence of different loading and overloading situations on cascading failures was also evaluated by testing different tolerance factors. Simulation results from a standard IEEE 118-bus test system revealed the vulnerability of network components, which was then validated on a dc power flow simulator with comparisons to other topological measurements. Finally, potential extensions of the approach were also discussed to exhibit both utility and challenge in more complex scenarios and applications.

Index Terms— Complex network security, cascading failure, structural vulnerability, extended topological analysis.

Manuscript received June 21, 2013; revised October 25, 2013 and December 29, 2013; accepted January 7, 2014. Date of publication January 9, 2014; date of current version February 12, 2014. This work was supported in part by the National Science Foundation under Grants CNS 1117314, CNS 0643532, and ECCS 1053717, and in part by the Army Research Office under Grant W911NF-12-1-0378. The associate editor coordinating the review of this manuscript and approving it for publication was Dr. Sen-Ching S. Cheung.

The authors are with the Department of Electrical, Computer and Biomedical Engineering, University of Rhode Island, Kingston, RI 02881 USA.

Color versions of one or more of the figures in this paper are available online at http://ieeexplore.ieee.org.

Digital Object Identifier 10.1109/TIFS.2014.2299404

1556-6013 © 2014 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

I. INTRODUCTION

Modern complex network systems, including communication networks, social networks and the smart grid, have become a key focus of security analysis nowadays. With increasing interconnection of local networks, growing communication traffic and user demand, as well as diversifying services and emerging new technologies, the complex systems are becoming increasingly sophisticated to operate coordinately.

One of many threats posed to complex network systems due to the large scale inter-connectivity is the cascading failure. A small contingency or failure could trigger a series of chain effects across the entire system, causing a massive impact to the network operation and services [1]–[3]. A notable case of cascading failure threats has been witnessed in power infrastructure, where blackouts, or large scale outages due to failure propagation, have affected millions of people after some disastrous cascading failures [4], [5]. As a practical complex network system with unique physical properties affecting cascading failures, the electrical power infrastructure is chosen as a study case for the integrated security analysis of cascading failure against malicious attacks in this paper.

It is notable that the threat of cascading failures, which was usually caused by extreme random events in the past, can be intensified by the growing integration and utilization of computer-based control and communication networks. While development of automation and intelligence brings significant benefits to the complex systems and networks, e.g. the Internet, social and business networks, and power grids alike, it is inevitable that this upgrade also comes with growing risks and complexity of cyber-security issues. Take the future intelligent power infrastructure, i.e. the Smart Grid, as an example: studies [6]–[9] have put forward the fact that intelligence will bring new security challenges to the power grid, a gigantic system that already yields inherent structural vulnerability of cascading failures due to its physical nature [10]. For instance, malicious attackers can take advantage of the potential open access from smart meters in the Advanced Metering Infrastructure (AMI) [11] to plan the attack with intelligence collected from their penetration, so that they can maximize the impact of their attacks [12]–[14]. Therefore, how to secure a complex network system like the power grid against cascading failures has been motivating development of models and methodologies to simulate potential selective attacks that result in cascading failures in a power system [15] with the consideration of specific network physical properties. These studies will contribute to both defensive strategies and decision supports to protect the critical components in the complex systems.

There have been many studies on the complex network security analysis within the context of power grids. For example, R. Fitzmaurice et al. use a complex network model to evaluate short term risk-aversive dispatch policies in power systems [16]. I. Dobson, B. A. Carreras, and many other researchers have studied the existence of self-organized criticality (SOC) in cascading failures and series of blackouts [17]–[19]. Other studies have also pointed out the relevant possibility that blackouts in a bulk complex network system are first-order phenomena [20]. Security analyses based on deterministic models [21] as well as probabilistic models [22], [23] have also been proposed. More recently, Y. Koç et al. introduce the entropy [24] in power system analysis, which has been utilized in other network security studies [25]. Last but not least, a spectral method has also been developed and utilized for topological analysis of complex networks [26].

Among the efforts to examine power system security under malicious attack, one of the popular approaches is to analyze the power grid from a topological perspective, using well-developed concepts, tools and algorithms from graph theory and complex networks [27]–[30]. Traditional real power system analysis requires a very detailed set of power system operating point information and involves a large cost of non-linear calculations. As a result, topological models and vulnerability measurements are considered to be a proper simplification that requires only limited knowledge of the structure and reduces the computational cost with proper simplifications of power grid dynamics [31].

However, as a real world complex network with its own physical characteristics, the power grid has some unique features that pure topological methods cannot generalize [32]–[34]. A key difference between general complex networks and real power grids lies in the definition of load. For example, in complex networks the load is defined based on the traffic of information, which is transmitted along a single path between the source and destination. However, in a power system, the power does not follow the geodesic shortest path from a generation bus to a load bus. Instead, it constantly flows throughout the grid along all existing transmission lines before being distributed to the consumers in the distribution network, regardless of the length of paths. Also, power systems follow Kirchhoff's Law, a fundamental basis in traditional power system analysis [35], [36] but usually simplified by topological analyses. Therefore, as a trade-off, when complete information is inaccessible in reality and computational cost remains expensive for a thorough load solution, there is a strong motivation and interest for both the power grid operator as well as the potential malicious attacker to investigate grid vulnerability with an integrative approach combining both topological and power system theories.

The complex network structure under investigation is the power transmission network, which plays a key role in delivering power from power plants to consumers via substations and transmission lines. From the complex network perspective, it can be regarded as a weighted, directed map with two major types of interconnected components, i.e. nodes and edges, referred to as buses and branches in the power system context, respectively. To an attacker in the Smart Grid, buses in power grids are ideal targets since the substations they represent are the hubs of control units to regulate power transmission, and their failures prevent any power transmission along transmission lines connected to them. On the other hand, buses are generally better protected in reality and cost more to attack than branches; also, overloading that leads to cascading failures occurs more frequently on branches due to relay protections in a power system. Therefore, attacks on both components are covered in this paper. Finally, because the failure propagation process is closely related to a system's tolerance of fault, this paper also investigates the relationship between the final impact of attacks and the tolerance factor of a system. The goal is to provide an integrative tool with a better balance between accuracy and complexity to analyze power system behavior under potential attacks and identify critical components from this combined perspective.

The rest of this paper is organized as follows. First, the extended betweenness metric will be presented in Section II. Then, a simulator for cascading failure analysis and vulnerability assessment will be described in Section III. Simulations, run-time and validation results for the single victim attack schemes will be shown in Section IV. Further discussion on the modeling of capacity and the extension to multiple-victim scenarios will be found in Section V. The conclusion and future work will be provided in Section VI.

II. MODELING TRANSMISSION NETWORK CRITICALITY WITH EXTENDED BETWEENNESS

Among the efforts to overcome the drawbacks of pure topological measurements for power grid, a recent study by E. Bompard et al. [37]–[39] implements an extended topological power-flow analysis using the Power Transfer Distribution Factor (PTDF). In what follows, a transmission line, a generation bus and a load bus in the power grid are denoted as $l$, $g$ and $d$, respectively. In addition, $L$, $G$ and $D$ are the corresponding sets of branches, generation buses and load buses, respectively.

A. Extended Topological Analysis With PTDF

PTDF, denoted as $F$, is a matrix whose elements correspond to the power flow change on a branch $l$ when one unit of real power (1 p.u.) is injected at a bus $v$ in a power grid [40], [41]. By definition, the magnitude of each PTDF element can be interpreted as the sensitivity of a transmission line to nodal power injection, while its sign reflects the direction of the actual flow relative to the reference direction of the system map; sensitivity analyses similar to this have become a popular research topic in network security studies [42], [43]. In power flow analysis, based on the assumptions of transmission loss and reactive power, there are two types of models to calculate the network equations of PTDF [44]: the DC model assumes lossless transmission and pure real/active power injection in a system, while the AC model considers the transmission loss on branches and the existence of reactive power. DC-PTDF and related power flow models are more widely used in the research community thanks to simplified assumptions for fast linear computation with relatively reliable accuracy [45]. In this paper, the DC-PTDF based model is the primary focus in our cascading failure study, while extensions and discussions to the AC-PTDF model are also covered in simulation analysis for the comprehensiveness of this study.

B. Extended Betweenness

Combining the power-flow based PTDF parameter with topological analysis, a new definition of load in the network can be introduced to analyze the structural stability. The re-defined load on each bus $v$, proposed by E. Bompard et al. as the Extended Betweenness [37], [38], [46], involves three major steps:

First, the power flow sensitivity of branch $l$ with respect to the pairwise unit power transmission is calculated by:

$$f_g^d(l) = F_{lg} - F_{ld}, \quad g \in G,\ d \in D,\ l \in L \qquad (1)$$

where $F_{lg}$ and $F_{ld}$ are the power flows that occur on branch $l$ when a unit of power is injected at a generation bus $g$ or a load bus $d$, respectively, and withdrawn from a reference slack bus.

Then, with the definition of power flow sensitivity, we can calculate the capacity of power transmission between a transmission pair $g$ and $d$. Specifically, because of different sensitivities to power flow injection, a more sensitive branch will reach its given power flow limit faster than less sensitive ones given the same capacity. Therefore, the maximal power that could be transferred between any given transmission pair is limited by the most sensitive branch in the whole grid. This assumption can be easily extended to a more realistic case where the branch capacities are different. Assume that each transmission line has a designed limit $P_{\max}(l)$ (MW); a pairwise power transmission capacity between $g$ and $d$ when the first branch in the grid reaches its limitation (denoted as $P_g^d$) is defined as:

$$P_g^d = \min_{l \in L} \left( \frac{P_{\max}(l)}{|f_g^d(l)|} \right), \quad g \in G,\ d \in D \qquad (2)$$

where it should be noted that $P_g^d$ is defined and calculated in pairs between any generation bus $g$ and load bus $d$ in the system. In other words, $P_g^d$ is a theoretical pairwise power transmission upper-bound between a transmission pair due to the limit of branches.

Finally, the new defined load, i.e. the extended betweenness of a bus, is calculated as the overall power transmission capacity of a given bus $v$:

$$T(v) = \frac{1}{2} \sum_{g \in G,\, d \in D,\, l \in L_v} P_g^d \cdot f_g^d(l), \quad g \neq d \neq v \in V \qquad (3)$$

where $L_v$ is the set of branches directly connected to a bus $v$ in the set of all buses $V$. The product $P_g^d \cdot f_g^d(l)$ represents the power flow transmitted via branch $l$ when power between a transmission pair $g$ and $d$ is transferred at its pairwise transmission capacity. The discount factor $\frac{1}{2}$ is applied since the total power carried into a bus should equal the total power flowing out of it.

Similarly, the extended betweenness for a branch is defined as the overall power transmitted across branch $l$ in a power grid. Since the PTDF $F$ has either a positive or negative sign according to power flow direction, the extended betweenness for a branch $l$ is determined by the greater of absolute in-flow and out-flow:

$$T(l) = \max_{l^+,\, l^- \in L} \left\{ \sum_{g \in G,\, d \in D} P_g^d \cdot f_g^d(l^+),\ \sum_{g \in G,\, d \in D} \left| P_g^d \cdot f_g^d(l^-) \right| \right\} \qquad (4)$$

where $l^+$ and $l^-$ correspond to $f_g^d(l)$ with a positive sign and a negative sign, respectively. It is notable that in [46] the extended betweenness is interpreted as a representation of the total power transmitted on a branch $l$ in the grid. However, in the power flow theories, the positive and negative power flow on a branch will cancel each other; in this case, the actual load is measured differently as the sum of both values. As the focus of this paper is to develop a CFS based on extended betweenness for cascading failure analysis, we adopted the definition of $T(l)$ as originally proposed by E. Bompard et al., while further modifications can be implemented to adapt to the power flow assumptions.

In this paper, we adopt extended betweenness as the load on each bus and branch because of its strength to capture both topological and electrical characteristics of power grids. Although the term extended betweenness resembles the concept of betweenness centrality in graph theory and complex network studies, it should be noted that there is a distinctive difference between them as the extended betweenness is not based on the geodesic shortest paths. Although it borrows the idea of pairwise transmission, the "extended betweenness" is not purely topological as it does not characterize the power flow as a geodesic shortest path. Instead, it is the overall power transmission capacity according to a power system based model; consequently, the measurement is closer to the real power systems. In addition, this model utilizes the sensitivity and flow-limit on each branch to calculate the transmission capacity, thereby providing a better approximation of power transmission than pure topological approaches as well. In summary, it captures physical characteristics of a real power system that add to its robustness while still retaining the strength of security analyses of complex networks.

III. THE EXTENDED BETWEENNESS BASED CASCADING FAILURE SIMULATOR (EB-CFS) FOR VULNERABILITY MEASUREMENT

A. Extended Betweenness Based Cascading Failure Simulator

On top of the extended betweenness measurement proposed to assess the structural vulnerability of power grid, we also see the potential of improving this model as a cascading failure simulator (CFS). The motivation for developing this simulator is twofold. On one hand, without a complete knowledge of real-time loading information, the extended betweenness can be used as a more power-related approximation of load than pure topological methods, and the overall loss of extended betweenness can be used to approximate the portion of blackout size related to embedded structural vulnerability in power grids. But on the other hand, the extended betweenness is still merely a static structural measurement that cannot fully consider the effect of consequent failure propagation in a cascading failure. A further development of a CFS will help us simulate the consequence of power grid behaviors, including overloading and failure propagation triggered by the initial attack, so that we can better evaluate and understand the impact of attacks that may cause the collapse of power transmission networks.

Based on the considerations above, we proposed an extended betweenness based CFS (EB-CFS) below to evaluate a simple attack scheme, in which the attacker can completely knock down a number of victims (either buses or branches) to trigger a potential cascading failure. Using the same information of power system required in the calculation of extended betweenness, the proposed EB-CFS and corresponding metric do not depend on the complete real-time generation or load status of a given bulk power grid. This allows power grid operators to assess the inherent structural vulnerability for any component in the events of cascading failures.

TABLE I: EXTENDED BETWEENNESS BASED CASCADING FAILURE SIMULATOR

The attack scenario is similar to the $N-k$ contingency [47] analyzed in traditional power system studies, but it comes from the attacker's perspective on cascading failure threats. Results obtained through simulations of malicious attacks are not limited to the application of evaluating the structural vulnerability and locating the critical components; they can also provide insights on more complex attack schemes that could be further investigated to examine the vulnerability of complex networks thoroughly.

In the rest of this section, we will describe the iterative extended betweenness based cascading failure simulator in detail. The general procedure of the EB-CFS is shown as pseudocode in Table I, and details of implementation are described as follows:

1) Initialization: The first step is to set up the initial status of all network components and related parameters. The capacity in the context of extended betweenness is usually calculated as a function of the initial load of a given benchmark, which assumes that branches carrying heavier power transmission load will be designed to have greater capacity [21]. Therefore, we refer to our previous work [48]–[50] and assume there is a global overload tolerance in a system, denoted as $Tol$. Numerically, this can be defined as $Tol = Cap(c)/T_0(c)$, where $Cap(c)$ is the capacity and $T_0(c)$ is the initial load (extended betweenness) of a component $c$ in the given system. Note that by definition, $Tol$ should always be larger than one, and it can also be viewed as the system redundancy between the initial load and its maximal capacity. In reality, the loading of a transmission network is dynamic and varies over time, resulting in a different remaining tolerance ratio even with a constant capacity. Therefore, to evaluate different possible tolerances in reality, a numerical analysis on the relationship between tolerance and the cascading impact will be evaluated. By varying the value of $Tol$ used in simulation, we can generate different situations of system tolerance to measure the vulnerability of cascading failures for different system states.

2) Initial Attack: To initiate an attack, we simply choose a number of victims, either buses or branches, and cut them off from the original grid. Then we start the following iterative process of cascading failures in the EB-CFS.

3) Update System Parameters in the Post-Attack/Post-Failure Stage: The structure of a power grid will be changed after a direct victim of the initial attack or a component failed by the cascading effect is cut off. Consequently, the extended betweenness should be recalculated to reflect the latest state. It is notable that in this recalculation, updates should be made through the computations from the PTDF matrix $F$ to the extended betweenness $T$, as all intermediate parameters depend on the current network topology. To be specific, whenever a new grid topology is set up, we will first recalculate the PTDF depending on whether the DC or AC model is chosen. Then, the branch sensitivity $f_g^d(l)$ and the pairwise power transmission capacity $P_g^d$ will be updated to $f'^{d}_{g}(l)$ and $P'^{d}_{g}$, respectively. Afterwards, the power flow of branch $l$ generated by a transmission pair $g$ and $d$ will be changed to $P'^{d}_{g} \cdot f'^{d}_{g}(l)$. Hence a post-attack extended betweenness $T'$ at any given moment is calculated with Eqn. (3) and (4). Also, in the cases where the initially fully-connected grid is broken down into disconnected islands, we will set up a new topology for each of the sub-areas and re-calculate the extended betweenness $T'$ locally within each sub-area. As a special case, if a new sub-grid contains no generation buses or load buses, by definition the extended betweenness of all components in this isolated sub-grid will be set to zero.

4) Detect Failure Components: A failure that occurs on either a bus or a branch will affect other components in the grid, but it may or may not result in a fatal overloading depending on the capacity of a system and the real-time loading. Meanwhile, as in any CFS, the post-attack overloading degree (if overloading exists) is a critical index affecting whether an overloading is turning fatal. Hereby we define the overloading ratio of a component $c$, denoted as $r(c)$, as the post-attack extended betweenness over the initial pre-attack betweenness, i.e. $r(c) = T'(c)/T(c)$. It reflects the impact of the previous failure on each component during the cascading process. Because the components in the system are subject to a maximal degree of overloading ratio, they will be shut off and disconnected if the upper-bound is reached so as to protect the remaining facilities. Therefore, we consider a component $c$ to be fatally overloaded, or failed, if $r(c) > Tol$; if, however, an overloading occurs but is not fatal ($1 < r(c) \le Tol$), then $c$ is regarded as deficient but still in operation.

5) Trip Failed Components: For any failure that occurs in the power grid due to direct attack or post-attack overloading, the network topology needs to be modified accordingly. In this paper, the following policy will be carried out to update the grid topology:

1) If a bus fails, no more power can be transmitted through this nodal connection in the system, and so any branch connecting to it will also lose the ability to transmit any power. Therefore, for any bus failure, the bus itself with all connected branches is removed from the topology;

2) For a branch failure, because a bus connecting to its end can still be linked to the remaining system by other branches, the EB-CFS only performs a removal of the failed branch from the network.

B. Cascading Failure Impact Measurement

In order to identify the most vulnerable buses or branches as an attack target, it is necessary to define an assessment metric to illustrate the influence of attacks. In this paper we use the loss of extended betweenness, denoted as ΔEB, to evaluate the impact of an attack. It is defined as the fraction of total extended betweenness lost after the cascading

$$\Delta EB(c) = \frac{\sum T'(c') - \sum T(c)}{\sum T(c)}, \quad c' \in C' \text{ and } c \in C \tag{5}$$

where C is the initial set of buses (V) or branches (L) according to the type of attack, and C′ is the corresponding set of the same type of components in a stabilized power system after a cascading failure.

Since we are interested in finding the most effective attack schemes in the grid using the extended topological method, we will perform an exhaustive search in a power system benchmark to identify the buses or branches that maximize the final loss, or ΔEB, as the most vulnerable component in single victim attacks. This metric is in theory more robust than pure topological measurements or extended betweenness alone, since it covers not only the initial structural vulnerability but also the effect of potential cascading failure following possible attacks. Being independent of the specific operation status, this method is still able to provide reasonable results in identifying the most vulnerable and critical component in the power grid. However, it should be noted that due to combinatorial explosion, the feasibility of exhaustive search can be significantly limited in N − k analysis if the order k or the grid size is greatly increased. In this case, other techniques to improve the searching efficiency should be incorporated accordingly.

IV. SIMULATION AND ANALYSIS

A. Simulation Setup

1) Benchmark Power System: The proposed method in this paper requires information on electrical properties of a power grid, so we choose to test it on a modified IEEE 118-bus system [46], [51]. With this modification, only one branch is allowed to connect to a given pair of buses, and thus the number of transmission lines in this benchmark is reduced to 179. To decide the value of Pmax for the benchmark, we assign the branch emergent rating limits to all the 179 branches, whose values are described in Table II. These values are obtained from the Appendix of [52], which remain as a constant physical property of the system during the simulation.

2) Topological Measurements for Comparison: To compare our integrated cascading failure model and metric against other pure topological measurements, we follow the work of P. Hines et al. [33], [34] where two topological metrics are chosen for comparison. The two measurements are the connectivity loss (δC) and the change of characteristic path length (Δλ), which will be validated and compared to exhibit the advantage of our integrated EB-CFS.

TABLE II. Pmax OF ALL 179 BRANCHES IN IEEE 118-BUS BENCHMARK

First, the connectivity loss is defined as the average decrease of the percentage of generation buses no longer connected to any load bus after an attack:

$$\delta C = 1 - \frac{1}{N_D} \sum_{i \in D} \frac{N_G^i(c)}{N_G} \tag{6}$$

where N_G and N_D are the number of generation and load buses in the original grid, respectively. N_G^i(c) is the number of generation buses that can still be reached by bus i after a component c (either a bus or a branch) has been attacked in the grid.

Secondly, let λ0 be the characteristic path length of the original grid, i.e. the average length of all pairwise shortest paths from generation buses G to load buses D; also, let λ(c) be the characteristic path length after a component c is taken down. Then the change of characteristic path, or Δλ, is defined as Δλ = λ(c) − λ0.
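An added example, not code from the paper: the detect-and-trip loop of Section III-A, the loss metric of Eq. (5) and the two topological metrics defined above, evaluated side by side on a constructed 5-bus grid as an operator's screening aid. It assumes hop-count shortest-path betweenness between generation and load buses as a stand-in for the PTDF-based extended betweenness, covers branch failures only, and all function names are hypothetical.

```python
from collections import deque

# Constructed 5-bus toy grid (not the IEEE 118-bus benchmark).
BRANCHES = [(1, 2), (1, 3), (2, 4), (3, 4), (4, 5)]
GENS, LOADS = [1, 5], [3, 4]

def adjacency(branches):
    adj = {}
    for u, v in branches:
        adj.setdefault(u, set()).add(v)
        adj.setdefault(v, set()).add(u)
    return adj

def bfs(adj, src):
    """Hop distance and shortest-path count from src to each reachable bus."""
    dist, sigma, queue = {src: 0}, {src: 1}, deque([src])
    while queue:
        u = queue.popleft()
        for v in adj[u]:
            if v not in dist:
                dist[v], sigma[v] = dist[u] + 1, 0
                queue.append(v)
            if dist[v] == dist[u] + 1:
                sigma[v] += sigma[u]
    return dist, sigma

def branch_loads(branches, gens, loads):
    """ASSUMED stand-in for extended betweenness: every generator-load pair
    sends one unit, split equally over its shortest paths. Pairs in different
    islands send nothing, so an island without generation or load gets zero."""
    adj = adjacency(branches)
    seen = {s: bfs(adj, s) for s in set(gens) | set(loads) if s in adj}
    T = {b: 0.0 for b in branches}
    for g in gens:
        for d in loads:
            if g == d or g not in seen or d not in seen or d not in seen[g][0]:
                continue
            (dg, sg), (dd, sd) = seen[g], seen[d]
            for u, v in branches:
                for a, b in ((u, v), (v, u)):
                    # Branch a->b lies on a shortest g-d path.
                    if a in dg and dg[a] + 1 + dd[b] == dg[d]:
                        T[(u, v)] += sg[a] * sd[b] / sg[d]
    return T

def cascade_loss(branches, gens, loads, failed_branch, tol):
    """Remove failed_branch, then repeatedly trip every branch whose overloading
    ratio r = T'/T0 exceeds tol. Returns (loss, failed); loss is the magnitude
    of Eq. (5) computed over branches."""
    T0 = branch_loads(branches, gens, loads)
    alive, failed = [b for b in branches if b != failed_branch], [failed_branch]
    while True:
        T = branch_loads(alive, gens, loads)  # recomputed per island
        # ASSUMPTION: a branch with zero initial load has no ratio and never trips.
        tripped = [b for b in alive if T0[b] > 0 and T[b] / T0[b] > tol]
        if not tripped:
            break
        failed += tripped
        alive = [b for b in alive if b not in tripped]
    total0 = sum(T0.values())
    return (total0 - sum(T.values())) / total0, failed

def topo_metrics(branches, gens, loads, failed_branch):
    """Connectivity loss (Eq. 6) and change of characteristic path length after
    removing failed_branch, with no cascade. ASSUMPTION: lambda averages only
    the generator-load pairs that are still connected."""
    def reach_and_lambda(brs):
        adj = adjacency(brs)
        dist = {d: bfs(adj, d)[0] if d in adj else {d: 0} for d in loads}
        reach = [sum(g in dist[d] for g in gens) for d in loads]
        lens = [dist[d][g] for d in loads for g in gens if g != d and g in dist[d]]
        return reach, (sum(lens) / len(lens) if lens else 0.0)
    _, lam0 = reach_and_lambda(branches)
    reach, lam = reach_and_lambda([b for b in branches if b != failed_branch])
    delta_c = 1 - sum(r / len(gens) for r in reach) / len(loads)
    return delta_c, lam - lam0

def compare(tol):
    """One row per branch: (cascade loss, delta_C, delta_lambda)."""
    return {b: (cascade_loss(BRANCHES, GENS, LOADS, b, tol)[0],
                *topo_metrics(BRANCHES, GENS, LOADS, b)) for b in BRANCHES}

if __name__ == "__main__":
    for branch, row in compare(1.2).items():
        print(branch, "loss=%.3f dC=%.3f dLambda=%.3f" % row)
```

On this toy grid with Tol = 1.2, losing branch (1, 2) leaves both δC and Δλ at zero while the overload cascade removes 5/6 of the total load measure; with Tol = 1.5 the same failure is absorbed without any further trips.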

3) Validation Simulator Setup: To evaluate our proposed metric, we utilize a DC power flow based cascading failure simulator (DC-CFS) adopted from [21] for the validation of simulation of both bus and branch attacks. Specifically, when a given component (either a bus or a branch) is failed by a direct attack, the following iterative process will be executed in the DC-CFS:

1) A generation dispatch process will be first performed. It will either ramp up the generation output (with restricted rate and capacity) if there is a deficiency, or trip the redundant generation if there is a surplus;

2) A load shedding process will be executed if, after the dispatch, the demand of load is still greater than the generation capacity. Steps 1 and 2 will regain the required balance between overall generation and load to maintain consistent and stable operation of generation units;

3) When the generation-load balance is re-established, a DC power flow model in [53] is applied to calculate the subsequent power flow on each branch;

4) A thresholded accumulative function of overloading ratio and duration [21] will be updated to determine which branch should be tripped due to the violation of relay-based protection policy;

5) After the tripping, the system topology is updated and the operating point is re-calculated through steps (1)–(4).

The above process is repeated until no branch in the remaining power grid is found to be overloaded, which indicates that the cascading failure has already ended. Then the DC-CFS calculates the total loss of load (in MW) caused by the failure propagation as the blackout size, which is used for validation and comparison purposes in this paper.

B. Pre-Cascading Analysis

As mentioned previously, the system tolerance Tol is an important factor affecting the simulation of cascading failures, as it decides to what degree an overloaded component is considered “tolerable” with respect to its initial loading status. To determine a proper range for Tol in simulation, we considered a system that is designed to avoid any cascading failure after a single victim attack. In this case, there shall be a required fault tolerance above which no overloading will become fatal and no cascading failure will occur. This required tolerance, denoted as R, is calculated as the maximum of overloading ratio r immediately after the initial attack. Our simulation has shown that in the DC-PTDF model, the maximum and mean values of R are 3.90 and 1.29 among all 118 buses, and 4.26 and 1.38 among all 179 branches, respectively. In the AC-PTDF model, the corresponding values are 2.96 and 1.28 for buses, 4.20 and 1.38 for branches, respectively. These results help us refine the range of Tol to be within 1.0 and 2.0, as in following simulations presented in the rest of the paper.

With the refined range of Tol, we can now evaluate the number of effective attacks, in which at least one component in the system other than the victim being attacked fails. Table III lists the number of effective single-bus and single-branch attacks under the evaluated system tolerance values for both models of PTDF and both types of attacks. The table exhibits how the tolerance parameter can affect the cascading failure simulation through the resulting number of buses or branches that fail after the initial attack. For instance, in single victim attacks under DC-PTDF model, when Tol = 1.5, only 23 of all 118 single-bus attacks and 42 of all 179 single-branch attacks can lead to a cascading effect. However, if Tol is set to 1.2, the corresponding numbers will rise to 43 and 95, respectively.

C. Cascading Failure of Single-Bus Attack

For the single-bus attack schemes, we perform an exhaustive search over the set of loaded buses D (buses with non-zero load so they will directly lead to a blackout) to calculate their ΔEB under each tested tolerance value Tol. Then for each value of Tol, we identify the bus with the greatest ΔEB as the most vulnerable victim in cascading failure based attacks. Values of ΔEB of the most vulnerable buses are listed in Table IV for both DC-PTDF and AC-PTDF model, and trajectories of ΔEB over the chosen Tol range are plotted in Fig. 1. These buses (Bus 30, 38, and 65 in the DC model, and Bus 30, 68, 65, 68, 69, and 80 in the AC model) are more structurally vulnerable than other buses in cascading failures, as attacking them leads to the largest loss of overall power transmission in the grid. However, it is notable that in DC-PTDF model ΔEB of the most vulnerable victim stays above 80% when Tol ≤ 1.8; meanwhile, in AC-PTDF model, the simulator will declare the top victims more vulnerable as the loss of ΔEB will always stay above 80% for all tested tolerance values in simulation. This reflects that the difference in system modeling can contribute to the eventual vulnerability measurements, which can be an interesting topic in future studies.

TABLE III. NUMBER OF EFFECTIVE SINGLE-BUS AND SINGLE-BRANCH ATTACKS UNDER DIFFERENT Tol. NOTE THAT THERE ARE 118 BUSES AND 179 BRANCHES IN THE 118-BUS BENCHMARK

Fig. 1. In (a) DC-PTDF and (b) AC-PTDF model, ΔEB of the most effective single-bus attacks in IEEE 118-Bus system.

There is also another observation regarding the trend of ΔEB when Tol is increased. In Fig. 1, while ΔEB varies with respect to different Tol, the maximal value of ΔEB that a single-bus attack can achieve is in general non-increasing with the increase of Tol. However, we have also observed that ΔEB for each victim bus alone may not decrease monotonically, which is consistent in both PTDF models. Although intuitively greater tolerance/redundancy with respect to the initial load should increase the system’s resilience and lead to smaller impact of cascading, this observation is still reasonable due to the complex mechanism behind cascading failure. In some single-bus attacks, e.g. attack on Bus 65, a slightly increased tolerance from 1.6 to 1.7 may not be able to reduce the loss of load across the whole grid, as the power flow can be redirected and then concentrate elsewhere in another region of the 118-bus system. As a result, this can cause more severe overloading in the new area and result in greater load loss.

TABLE IV. THE MOST VULNERABLE VICTIMS IN SINGLE-BUS ATTACKS

TABLE V. THE MOST VULNERABLE VICTIMS IN SINGLE-BRANCH ATTACKS

Finally, the number of failed components (N_fail) after cascading failures is provided for each of the most vulnerable buses in Table IV. While N_fail is correlated to the cascading failure process and thus the value of ΔEB, it is noted that it drops significantly when Tol is increased. Meanwhile, ΔEB remains relatively high under most Tol tested. This discrepancy can be interpreted by varying load on different buses, a factor that greatly influences the cascading effect but is not taken into account in the measurement of N_fail. In practice, even when there is only a small number of failed components in the grid, the power system can fail to maintain stability due to the loss of some critical buses.

D. Cascading Failure of Single Branch Attack

In this part, we utilize the EB-CFS for vulnerability assessment of single branch attack schemes. Similar to single-bus attacks, the most vulnerable branches identified by ΔEB are presented in Table V with corresponding branch IDs and Tol. To illustrate differences of ΔEB of the most vulnerable branches under different Tol, we also visualize their values in Fig. 2. For all the branches identified in Table V, their ΔEB are plotted as a bar graph in Fig. 2 with respect to each Tol. IDs of the most vulnerable branch for each value of Tol are shown on top of the corresponding bar of ΔEB, respectively.

In the ΔEB bar graph, it is shown that in single-branch attacks maxima of ΔEB exhibit a trend of decreasing with increased system tolerance. Meanwhile, in specific cases, the cascading failure caused by single-branch attacks can still yield an increase of ΔEB within given range of Tol. This is similar to the scenario discussed in single-bus attacks, where a greater tolerance can re-direct the cascading failure to somewhere else in the grid. Branches in this new cascading area can be more sensitive and overloaded more severely with aggregated pairwise power transmission, and their failures can lead to increased loss of extended betweenness. From Fig. 2(a) and (b) we can also see that in both PTDF models, ΔEB of Branch 93 and 100 both remain comparatively greater than other branches when Tol becomes larger. In other words, the vulnerability of these two branches identified in the DC model is confirmed by the corresponding measurements in the AC model. By looking into the 118-bus system, it is found that Branch 93 connects Bus 38 to 65, and Branch 100 connects Bus 65 to 68, and these buses have been identified as the most vulnerable buses in single-bus attack schemes in Section IV-C. This consistency suggests that these two branches, which appear to be two of the most vulnerable branches in both models that are connecting the most vulnerable buses, shall require more protection effort in this 118-bus power system.

Fig. 2. ΔEB of the most vulnerable branches identified by (a) DC-PTDF and (b) AC-PTDF model. The most vulnerable branch IDs identified under each Tol are labeled on top of the corresponding bars, respectively.

It is also notable that for some tolerances, the values of ΔEB in a single-branch attack can be greater than they are in a single-bus attack. For instance, in DC-PTDF model, when Tol = 1.9 the greatest value of branch ΔEB is 65.02% (on Branch 93), while the maximal bus ΔEB has already dropped to 51.70% (on Bus 65); similar observations are also found with Tol = 2.0 in both models. Recall that in pre-cascading analyses, the mean and maximum of required tolerance R for branches are both greater than the corresponding values of buses. These consistent observations suggest that for a power system to operate in normal condition, the branches should generally ensure larger redundancy for overloading than the buses; otherwise, with a given value of Tol, some branches will be more vulnerable than buses in cascading failures caused by malicious attacks.

Finally, the number of failed branches after attacking each most vulnerable branch is also included in Table V. As we can see, the value of N_fail also decreases drastically when Tol is increased. It is also shown that a small number of critical branches failing in the cascading process can nevertheless result in a severe disturbance or outage in the power grid. In reality, this is one of the reasons behind the N−1 security requirement in modern power systems [54].

E. Run-Time of Single Victim Attacks

According to a series of research and publications from the IEEE Cascading Failure Working Group [55]–[57], the complexity of a CFS can still pose a challenge to the study of cascading failures, so we also provide run-time analysis for our EB-CFS. The complexity can be roughly viewed as four-fold from the top down:

1) The number of system tolerances (N_Tol) to be simulated;

2) The size of a given grid (N_grid) and the number of victims (N_v) in each attack;

3) The run-time of an attack O(Attack), or the overall number of failures (N_f) that occur in a complete cascading process triggered by attackers;

4) The run-time to update extended betweenness T for each new failure occurrence in the grid. It can be roughly defined as N_G × N_D × N_L × O(T(c)), where O(T(c)) denotes the approximate computational complexity of calculating the extended betweenness of a power grid component.

TABLE VI. EMPIRICAL SIMULATION TIME ON AVERAGE FOR SINGLE-VICTIM ATTACKS IN THE 118-BUS SYSTEM WITH 179 BRANCHES

Among these four levels of complexity, N_f is the most difficult to obtain analytically as it depends on the structural topology (i.e. connectivity and scale), the electrical property of power systems, as well as the specific victim being attacked. These dependencies render it difficult to express N_f in a closed form. Nevertheless, if we only consider single-victim attacks (N_v = 1) and assume that the complexity of the worst case to simulate a complete cascading failure is O(Attack), then the overall complexity O(EB-CFS) can be approximated by O(EB-CFS) = N_Tol × N_grid × O(Attack).

Although an analytic and explicit form of the complexity of EB-CFS is difficult to obtain, we can still acquire empirical run-time information of the exhaustive search approach in simulation. Specifically, we implemented the EB-CFS in MATLAB 2010b on a Windows 7 64-bit operating system, with 8 GB DDR5 memory and Intel Xeon W3565 3.20 GHz quad-core processors. The average simulation run-time is obtained from 100 runs of exhaustive search for the most vulnerable victims under single-victim attacks on IEEE 118-bus system. The run-time of each complete search (denoted as RT(Run)) is recorded along with the average run-time per each given tolerance (denoted as RT(Tol)) and per each attack (denoted as RT(Attack)). The results are shown in Table VI with corresponding victim types and PTDF models. Note that in this setting, when RT(Run) is obtained from 100 runs and 11 Tol values are tested in each run, RT(Tol) will be the average of 1100 samples, and RT(Attack) will be the average of 129,800 samples in single-bus attacks and average of 196,900 samples in single-branch attacks, respectively.

As an example, with the information of RT(Attack), to simulate all 118 single-bus attacks in DC-PTDF model with Tol = 1.0, 1.1, ..., 2.0, the average run-time of a complete exhaustive search can be approximated by RT(DC-BUS) = N_Tol × N_grid × RT(Attack) = 11 × 118 × 0.116 = 150.57 seconds, which is very close to the actual run-time per search RT(Run) = 151.22 seconds. Similarly, the estimated overall run-time for single-branch attacks in the DC-PTDF model is RT(DC-BRANCH) = 329.07 seconds, while the actual run-time is also very close as RT(Run) = 329.06 seconds.

According to the second row of Table VI, for the grid operator, if the tolerance of the 118-bus system is known beforehand and an attack can also be instantly detected, then the EB-CFS can provide a decently fast vulnerability measurement in less than two seconds, although the AC model takes much longer than the DC model. However, it should be noted that if the tolerance is unknown or an evaluation of all possible attack victims is requested, fast victim selection algorithms or parallel computing techniques should be incorporated into the EB-CFS models to improve the computation efficiency. Meanwhile, to perform a fully online screening and evaluation for a large power network with over ten thousand substations and branches, an exhaustive search over all candidates and tolerances can still be prohibitive due to the combinatorial explosion in a bulk system.

TABLE VII. VALIDATION RESULTS OF ΔEB AS AN ATTACK VECTOR (ΔP IN MW)

F. Validation for Our Vulnerability Measurement in Single Victim Attack

This section exhibits the validity of using ΔEB as a vulnerability measurement by using single-bus attacks as an example. Specifically, we validated the EB-CFS with the power flow based DC-CFS described in Section IV-F, and compared the actual size of power outage caused by attacking the most vulnerable buses with the other pure topological metrics.

First, regarding the two topological metrics δC and Δλ for comparison, we select the loaded buses with the largest δC and Δλ as two candidate sets of single-bus attacks, respectively. A third candidate set is formed by the most vulnerable buses identified by ΔEB. Note that we did not choose unloaded Bus 38 as a candidate, because it is a transmission bus serving as a transitional transformer connected by only two branches, which can cause no outage without being actually loaded.

Then, with the selected candidate sets, we simulate attacks on each candidate therein individually in the DC-CFS, and then measure the blackout size ΔP (loss of real power in MW). The validation results are shown in Table VII, where the subscripts denote the corresponding metric used to select the attack candidates. The IDs are also sorted according to ΔP, respectively. ΔEB successfully identifies Bus 80, which is the most vulnerable bus in all candidate sets, and other candidates chosen by ΔEB have greater blackout sizes than the buses picked by δC and Δλ. Moreover, among the buses chosen by N_fail from Table IV, Bus 65 ranks as the third most vulnerable victim in terms of ΔP, as shown in Table VII. With the underlying relation between ΔEB and N_fail, it is reasonable that N_fail is helpful in vulnerability measurements. However, without involving electrical parameters of buses in the system, this purely statistical metric should be regarded as an auxiliary indicator of the vulnerability or attack strength in cascading failure analysis. Finally, it is notable that none of these approaches require real-time, dynamic loading or generation information of the system. Therefore, from the attackers’ point of view, this means that they have a better chance of creating worse scenarios in the system if they choose to launch attacks on the victim candidates indicated by ΔEB. Meanwhile, from the operators’ perspective, they shall be aware that potential attackers can still locate some of the critical buses even with incomplete information of the power system dynamics.

As a summary, the validation results presented above have shown that the EB-CFS can be used to evaluate the structural vulnerability of the IEEE 118-bus power grid without the accurate knowledge of loading information on all buses. The proposed approach has shown better ability over other topological measurements to find more vulnerable and critical components in a power system, as it captures the electrical characteristics in the vulnerability measurement. This will be helpful in understanding the attacking schemes and vulnerability assessments in large scale power grids, especially when the attackers have limited access to the complete information of power systems, or do not have sufficient computing resource or manpower to obtain a thorough system state operation.

V. FURTHER DISCUSSION ON EB-CFS BASED VULNERABILITY MEASUREMENT

In this section we will cover two extended discussions on the EB-CFS in more complex scenarios. First, as we merely assumed a global tolerance factor Tol in previous simulations that leads to various capacities, it could be helpful to evaluate another assumption where the system has a uniform capacity regardless of the initial load. Then following the single-victim scenarios, we will also extend the EB-CFS based vulnerability assessment for multiple-victim attacks, in which a certain number of components are taken down simultaneously by malicious attackers.

A. Modeling of Branch Capacities

The first factor to discuss in this section is the influence of power grid modeling on cascading failure simulation and grid vulnerability assessment. In previous discussions, a global tolerance factor Tol is used as a criterion for fatal overloading in the EB-CFS. However, for transmission lines in a real power grid, it is notable that the actual branch capacities are divided into a small, finite set of categories according to the designed material and transmission requirement at the planning stage. Therefore, in this part we will discuss a more realistic setting by assuming that there is only one category of power grid capacity in the EB-CFS. In this setting, instead of simulation based on a global tolerance factor, we also modify the simulator by assigning a constant capacity to the branch extended betweenness, and re-evaluate the cascading effect under the DC-PTDF model with no other changes to the EB-CFS and the ΔEB metric.

Specifically, in the modified EB-CFS a constant capacity is defined for all branches, denoted as CAP_EB. It is calculated as the product of the greatest initial load and a corresponding pseudo-tolerance:

$$CAP_{EB} = \max_{l} \{T_0(l)\} \times Tol' \tag{7}$$

where Tol′ is a pseudo-tolerance used to obtain a global capacity CAP_EB with respect to the maximum of initial branch extended betweenness T_0(l), such that no branches will be overloaded with their initial T_0(l).

With the modifications above, the most vulnerable branches under different Tol′ become significantly different: for Tol′ = 1.0, the most vulnerable branch is Branch 108, and its ΔEB is merely 5.40%. For all Tol′ ≥ 1.1, the most vulnerable branch is always Branch 30, whose ΔEB = 10.82%. Further investigation into these two tolerance intervals showed that Branch 108 is the most vulnerable when Tol′ ≤ 1.07, while it is replaced by Branch 30 when Tol′ ≥ 1.08. The reason is that after the modification the global capacity CAP_EB is sufficiently large, so that there is no cascading failure triggered by most single-victim attacks on the 118-bus system. As a result, the majority of ΔEB are only contributed by the loss of the initial victim being attacked directly. While these most vulnerable branches in the modified EB-CFS can also be considered as the most critical components in the grid, a single global capacity is not suitable to generalize various categories of transmission line capacities in practice. As a matter of fact, both the global constant capacity and the global constant tolerance assumptions yield certain degree of simplifications of branch capacity. Since a generally accepted cascading failure model has not been established yet [10], further improvement on the modeling of capacity in EB-CFS can be helpful in understanding the complex power grid security against cascading failure threats.

B. EB-CFS Based Vulnerability Measurement for Multi-Victims

Similar to multi-contingency study in power systems, the multi-victim attack scheme is also an important extension to the application of EB-CFS. It is intuitive to design multi-victim attack schemes by combining the most vulnerable targets in single-victim cases and launching an attack on them simultaneously, which is similar to the N − k contingency analysis of branch security studies in traditional power system [21], [47], [58], but we also include an extension to bus attacks. In the EB-CFS, multi-victim attacks are implemented simply by adding additional buses or branches in a set of initial attack targets. It is notable that with 118 buses and 179 branches, the complete candidate set of 2-victim scenarios will be exploded to 6,903 for double-bus attacks and 15,931 double-branch attacks. An exhaustive search in these two sets is computationally expensive, so we have only shown simulation results of double-bus and double-branch attacks under DC-PTDF model in Table VIII. A larger step distance (ΔTol = 0.2) in the same range of Tol is also used to reduce the simulation run-time.

As shown in Table VIII, while the most vulnerable components in single-victim attacks appear in some of the most vulnerable double-victim combinations (e.g. Bus 30, 38, 65 and Branch 30, 76, respectively), it is notable that many double-victim attacks are strengthened by combining the buses ranking somewhat lower in the single-victim candidate list. For instance, under Tol = 2.0, Bus 65 ranks as the second most vulnerable among all buses with its ΔEB = 32.48%; meanwhile, Bus 24 ranks only as the 8th with its ΔEB = 15.92%. Nonetheless, attacking these two victims simultaneously results in ΔEB_{24,65} = 85.17%, which becomes the most vulnerable combination of two buses, whose final loss is significantly greater than any of the two single-victim attacks alone. These results showed that although the final impact can be strengthened by attacking more victims simultaneously, the most effective multi-victim schemes require careful and efficient selection of targets. Similar observations can also be found in another multi-victim security study with a real power system on a much larger scale [29]. However, as a hybrid model considering the electrical properties, the EB-CFS proposed in this paper is an improvement to the pure topological model in [29], which is more suitable for security analysis.

TABLE VIII. THE MOST VULNERABLE CANDIDATE SETS IN SIMULTANEOUS DOUBLE-VICTIM ATTACKS UNDER DC-PTDF MODEL

It is also notable that for buses that appear in corresponding double-bus combinations, the lowest ranking of them in single-bus attacks under corresponding Tol is merely the 9th. In other words, the most vulnerable two-bus attack candidates in this system can be found within the combined sets of the top nine most effective single-bus attacks. As a result, the most vulnerable 2-bus combination in this 118-bus system can be found within the 36 combinations of the top-9 single-bus attack victims, which is comparably smaller than the original search space of 6,903 combinations. However, in the double-branch attacks, the corresponding lowest ranking is 125, and the corresponding search space is only reduced from 15,931 to 7,750. While it is only an empirical example, we can see that attack strategies need to be further developed to make use of the information of ΔEB obtained from single-victim attacks to effectively shrink the search space of multi-victim attack candidates.

VI. CONCLUSION

This paper proposed an extended topological vulnerability assessment approach for cascading failure analysis of complex network system via a case study of power grid. By introducing the electrical property based extended betweenness, we proposed an integrated failure cascading simulator. Vulnerability measurements under selective victim attack strategies and cascading failure simulation for both bus and branch attacks were presented. To consider the complex power transmission and the power loss on transmission lines, we also developed an AC model to calculate PTDF in the extended betweenness based cascading failure analysis. Cascading failures were simulated on the IEEE 118-Bus system to evaluate structural vulnerability of the components. The influence of system tolerance and the information of run-time were also discussed to consider differences in real world applications. Simulation results were validated in a DC power-flow based cascading failure simulator to reveal its advantage compared to other topological measurements. Finally, modeling of complex power networks and multi-victim attack schemes were also discussed in the paper to reveal both the utility and the future works of the EB-CFS based vulnerability measurement for cascading failures under more complex attack schemes. Combined with the run-time information, these additional discussions will exhibit that vulnerability assessment for cascading failures needs to consider not only the complexity of cascading failure itself, but also the challenges in power grid modeling, the choice of attack strategies, and computational cost of simulations.

According to the simulation results, our extended topological approach is able to assess the vulnerability of power grid components in cascading failures with only limited knowledge of the dynamic real-time information of a power system. Based on the simulations and discussions, we conclude that our approach is not only helpful for evaluating the criticality of the components that pose the most threat to the power system; it is also useful for facilitating the understanding, defense, and protection of real-world complex network systems like power grids by further developing better strategies based on the understanding of potential selective attack threats.

For the future work, first we are aware that in our current study, the tolerance is a global constant across the power grid in simulation. Some simulation results show that the vulnerability of branches measured at a low system tolerance can vary by a large extent when the tolerance is increased dramatically. Although it is reasonable for the power transmission network in practice, the complexity indeed poses challenges to the cascading failure analysis and calls for future work to improve this model with less tolerance dependency. In addition, further development of fast multi-victim selection methods and intelligent attack strategies can also extend the utilization of the EB-CFS approach in more complex attack and defense scenarios.

REFERENCES

[1] A. E. Motter and Y.-C. Lai, “Cascade-based attacks on complex networks,” Phys. Rev. E, vol. 66, no. 6, pp. 065102-1–065102-4, Dec. 2002.

[2] P. Crucitti, V. Latora, and M. Marchiori, “Model for cascading failures in complex networks,” Phys. Rev. E, vol. 69, no. 4, pp. 045104-1–045104-4, Apr. 2004.

[3] W.-X. Wang and G. Chen, “Universal robustness characteristic of weighted networks against cascading failure,” Phys. Rev. E, vol. 77, no. 2, pp. 026101-1–026101-4, Feb. 2008.

[4] U.S.-Canada Power System Outage Task Force, “Final report on the Aug. 14, 2003 blackout in the United States and Canada: Causes and recommendations,” Power System Outage Task Force, Ottawa, Canada, Apr. 2004.

[5] S. C. Srivastava, A. Velayutham, and A. S. Bakshi, “Report of the enquiry committee on grid disturbance in northern region on 30th July 2012 and in northern, eastern & north-eastern region on 31st July 2012,” Enquiry Committee of the Ministry of Power, New Delhi, India, Tech. Rep., Aug. 2012.


[6] Y. Mo, T.-J. Kim, K. Brancik, D. Dickinson, H. Lee, A. Perrig, et al., “Cyber-physical security of a smart grid infrastructure,” Proc. IEEE, vol. 100, no. 1, pp. 195–209, Jan. 2012.

[7] S. Sridhar, A. Hahn, and M. Govindarasu, “Cyber-physical system security for the electric power grid,” Proc. IEEE, vol. 100, no. 1, pp. 210–224, Jan. 2012.

[8] X. Li, X. Liang, R. Lu, X. Shen, X. Lin, and H. Zhu, “Securing smart grid: Cyber attacks, countermeasures, and challenges,” IEEE Commun. Mag., vol. 50, no. 8, pp. 38–45, Aug. 2012.

[9] P.-Y. Chen, S.-M. Cheng, and K.-C. Chen, “Smart attacks in smart grid communication networks,” IEEE Commun. Mag., vol. 50, no. 8, pp. 24–29, Aug. 2012.

[10] M. Vaiman, K. Bell, Y. Chen, B. Chowdhury, I. Dobson, P. Hines, et al., “Risk assessment of cascading outages: Methodologies and challenges,” IEEE Trans. Power Syst., vol. 27, no. 2, pp. 631–641, May 2012.

[11] O. Kosut, L. Jia, R. Thomas, and L. Tong, “Malicious data attacks on the smart grid,” IEEE Trans. Smart Grid, vol. 2, no. 4, pp. 645–658, Dec. 2011.

[12] A. Mohsenian-Rad and A. Leon-Garcia, “Distributed Internet-based load altering attacks against smart power grids,” IEEE Trans. Smart Grid, vol. 2, no. 4, pp. 667–674, Dec. 2011.

[13] G. Hug and J. Giampapa, “Vulnerability assessment of ac state estimation with respect to false data injection cyber-attacks,” IEEE Trans. Smart Grid, vol. 3, no. 3, pp. 1362–1370, Sep. 2012.

[14] Y. Zhu, J. Yan, Y. Sun, and H. He, “Revealing cascading failure vulnerability in power grids using risk-graph,” IEEE Trans. Parallel Distrib. Syst., to be published, doi: 10.1109/TPDS.2013.2295814

[15] J. Salmeron, K. Wood, and R. Baldick, “Analysis of electric grid security under terrorist threat,” IEEE Trans. Power Syst., vol. 19, no. 2, pp. 905–912, May 2004.

[16] R. Fitzmaurice, A. Keane, and M. O’Malley, “Effect of short-term risk-aversive dispatch on a complex system model for power systems,” IEEE Trans. Power Syst., vol. 26, no. 1, pp. 460–469, Feb. 2011.

[17] I. Dobson, B. A. Carreras, V. E. Lynch, and D. E. Newman, “Complex systems analysis of series of blackouts: Cascading failure, critical points, and self-organization,” Chaos, Interdiscipl. J. Nonlinear Sci., vol. 17, no. 2, p. 026103, 2007.

[18] B. A. Carreras, D. E. Newman, I. Dobson, and A. B. Poole, “Evidence for self-organized criticality in a time series of electric power system blackouts,” IEEE Trans. Circuits Syst. I, Reg. Papers, vol. 51, no. 9, pp. 1733–1740, Sep. 2004.

[19] B. A. Carreras, V. E. Lynch, I. Dobson, and D. E. Newman, “Critical points and transitions in an electric power transmission model for cascading failure blackouts,” Chaos, Interdiscipl. J. Nonlinear Sci., vol. 12, no. 4, pp. 985–994, 2002.

[20] A. Scala, S. Pahwa, and C. Scoglio. (2012, Sep.). Cascade failures from distributed generation in power grids. arXiv preprint arXiv:1209.3733 [Online]. Available: http://arxiv.org/abs/1209.3733v2

[21] M. Eppstein and P. Hines, “A ‘random chemistry’ algorithm for identifying collections of multiple contingencies that initiate cascading failure,” IEEE Trans. Power Syst., vol. 27, no. 3, pp. 1698–1705, Aug. 2012.

[22] I. Dobson, B. A. Carreras, and D. E. Newman, “A loading-dependent model of probabilistic cascading failure,” Probab. Eng. Inf. Sci., vol. 19, no. 01, pp. 15–32, 2005.

[23] C. Ma, D. Yau, X. Lou, and N. Rao, “Markov game analysis for attack-defense of power networks under possible misinformation,” IEEE Trans. Power Syst., vol. 28, no. 2, pp. 1676–1686, May 2013.

[24] Y. Koç, M. Warnier, R. E. Kooij, and F. M. Brazier, “An entropy-based metric to quantify the robustness of power grids against cascading failures,” Safety Sci., vol. 59, pp. 126–134, Mar. 2013.

[25] Z. Chen and C. Ji, “An information-theoretic view of network-aware malware attacks,” IEEE Trans. Inf. Forensics Security, vol. 4, no. 3, pp. 530–541, Sep. 2009.

[26] V. Fioriti, M. Sforna, and G. D’Agostino, “Spectral analysis of a real power network,” Int. J. Critical Infrastruct., vol. 8, no. 4, pp. 354–367, 2012.

[27] R. V. Solè, M. Rosas-Casals, B. Corominas-Murtra, and S. Valverde, “Robustness of the European power grids under intentional attack,” Phys. Rev. E, vol. 77, no. 2, pp. 026102-1–026102-7, 2008.

[28] S. Jonnavithula and R. Billinton, “Topological analysis in bulk power system reliability evaluation,” IEEE Trans. Power Syst., vol. 12, no. 1, pp. 456–463, Feb. 1997.

[29] J. Yan, Y. Zhu, H. He, and Y. Sun, “Multi-contingency cascading analysis of smart grid based on self-organizing map,” IEEE Trans. Inf. Forensics Security, vol. 8, no. 4, pp. 646–656, Apr. 2013.

[30] R. Albert, I. Albert, and G. L. Nakarado, “Structural vulnerability of the North American power grid,” Phys. Rev. E, vol. 69, p. 025103, Feb. 2004.

[31] M. Ouyang, “Comparisons of purely topological model, betweenness based model and direct current power flow model to analyze power grid vulnerability,” Chaos, Interdiscipl. J. Nonlinear Sci., vol. 23, no. 2, p. 023114, 2013.

[32] E. Cotilla-Sanchez, P. Hines, C. Barrows, and S. Blumsack, “Comparing the topological and electrical structure of the North American electric power infrastructure,” IEEE Syst. J., vol. 6, no. 4, pp. 616–626, Dec. 2012.

[33] P. Hines, E. Cotilla-Sanchez, and S. Blumsack, “Topological models and critical slowing down: Two approaches to power system blackout risk analysis,” in Proc. 44th HICSS, Jan. 2011, pp. 1–10.

[34] P. Hines, E. Cotilla-Sanchez, and S. Blumsack, “Do topological models provide good information about electricity infrastructure vulnerability?” Chaos, Interdiscipl. J. Nonlinear Sci., vol. 20, no. 3, p. 033122, 2010.

[35] J. M. Arroyo, “Bilevel programming applied to power system vulnerability analysis under multiple contingencies,” IET Generat., Transmiss. & Distrib., vol. 4, no. 2, pp. 178–190, Feb. 2010.

[36] N. Fan, H. Xu, F. Pan, and P. Pardalos, “Economic analysis of the N-k power grid contingency selection and evaluation by graph algorithms and interdiction methods,” Energy Syst., vol. 2, nos. 3–4, pp. 313–324, 2011.

[37] E. Bompard, E. Pons, and D. Wu, “Extended topological metrics for the analysis of power grid vulnerability,” IEEE Syst. J., vol. 6, no. 3, pp. 481–487, Sep. 2012.

[38] E. Bompard, R. Napoli, and F. Xue, “Extended topological approach for the assessment of structural vulnerability in transmission networks,” IET Generat., Transmiss. Distrib., vol. 4, no. 6, pp. 716–724, Jun. 2010.

[39] E. Bompard, M. Masera, R. Napoli, and F. Xue, “Assessment of structural vulnerability for power grids by network performance based on complex networks,” in Proc. Critical Inf. Infrastruct. Security, pp. 144–154, 2009.

[40] I. Dobson, S. Greene, R. Rajaraman, L. R. C. Associates, C. L. Demarco, F. L. Alvarado, et al., “Electric power transfer capability: Concepts, applications, sensitivity, uncertainty,” PSerc Publication. vol. 3, pp. 1–34, Nov. 2001.

[41] A. J. Wood and B. F. Wollenberg, Power Generation, Operation, and Control, 2nd ed. Hoboken, NJ, USA: Wiley, 1996.

[42] M. El Choubassi and P. Moulin, “Noniterative algorithms for sensitivity analysis attacks,” IEEE Trans. Inf. Forensics Security, vol. 2, no. 2, pp. 113–126, Jun. 2007.

[43] M. El Choubassi and P. Moulin, “On reliability and security of randomized detectors against sensitivity analysis attacks,” IEEE Trans. Inf. Forensics Security, vol. 4, no. 3, pp. 273–283, Sep. 2009.

[44] R. Baldick, “Variation of distribution factors with loading,” IEEE Trans. Power Syst., vol. 18, no. 4, pp. 1316–1323, Nov. 2003.

[45] B. Stott, J. Jardim, and O. Alsac, “DC power flow revisited,” IEEE Trans. Power Syst., vol. 24, no. 3, pp. 1290–1300, Aug. 2009.

[46] E. Bompard, D. Wu, and F. Xue, “Structural vulnerability of power systems: A topological approach,” Electr. Power Syst. Res., vol. 81, no. 7, pp. 1334–1340, 2011.

[47] V. Donde, V. Lòpez, B. Lesieutre, A. Pinar, C. Yang, and J. Meza, “Severe multiple contingency screening in electric power systems,” IEEE Trans. Power Syst., vol. 23, no. 2, pp. 406–417, May 2008.

[48] W. Wang, Q. Cai, Y. Sun, and H. He, “Risk-aware attacks and catastrophic cascading failures in U.S. power grid,” in Proc. IEEE GLOBECOM, Dec. 2011, pp. 1–6.

[49] J. Yan, Y. Zhu, H. He, and Y. Sun, “Revealing temporal features of attacks against smart grid,” in Proc. IEEE PES ISGT, Feb. 2013, pp. 1–6.

[50] Y. Zhu, J. Yan, Y. Sun, and H. He, “Risk-aware vulnerability analysis of electric grids from attacker’s perspective,” in Proc. IEEE PES ISGT, Feb. 2013, pp. 1–6.

[51] U. Washington. (1999). Power System Test Case Archive [Online]. Available: http://www.ee.washington.edu/research/pstca/index.htm

[52] S. Blumsack, “Network topologies and transmission investment under electric-industry restructuring,” Ph.D. dissertation, Dept. Comput. Sci., Carnegie Mellon Univ., Pittsburgh, PA, USA, 2006.


[53] R. Zimmerman, C. Murillo-Sanchez, and R. Thomas, “Matpower: Steady-state operations, planning, and analysis tools for power systems research and education,” IEEE Trans. Power Syst., vol. 26, no. 1, pp. 12–19, Feb. 2011.

[54] X. Wang, Y. Song, and M. Irving, Modern Power Systems Analysis. New York, NY, USA: Springer-Verlag, 2008.

[55] R. Baldick, B. Chowdhury, I. Dobson, Z. Dong, B. Gou, D. Hawkins, et al., “Initial review of methods for cascading failure analysis in electric power transmission systems IEEE PES CAMS task force on understanding, prediction, mitigation and restoration of cascading failures,” in Proc. IEEE 21st Century Power Energy Soc. General Meeting Convers. Delivery Electr. Energy, Jul. 2008, pp. 1–8.

[56] M. Vaiman, K. Bell, Y. Chen, B. Chowdhury, I. Dobson, P. Hines, et al., “Risk assessment of cascading outages: Part I—Overview of methodologies,” in Proc. IEEE Power Energy Soc. General Meeting, Jul. 2011, pp. 1–10.

[57] M. Papic, K. Bell, Y. Chen, I. Dobson, L. Fonte, E. Haq, et al., “Survey of tools for risk assessment of cascading outages,” in Proc. IEEE Power Energy Soc. General Meeting, Jul. 2011, pp. 1–9.

[58] Q. Chen and J. McCalley, “Identifying high risk N-k contingencies for online security assessment,” IEEE Trans. Power Syst., vol. 20, no. 2, pp. 823–834, May 2005.

Jun Yan (S’13) received the B.S. degree in information and communication engineering from Zhejiang University, Hangzhou, China, in 2011, and the M.S. degree in electrical engineering from the University of Rhode Island, Kingston, RI, USA, in 2013, where he is currently pursuing the Ph.D. degree with the Department of Electrical, Computer and Biomedical Engineering. His research interests include smart grid security analysis, cyber physical systems, cyber security, computational intelligence, and machine learning. He is with the Laboratory of Computational Intelligence and Self-Adaptive Systems.

Haibo He (SM’11) received the B.S. and M.S. degrees in electrical engineering from the Huazhong University of Science and Technology, Wuhan, China, in 1999 and 2002, respectively, and the Ph.D. degree in electrical engineering from Ohio University, Athens, in 2006. From 2006 to 2009, he was an Assistant Professor with the Department of Electrical and Computer Engineering, Stevens Institute of Technology, Hoboken, NJ, USA. He is currently the Robert Haas Endowed Professor of electrical engineering with the University of Rhode Island, Kingston, RI, USA.

His research interests include smart grid, cyber security, cyber physical systems, adaptive dynamic programming, machine learning, and computational intelligence and applications. He has published one research book (Wiley), edited one research book (Wiley-IEEE) and six conference proceedings (Springer), and authored or coauthored over 120 peer-reviewed journal and conference papers. His research has been covered by national and international media, such as the IEEE SMART GRID NEWSLETTER, The Wall Street Journal, and Providence Business News. Currently, he is an Associate Editor of the IEEE TRANSACTIONS ON NEURAL NETWORKS AND LEARNING SYSTEMS and IEEE TRANSACTIONS ON SMART GRID. He was a recipient of the IEEE Computational Intelligence Society Outstanding Early Career Award in 2014, the National Science Foundation CAREER Award in 2011, and Providence Business News Rising Star Innovator Award in 2011.

Yan (Lindsay) Sun received the B.S. (Hons.) degree from Peking University in 1998 and the Ph.D. degree in electrical and computer engineering from the University of Maryland in 2004. She joined the University of Rhode Island in 2004, where she is currently an Associate Professor with the Department of Electrical, Computer and Biomedical Engineering. Dr. Sun’s research interests include cyber security, trustworthy cyber-physical systems, and network security. She is an Elected Member of the Information Forensics and Security Technical Committee from the IEEE Signal Processing Society. She has been an Associate Editor of Signal Processing Letters since 2013 and Inside Signal Processing eNewsletter since 2010. She coauthored the book Network-Aware Security for Group Communications (Springer, 2007). Dr. Sun was a recipient of the National Science Foundation CAREER Award in 2007 and the Best Paper Award from the IEEE International Conference on Social Computing in 2010.