Revealing Cascading Failure Vulnerability in Power Grids Using

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TPDS.2013.2295814, IEEE Transactions on Parallel and Distributed Systems

1 Revealing Cascading Failure Vulnerability in Power Grids using Risk-Graph Yihai Zhu, Student Member, IEEE, Jun Yan, Student Member, IEEE, Yan Sun, Member, IEEE, and Haibo He, Senior Member, IEEE,

Abstract—Security issues related to power grid networks have damage [1]. For example, the well-known Northeast blackout attracted the attention of researchers in many fields. Recently, in 2003 affected 55 million people and caused an estimated a new network model that combines complex network theories economic loss between $7 billions and $10 billions [2]. with power flow models was proposed. This model, referred to as the extended model, is suitable for investigating vulnerabilities in Large-scale power outage is often caused by cascading power grid networks. In this paper, we study cascading failures of failure. A cascading failure refers to a sequence of dependent power grids under the extended model. Particularly, we discover events, where the initial failure of one or more components that attack strategies that select target nodes (TNs) based on (i.e. substations and transmission lines) triggers the sequential load and degree do not yield the strongest attacks. Instead, we failure of other components [3], [4]. Triggers of the initial propose a novel metric, called the risk graph, and develop novel attack strategies that are much stronger than the load-based failures can be natural damage (e.g. the fall of trees), aging and degree-based attack strategies. The proposed approaches equipment, human errors, software and hardware faults, and so and the comparison approaches are tested on IEEE 57 and on. Within recent years, power grids are facing new threats, 118 bus systems and Polish transmission system. The results e.g. cyber-physical attacks [5], [6]. Therefore, malicious at- demonstrate that the proposed approaches can reveal the power tacks become new and potential triggers of cascading failures. grid vulnerability in terms of causing cascading failures more effectively than the comparison approaches. Many existing works have been proposed to investigate the vulnerability of power grids from the attack perspective. Index Terms—Power grid, Extended model, Cascading failure, Important challenges, however, still remain. First, developing Security, Attack, Risk graph reasonable models that can mimic cascading failures in reality NOMENCLATURE is still a critical challenge. In current literatures, there are α System Tolerance three popular models, pure topological models [7]–[9], pure M The number of target nodes power flow models [4], [10] and hybrid models [11]–[13]. M Each category has its own advantages and disadvantages. NASdegree Degree-based Node Attack Strategy M Second, finding stronger malicious attack strategies is one of NASES Exhaustive Search Node Attack Strategy M the key ways to investigate cascading failures. Although the NASload Load-based Node Attack Strategy M exhaustive search approach can yield the best attack from the NASriskgraph Riskgraph-based Node Attack Strategy NASM Reduced Search Space Node Attack Strategy attack performance point of view, it is sometimes computa- RSS tionally infeasible in practice [9]. Thus, practical and efficient OCF Sor The time of launching CFSor once AIGL Average Inverse Geodesic Length attack strategies need to be found. Finally, attackers might CFSor Cascading Failure Simulator have different knowledge of power grids, such as topological CL Connectivity Loss structures, electric features and real-time information. Under NAS Node Attack Strategy different levels of knowledge, attackers may adopt different NIRG Node Integrated Risk Graph attack strategies. NRG Node Risk Graph In this paper, we do not tackle the first challenge. Instead, extended model PoDN Percentage of Drop in Netability we choose a hybrid model, called the . Al- PTDFs Power Transfer Distribution Factors though hybrid models [11], [13] have been adopted to study RG Risk Graph the vulnerability of power grids, few existing studies have RRCS Round Recommended Combination Set discussed how cascading failures occur under hybrid models. cascading failure simulator TNs Target Nodes A reasonable (CFSor) under the extended model will be introduced. To address the second challenge, we study the node attack I.INTRODUCTION strategy (NAS) under the extended model to address how OWER grid is considered as one of the most signifi- to find stronger attacks. In this paper, an attack means an P cant infrastructures on the Earth. Within recent decades, attacker knocks down one or more nodes (i.e. substations). several large-scale power outages around the world seriously These removed nodes are referred to as target nodes (TNs). affected the livelihood of many people and caused great From the attacker’s point of view, attackers need to carefully choose a few TNs, aiming to maximize the damage. the The authors are with the Department of Electrical, Computer, and Biomed- ical Engineering, University of Rhode Island, Kingston, RI, 02881 USA(e- node attack strategy describes how the attacker chooses TNs. mail: {yhzhu,jyan,yansun,he}@ele.uri.edu) In addition, a stronger attack means that the initial removal

1045-9219 (c) 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information. This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TPDS.2013.2295814, IEEE Transactions on Parallel and Distributed Systems

of the TNs could yield larger percentage of drop in net- distribution factors (PTDFs). More discussions about existing ability (PoDN), which will be discussed in Section III-D. If cascading failure models are given in Section I in [16], the the attacker knows everything about a power grid and can supplementary file of this paper. model how cascading failures occur, the exhaustive search Different models have different advantages and disadvan- node attack strategy can yield the most serious damage. The tages. First, although pure topological models are useful to exhaustive search, however, is often not practical due to its develop malicious attack strategies, the related concepts and huge search space on a large-scale, even moderate-scale, power metrics are far from the physical characteristics of power grids. grid networks. Instead, we propose a reduced search space Thereby, these models are far from reflecting the fundamental node attack strategy or RSS node attack strategy in short. behaviors of cascading failures. Second, pure power flow The RSS node attack strategy can sharply reduce the search models are more accurate to reveal vulnerability of power space and achieve comparable attack performance to that of grids, and are mainly used to assess the security and reliability the exhaustive search node attack strategy. of power grid networks [10], [17]. However, a detailed analysis We also investigate the third challenge. To adopt the pro- of large-scale power grid is usually computationally expensive posed RSS node attack strategy, an attacker needs to know due to its complexity, nonlinearity, and dynamics [4]. Finally, the topology of power grid networks, as well as the system the extended model in [13] is a new angle in modeling tolerance factor that is defined as the capacity divided by the cascading failures. The power distribution under the extended initial load of a node. In practice, such tolerance factors may model is based on PTDFs [12]. Thus, the extended model not be known to attackers. Therefore, as the third task of this is more accurate than pure topological models in terms of paper, we investigate attack strategies under the assumption studying cascading failures. In addition, the calculation of that an attacker does not know the tolerance factors. We PTDFs is less complex than the detailed analysis of power propose a novel metric, called the risk graph (RG), to show the flows in a power grid [18]. That is, the extended model is less criticality of important nodes in a grid network and the hidden complex than pure power flow models. relationship among them. Using the risk graph, we develop When discussing about malicious attack strategies, we as- the riskgraph-based node attack strategy. The riskgraph-based sume that attackers might have certain information of power node attack strategy is conducted on IEEE 118 bus system and grid networks, such as topological structures, electric fea- Polish transmission system, and compared with the load-based, tures, and system tolerances. For instance, the topological the degree-based and the proposed RSS node attack strategies. structure information can be purchased from companies (e.g. The simulation results demonstrate the surprising strength of Platts [19]), the electric features, such as impedance, can be the riskgraph-based approach even if an attacker has limited estimated based on the topological information. The system knowledge of power grids. tolerances of real power systems are hard to be clearly known The paper is structured as follows. The related work is by attackers due to various reasons [7]–[9]. Thus, the attack presented in Section II. In Section III we set up the cascading strategies in prior studies can be divided into two categories: failure simulator under the extended model. In Section IV we unknown system tolerance, e.g. degree, load, RIF and LVD, describe the reduced search space node attack strategy, risk and known system tolerance, e.g. PoF and the exhaustive graph, and the riskgraph-based node attack strategy in detail. search approach. The more information attackers know about In Section V, the details of simulation and observation are power grids, the stronger attacks they might find. made. Finally, discussions and conclusions are provided in Section VI. III.THE EXTENDED MODELFOR CASCADING FAILURES ANALYSIS IN POWER GRIDS

II.RELATED WORK A. Network Topology Generally speaking, a power grid composes of substations In this paper, we study node attack strategies under the (e.g. generators, transmission and distribution substations) and extended model considering two scenarios: attackers know or transmission lines. In this paper, we model the power grid do not know the system tolerance factor. We briefly summarize network as a directed graph, G = {B,L}, where B is the existing works as follows. set of nodes (i.e. substations) and L is the set of links (i.e. In the current literature, from the attack perspective, there transmission lines). We put all generators and all distribution are three prevailing models in studying cascading failures, substations into different sets G and D, respectively, where pure topological models, pure power flow models and hybrid G ⊆ B and D ⊆ B. In addition, N , N , N and N are models. Pure topological models [7], [8] are rooted in complex B L G D used to represent the number of nodes, links, generation nodes network theories, and useful to develop strong attack metrics, and distribution nodes, respectively. e.g. degree and load in [14], percentage of failure (PoF) and risk if failure (RIF) in [9], and load distribution vector (LDV) in [15]. Originating from circuit theories, e.g. Kirchoff’s and B. Introduction of the Extended Model Ohm’s Laws, pure power flow models provide the fundamental The extended model was originally established in [12], insights and understanding of cascading behaviors. Recently, [13]. The introduction of the extended model and comparisons hybrid models [11], [13] are proposed to investigate the vulner- among different models can be found in Section II in [16]. We ability of power grids by combining complex network theory briefly summarize three important concepts about the extended with basic features of power systems, e.g. power transmission model as follows.

1) PTDFs: Power Transfer Distribution Factors (PTDFs) the cascading failures process till it stops; (3) measuring the can represent the sensitivity of power flow change in damage using assessment metrics. A similar CFSor under the each transmission line for power injection/withdrawal extended model can be found in our previous work [20]. at a pair of nodes [12], [18]. In reality, power is only transmitted from generation nodes to distribution nodes. D. Assessment Metric Under the extended model, power flow on links is In this paper, the primary assessment metric is percentage considered to be caused by the node pairs that one node of drop in net-ability (PoDN), which is defined as follows. is generator and the other node is transmission node. 0 2) Extended Betweenness: The link extended betweenness E(G) − E(G ) η = (1) is the summation of power flows caused by each E(G)

generation-distribution-node pair. The node extended 0 betweenness is defined as the summation of extended where E(G) and E(G ) represents the net-ability of power betweenness on links that connect to a node. The ex- grids before and after the occurrence of cascading failures. tended betweenness is adopted as the load definition of The larger η is, the stronger the attack is. nodes/links in this paper. The second and third assessment metrics are average inverse 3) Net-ability: For a grid network G, the net-ability, de- geodesic length (AIGL) [21] and connectivity loss (CL) [22]. noted by E(G), is defined as 1 P P Pgd , Geodesic length is the shortest path between a pair of nodes NGND g∈G d∈D Zgd where Pgd represents power injection limitation and Zgd in a graph [21]. When a pair of nodes are in different subnets, represents the impedance between the generator g and the geodesic length between this pair is ∞ (i.e. infinity). the distribution node d. Net-ability is the measure to The metric AIGL, denoted by `−1, is defined as `−1 = 1 P P 1 , where B is the node evaluate how well a power grid supplies power [12]. NB (NB −1) ni∈B nj 6=ni∈B d(ni,nj ) set and d(ni, nj) is the geodesic length between ni and nj. C. Cascading Failure Simulator under the Extended Model The metric CL represents the connectivity between generators and distribution nodes in a power grid. The definition of CL k In the current literature [7]–[9], cascading failure simulators NG k is 1 − h i , where NG is the number of generators and N (CFSors) under pure topological models are well established. NG k G is the number of generators connected to the distribution node However, few researchers have conducted in-depth study on k. The averaging, h•i, is done over all surviving distribution cascading failures under the extended model. In this sub- nodes after cascading failure. Referring to AIGL, the smaller section, we setup the CFSor under the extended model by `−1 represents the stronger attack, while by using CL a introducing several important concepts as follows. stronger attack is with larger CL. • Load: We employ the extended betweenness as the definition of load. During cascading failures, the grid network IV. ATTACK STRATEGIES UNDER THE EXTENDED MODEL is often broken into more than one subnets after several In this section, we investigate malicious attack strategies rounds. At round t, the load of node i, or ni, is denoted by discussing node attack strategy (NAS). The similar link by An (t), and is updated by recalculating the extended i attack strategy (LAS) is introduced in Section III in [16]. betweenness of ni in the subnet that contains ni. In this From the attack perspective, the biggest challenge is to find paper, the load of a node (e.g. ni) before an attack is the attacks that can cause larger damage. In the context of called the initial load of ni and denoted by An . i studying cascading failures, an attacker’s goal is to identify a • Capacity: The capacity of ni, denoted by Cn , is the i set of TNs, whose simultaneous failures could yield as large maximum amount of load that ni can carry. PoDN as possible. • Overloading: When the load of a node exceeds its capacity, the overloading will occur. Under the extended model, the overloaded nodes are assumed to be removed A. Complexity Measure of Attack Strategies from the power grid network immediately. In this paper, the complexity analysis of different attack • System tolerance: The system tolerance, α (α > 1), is the strategies is based on the size of search space for each attack parameter describing the relationship between the initial strategy. In order words, it is the calculation of how many load of a node and its capacity. For example, the capacity times an attack strategy needs to launch CFSor before finding of ni is assumed to be α = Cni /Ani [7]. In general, we its best attack. O(CF Sor) is adopted to represent the time assume α values for all nodes are the same, and calculate of launching CFSor once and as the unit to compare the

the capacity as Cni = α × Ani . complexity of different attack strategies. Theoretically, it is • Load redistribution: When the topology of a grid network very hard to precisely analyze the computational complexity changes due to the removals of nodes, the load on of CFSor, due to different power grid network sizes, network nodes will be redistributed by recalculating the extended topologies, system tolerances, attack strategies, and so on. betweenness for all surviving nodes. If the entire grid However, the network size and topology are the major factors. network is broken into more than one subnets, the calcu- For instance, in order to compute the extended betweenness, lation will be conducted in each subnet separately. CFSor needs to examine each pair of generation-distribution The CFSor under the extended model includes three parts: nodes. For each pair, it needs to determine the sensitivity (1) initializing the CFSor and removing the TNs; (2) starting value of each link. Roughly speaking, assume there are NG

TABLE I generators, ND distribution nodes, and NL links in a grid THE TARGET NODE COMBINATIONS OF THE TOP-TEN STRONGEST ATTACK M network. The number of sensitivity values needed to be OF NASES ON IEEE 118 BUSSYSTEM, WHERE M=1,2,3 AND α = 1.5. computed is close to NG × ND × NL. After obtaining all NAS1 NAS2 NAS3 Index ES ES ES sensitivity values, summation operation is performed for each TNs PoDN(%) TNs PoDN(%) TNs PoDN(%) 1 65 64.5 30,68 81.3 30,65,80 88 node, in order to obtain the extended betweenness (i.e. load) 2 38 55.7 30,80 79.2 30,65,96 87.8 for all nodes. The above operation is performed in each 3 68 52.9 30,65 77.9 30,68,96 87.2 4 30 48.2 65,69 77.8 30,68,94 86.8 round of cascading failure. From the above discussion, we can 5 80 46.7 38,68 77.4 30,68,103 86.2 see that it is very difficult to have a closed-form expression 6 81 42.3 38,80 77.1 38,69,94 85.9 7 77 33.4 38,69 76.1 30,65,94 85.5 of O(CF Sor), because it depends on the network size and 8 49 31.1 17,65 76.1 38,69,96 85.2 topology, as well as how a cascading failure occurs. We do 9 64 30.8 38,77 75.9 30,66,68 85.2 10 17 30.6 30,81 75.3 30,68,92 85 not address how to reduce the computation complexity of CFSor itself. Instead, we focus on analyzing the complexity of different attack strategies based on the number of times power grid networks are often much bigger than IEEE 118 launching CFSor before making decision. For instance, if an bus system. Even if parallel computing is available, adopting M M NAS on large-scale networks is still impractical. attack strategy needs to launch (NB) times of CFSor in ES order to find its best attack, the complexity of this attack (N )M × O (N )M strategy is B (CF Sor), or B in short. D. Reduced Search Space Node Attack Strategy It is the goal to develop practical attack strategy in this B. Load-based and Degree-based Node Attack Strategies paper. Although the exhaustive search is often infeasible, it In this subsection, we introduce the well-studied load-based is still doable at small M values on the moderate-scale grid and degree-based approaches [9], [21]. The load of a node network, and can provide some useful insights. We conducted is defined as the node extended betweenness, discussed in M experiments on IEEE 118 bus system by using NASES, where Section III-B, while the degree of a node is defined the number M is set to be 1, 2 and 3 and α is set to be 1.5. The node of the links connecting to this node [21]. When an attacker combinations of the top ten strongest attacks are shown in aims to knock down M target nodes (TNs), the load-based Table I. M and degree-based node attack strategies, denoted by NASload M There is a helpful observation made from Table I. For and NASdegree, respectively, are shown as follows, 2 instance, in NASES, at least one TN in the two-node combi- * NASM : Choose nodes with the top M largest load 1 load nation is from the TNs of the top ten attacks in NASES. In values as TNs. 3 NASES, all three-node combinations contains the two-node * NASM : Choose nodes with the top M largest degree 2 degree combinations that in NASES. In Table I, the highlighted nodes values as TNs. or node combinations illustrate such observation. M M M Let Cdegree and Cload denote the complexity of NASdegree This observation is easy to understand. If a M-TN combi- M and NASload. Because these approaches do not need to launch nation can result in severe damage to a power grid, adding M M CFSor before selecting TNs. Both Cdegree and Cload are 0. another TN to this combination will most likely be a strong attack. It is important to point out that the new (M+1)-TN M+1 C. Exhaustive Search node Attack Strategy combination may not be the strongest attack of NASES . However, as long as the resulted PoDN is large enough, the For an attacker, the strongest node attack strategy is no new combination will be a strong attack of NASM+1. doubt the exhaustive search. The exhaustive search NAS is ES Inspired by the above discussions, we propose a novel denoted by NASM and conducted below, ES search based attack strategy, called reduced search space M * NASES: Find the M TNs, whose simultaneous failure attack strategy or RSS attack strategy in short, which can yields the largest PoDN under a given α. be applied to both nodes and links. The RSS node attack Let CM denote the complexity of NASM . Theoretically, M ES ES strategy is denoted by NASRSS. Before discussing in detail the complexity is, M about the algorithm procedure of NASRSS, we need to give N some explanations. First, the procedure of searching TNs is CM = B × O (2) ES M (CF Sor) an iterative process, which includes one initial round and M − 1 successive rounds. Second, the criticality of a node NB NB (NB −1)×···×(NB −M+1) M where M = M! . Therefore, CES is combination (or a node) is determined by PoDN. The larger M the same order as (NB) , which increases as a power function the PoDN is, the more critical the node combination is. Third, th with NB and explodes as an exponential function with M. in each iterative round, e.g. m round (1 ≤ m ≤ M), The exhaustive search is very time-consuming, and often the top R critical combinations are chosen as the round m computationally infeasible. Numerically, take IEEE 118 bus recommended combination set (RRCS), denoted by SRRC . system as an example. Running CFSor once on IEEE 118 bus Those combinations are used to find the strong attacks in system needs an average time of 0.06 second by using Matlab (m + 1)th round. Finally, there are two important parameters, M under Window 7 OS with 4 GB memory and dual-core i5 CPU P and R, of NASRSS. The parameter P is adopted to control 118 (2.4GHz each). The time for simulating 5 = 174, 963, 438 the size of candidate node set, denoted by SC ; the parameter m node combinations is roughly 4 months. Note that, the real R is used to control the size of SRRC .

Procedure 1 M M Initialize the iterative process and obtain the TN Procedure 3 Find TNs for NASRSS under given SRRC 1 for NASRSS M 1: There are R node combinations in SRRC . The nodes in the combination 1: Set up a system tolerance, e.g. α = 1.5, and initialize a vector x with all M that can cause the largest PoDN are the TNs for NASRSS . values as 0. 2: //The indices of nodes are consecutive from 1 to NB . 3: for i = 1 : NB do 4: Conduct one-node attack by knocking down node i under given α. NASM Calculate the PoDN after the cascading failure and set the value of xi can analyze a much bigger network than ES. In other M M as the corresponding PoDN value. words, NASRSS scales much better than NASES. Further- 5: end for 1 more, we can adjust the parameters P and R to achieve a good 6: Choose the node with the largest PoDN in x as the TN for NASRSS . 7: Choose the nodes with the top P largest PoDNs in x as candidate nodes, balance between the complexity and the attack performance. M M and put them into SC . For example, suppose NASES and NASRSS are both tested 8: Choose the nodes with the top R largest PoDNs in x as the 1st round 1 on IEEE 118 bus system, where M = 5 for both schemes, and recommended combination, and put them into SRRC . M 5 NB = 118, P = 118, R = 16 for NASRSS. NASES needs to launch 174, 963, 438 times of CFSor and its calculation probably needs four months; whereas NAS5 only needs Procedure 2 Find the Sm+1 under given Sm RSS RRC RRC to launch 7, 670 times of CFSor, which needs 7.8 minutes. 1: Perform the Procedure 1, and obtain S . C The improvement about the complexity of NASM is a big 2: Initialize a candidate combination set, SCC , and a vector y with all values RSS M as 0. step. Second, the performance of NASRSS is comparable to 3: //Construct the candidate combinations in (m + 1)th round. M that of NASES, which will be shown in Section V. Finally, 4: for i = 1 : R do M th m during the procedures to find the best attacks, NAS keeps 5: Get the i node combination in SRRC , denoted by Ci. RSS 6: for j = 1 : P do the track of the round recommended combination set, which th 7: Get the j candidate node in SC , denoted by nj . is useful to construct the risk graph. The details of the risk 8: Combine C and n to get a new candidate combination, and put it i j graph will be discussed in subsection IV-F. into SCC . 9: end for 10: end for E. Limitations of Reduced Search Space Attack Strategy 11: //Conduct multi-node attack for each candidate combination in SCC . th M 12: for k combination in SCC do Although NAS can sharply reduce the complexity of th RSS 13: Conduct multi-node attack by knocking down all nodes in the k NASM and reach comparable attack performance, which will combination under given α. Calculate the PoDN when CFSor stops, ES and set y to the corresponding PoDN. be discussed in Section V-A, it still has limitations. k M 14: end for First, NASRSS relies on the system tolerance (α). As 15: Choose the candidate combinations with the top R largest PoDNs in y shown in Procedure 1, if attackers adopt NASM to launch as the (m + 1)th round recommended combination, and put them into RSS m+1 attacks, they must first estimate the system tolerance. In reality, SRRC . system tolerances of power grids are rarely known by attackers due to various reasons, e.g. security concerns. Furthermore, although many existing works assume that the capacity of a There are three procedures working together to select TNs node is defined as the initial load multiplying α, and assume M for NASRSS. Procedure 1 shows the steps to obtain the TNs that α is the same for all nodes, these assumptions could be 1 for NASRSS. When M = 1 (launching one-node attack), over-simplifying the case. The nodes in a power grid surely can attackers only need to use Procedure 1, without considering have different tolerance factors. It is surely not an easy task for the other two procedures. When M > 1 (launching multi-node an attacker to estimate the tolerance factors for all nodes in a attack), attackers need to first use Procedure 1 to initialize the power grid. Therefore, from the attack point of view, requiring iterative process, then use Procedure 2 to complete the iterative the knowledge of system tolerance is a drawback. M M process, and finally use Procedure 3 to find TNs for NASRSS. Second, although NASRSS has greatly reduced the com- M M Let CRSS denote the complexity of NASRSS. Searching plexity, it is still a search based approach and not suitable M st TNs for NASRSS is performed in M rounds. In the 1 round, for real-time attacks. For example, if an attacker knows that a th Procedure 1 needs to run CFSor NB times. In m round few substations are currently down due to some reasons, e.g. (2 ≤ m ≤ M), Procedure 2 needs to run CFSor P × R times. a winter storm, the attacker wants to determine TNs in this Therefore, the theoretical complexity is, situation and launch an attack. Similarly, the defense side may

M also want to know the vulnerability of the power grid network CRSS = {P × R × (M − 1) + NB} × O(CF Sor) (3) in this situation. Recall that the worst case of the complexity M 2 where P and R are set to limit the search space. At the worst of NASRSS is M × (NB) , which is still much higher than M M M 2 0 of NASdegree and NASload, discussed in Section IV-B. case, when P = R = NB, CRSS equals to (M − 1) × (NB) , 2 M Further reduction in the complexity of NASM is desirable. the same order as M × (NB) . Therefore, CRSS increases as RSS In summary, a practical real-time attack strategy should have a power function with NB and increases linearly with M. M two features: fast and not depending on system tolerances. From the above discussions, we know that NASRSS has M M three advantages. First, compared with NASES, NASRSS M F. Construction of Risk Graph has sharply-reduced complexity (or search space). CRSS is 2 M approximate to M ×(NB) , which is much lower than (NB) Is it possible to obtain an attack strategy without knowing M M of CES. Given the available computing resources, NASRSS the information of system tolerances? We ﬁnd the “relation-

TABLE II ship” among nodes in a power grid and can conduct strong AN REALIZATION OF RRCS ON 118 BUSSYSTEM. 1 2 3 4 5 6 attacks based on such relationships. This is particularly useful SRRC SRRC SRRC SRRC SRRC SRRC to choose multiple TNs. In this subsection, we propose a 65 68,30 30,80,65 38,69,96,17 38,69,96,17,103 38,69,96,17,103,66 38 30,80 65,30,96 38,69,94,17 38,69,94,17,103 30,80,65,94,11,56 novel metric, called the risk graph (RG), to describe such 68 65,30 68,30,96 30,80,65,94 38,69,96,17,66 38,69,94,17,103,83 relationship. Here, we demonstrate the procedure of building 30 65,69 68,30,94 30,80,65,96 38,69,96,17,23 38,69,96,17,66,92 80 38,68 68,30,103 38,69,94,30 30,80,65,94,11 30,80,65,94,11,103 the risk graph for nodes, called the node risk graph (NRG). 81 38,80 38,69,94 30,80,65,103 38,69,96,17,92 38,69,94,17,103,82 In the procedures to search the strongest attack for 77 38,69 65,30,94 68,30,94,66 38,69,96,17,105 38,69,96,17,66,94 M 49 65,17 38,69,96 38,69,96,30 38,69,96,17,94 38,69,94,17,103,98 NASRSS, we keep a track of the top R strongest node 64 38,77 68,30,66 30,80,65,92 38,69,94,17,89 30,80,65,94,11,54 combinations in each round, called RRCS and denoted by 17 30,81 68,30,92 30,80,65,89 30,80,65,94,7 30,80,65,94,7,56 1 2 M 96 65,80 68,30,80 38,69,94,5 30,80,65,96,11 38,69,94,17,98,66 SRRC ,SRRC , ..., SRRC . One realization of the RRCS are 94 68,17 65,30,103 68,30,96,63 38,69,94,17,98 38,69,94,17,99,66 shown in Table II, from which we have basic observations. 63 65,96 65,17,80 68,30,96,66 38,69,94,17,83 30,80,65,96,11,56 8 65,38 65,17,96 65,30,96,68 38,69,94,17,97 38,69,94,17,103,66 First, several nodes, e.g. nodes 30, 38, 68, 65 and 80, appear 100 38,81 65,69,96 65,30,96,81 30,80,65,94,103 30,80,65,94,103,56 more frequently than others. Second, several node combina- 37 65,37 30,80,64 68,30,96,11 38,69,94,17,99 30,80,65,94,11,105 tions, e.g. {30, 68}, {38, 69, 96}, happen frequently. These observations demonstrate there probably are some fixed node II, is shown in Fig. 1(a). The size and color of a vertex is combinations, the failure of which may seriously threaten decided by its VOF. And the width and color of an edge is the safety of the power grid. Studying these fixed node determined by its EOF. The bigger (wider) and redder of a combinations or the relationship among nodes is helpful to vertex (or an edge), the larger its VOF (EOF). find strong malicious attack strategy. There are two important factors affecting the construction To demonstrate such relationship of nodes, we construct of risk graphs, the system tolerance (α) and the parameters M (P and R). The former is the major factor and the latter is NRG according to the intermediate results of NASRSS under a given system tolerance. Furthermore, we merge single NRGs the minor factor. Different values of the parameters, P and R, under different system tolerances into an node integrated risk may slightly change the nodes in the RRCS; whereas different graph (NIRG) to describe such relationship among nodes. If values of the system tolerance, α, could probably lead to major several nodes are closely related in NIRG, their combination changes of nodes in the RRCS. In other words, single risk is expected to cause severe damage to the power grid network. graphs are sensitive to the system tolerance. Next, we describe the procedure of constructing single NRG Risk Graph Additivity: The risk graphs constructed under under a given system tolerance value α. different system tolerances of the same power grid network are additive. If two NRGs are added together, the vertices and α * Step 1: Given an , performing the procedures of edges in the new NRG are obtained as, (1) all vertices in the NASM S1 , ..., SM RSS and obtain RRC RRC . two NRGs will be in the new NRG, and the VOF of vertices in * Step 2: Examine those sets (an example is shwon in Table the new NRG is calculated as either adding the corresponding II), and find how many times a node appears in such sets. VOF of the vertex in the two NRGs, if the vertex appears in If a node appears at least once, this node becomes a vertex both NRGs; or keep its own VOF, if it just appears in one vertex of the risk graph. In addition, each vertex has a NRG; (2) for edges, the procedure is the same as vertices. occurrence frequency (VOF), defined as the number of By adding single NRGs, we can obtain NIRG. As discussed the corresponding node appears in those sets. above, single NRG is sensitive to α, while the NIRG is more Step 3 * : Add an edge between each pair of vertices and robust in terms of reflecting the relationship between candidate assign the weight of this edge as zero. The edge weight nodes. Based on prior knowledge and construction restrictions edge occurrence frequency is referred to as the (EOF). of power grids [7], [8], the range of the system tolerance is Step 4 Sk * : Examine the node combinations in each RRC set to be 1 < α ≤ 2. Without losing the generality, the NIRG k = 1, 2, ··· ,M i ( ). If a pair of nodes, say node and node here is generated by adding 20 NRGs, where α is from 1.05 j m , appears in the combination with nodes, increase the to 2 with an interval 0.05. The NIRG of IEEE 118 bus system EOF of the edge between node i and j by adding 2 . m(m−1) is shown in Fig. 1(b). For example, for the combination {30, 80, 65}, we increase the EOF of three edges, edge30−80, edge80−65, edge30−65, by 1/3. If the pair of nodes appear in more G. Risk-Graph Based Node Attack Strategy than one node combinations, the final EOF of the edge The NIRG provide a good way to find stronger attack between this pair of nodes is to summarize all EOF values strategy, which is not sensitive to system tolerances. Suppose from the combinations this pair of nodes are in. For attackers have already had the NIRG of a power grid, they can another example, assume nodes 30 and 80 appear simul- launch node attacks as follows, taneously in {30, 80}, {30, 80, 65} and {30, 80, 65, 94}, M * NASriskgraph: The riskgraph-based node attack strategy. the EOF of edge30−80 is 1 + 1/3 + 1/6 = 3/2. If M equals 1, select the node with the largest VOF * Step 5: Remove the edges having EOF values as zero. 1 in the NIRG as the TN for NASriskgraph. Otherwise, * Step 6: Remove the vertices that are not connected with we choose the M nodes from the NIGR as the TNs 1 other vertices. This occurs when some nodes are in SRRC M for NASriskgraph by meeting two requirements. First, but not in other round recommend combination sets. each pair of nodes should have a direct edge in the M(M−1) A NRG of IEEE 118 bus system, built directly from Table NIGR. In total, there are 2 edges among these

TABLE III THE SUMMARY OF DIFFERENT NODE ATTACK STRATEGIES Attack NASM NASM NASM NASM NASM Strategy degree load riskgrph RSS ES 2 M O(CF Sor) 0 0 0 M × (NB ) (NB ) Effectiveness Low Low High High High System No No No Yes Yes tolerance

V. SIMULATION RESULTS In this section, the simulations and observations are presented in detail. The simulation experiments are conducted in Matlab, including the setup of power grid network, PDTFs calculation and the process of CFSor. The proposed attack (a) Node Risk Graph (b) Node Integrated Risk Graph strategies are tested on the well-known IEEE 57 and 118 Fig. 1. The node risk graphs on IEEE 118 bus system. The parameters of bus systems [24], and Polish transmission system [18]. The NASM are set to be P = N , R = 16 and M = 6; for (a) α = 1.5, RSS B details of the three benchmarks are listed in Table IV. Here, for (b) α is from 1.05 to 2 with an interval of 0.5. Figures are visualized by Gephi [23]. we will give our major experiment results and observations, and additional results are given in Section IV in [16].

TABLE IV M chosen nodes. Second, the summation of all EOF of THE SUMMARY OF DIFFERENT TEST BENCHMARKS. M(M−1) Test Benchmarks NB NL NG ND those 2 edges is the largest among these of all other M nodes selections. In other words, we select the IEEE 57 bus system 57 80 7 42 IEEE 118 bus system 118 179 54 99 M TNs, whose summation of EOF is maximal. Polish transmission system 2383 2896 327 1817

Although the nodes with large VOF often have more impact on the power grid, their combination does not necessarily yield A. Performance Comparisons between the Exhaustive Search strong attacks. For instance, in Fig. 1(b) the vertices marked NAS and the Reduced Search Space NAS with labels as 17 and 30 are important candidate nodes, which In this subsection, the proposed RSS node attack strategy, have large VOF values and are represented by bigger circles. NASRSS, is compared with the exhaustive search node attack However, there is no direct edge between them. This means strategy, NASES. Both node attack strategies are tested on the node combination {17, 30} is not a strong two-node attack. IEEE 57 bus system. Due to the huge search space of the M M Therefore, the basic idea of NASriskgraph is to find the exhaustive search, we conducted experiments for NASES M set of M nodes with the strongest connection. The rationale with M ≤ 5. The maximum M for NASRSS is set to 6. M M behind the first requirement is to avoid including nodes that The comparisons between NASES and NASRSS are shown never appear together in any node combinations in RRCS. The in Fig. 2. In the subplots, x-axis represents the number of rationale behind the second requirement is to choose the nodes, TNs (M), while y-axis represents PoDN, AIGL, and CL, whose pair combinations appear most frequently in RRCS. respectively. In each subplot, the solid blue-hexagram curves NASM Let CM denote the complexity of NASM . represents ES, and the dashdotted red-plus curves rep- riskgraph riskgrph resents NASM . The system tolerance (α) is set to 1.5. CM includes two parts: the construction of the NIRG and RSS riskgrph Theoretically, it is very difficult to analyze how close the attack the selection of TNs. The former has the similar complexity as performance of NASM is to that of NASM . The CFSor that of NASM , because single risk graphs are based on the RSS ES RSS under the extended model is too complex to yield theoretical intermediate results of NASM . It is important to point out RSS bounds for the attack performance. Therefore, researchers that this computation can be done “offline”: first obtain single often judge the efficiency of different approaches based on risk graphs under a set of representative system tolerances, numerical evaluation [7], [22], [25]–[27]. Several important and then construct the NIGR. The latter is to find TNs from observations are made from Fig. 2. the NIGR. This procedure does not rely on CFSor, which First, the attack performance of NASM can compete with means its complexity is 0, similar to that of the load-based and RSS that of NASM . Within these subfigures, the dashdotted red- the degree-based approaches. This can be done in “real-time”. ES plus curves match the blue-square solid curves in terms of the For example, if an attacker has observed that n , node 103, 103 three measurement metrics. The match is reasonable, because in Fig. 1(b) is down for some reasons (e.g. nature disaster), the TNs selected by NASM are often the same as those the attacker can quickly identify an attack strategy adding RSS of NASM . We do expect a small gap between those two one more TN, e.g. n , to the already-down n . Therefore, ES 38 103 approaches when M is large. Such results are not included considering on-line attacks, CM is 0. riskgraph because performing the exhaustive search for a large M value In summary, the comparison of the real-time complexity is computationally prohibitive. M M of different node attack strategies is Cdegree ≈ Cload ≈ Second, from the attackers point of view, launching attacks M M M Criskgraph CRSS CES. More comparisons among on a few critical nodes will cause serious damage to power different node attack strategies are shown in Table III. grid networks. In power grid networks, usually there are a few

1 100 0.1 0.9 95 0.08 0.8 90 NASM ES NASM 0.06 NASM ES ES 0.7 NASM RSS 85 NASM NASM RSS RSS 0.04 0.6 80 Connectivity Loss

0.02 0.5 75 Percentage of Drop in Net−ability Average Inverse Geodesic Length 0.4 70 0 1 2 3 4 5 6 1 2 3 4 5 6 1 2 3 4 5 6 The Number of Target Node The Number of Target Node The Number of Target Node (a) Measured by PoDN (b) Measured by AIGL (c) Measured by CL

M M Fig. 2. The comparison between NASES and NASRSS on IEEE 57 bus system, when α = 1.5.

100 0.08 1

90 0.07 0.9

0.06 NASM 0.8 80 RSS NASM 0.05 riskgraph 0.7 70 NASM 0.04 load 0.6 NASM 60 degree NASM NASM RSS 0.03 0.5 RSS M Connectivity Loss M 50 NAS NAS riskgraph 0.02 0.4 riskgraph NASM NASM Percentage of Drop in Net−ability

load Average Inverse Geodesic Length load 40 0.01 0.3 NASM NASM degree degree 30 0 0.2 1 2 3 4 5 6 1 2 3 4 5 6 1 2 3 4 5 6 The Number of Target Node The Number of Target Node The Number of Target Node

(a) Measured by PoDN (b) Measured by AIGL (c) Measured by CL

M M M M Fig. 3. The comparisons among NASRSS , NASriskgraph, NASload and NASdegree on IEEE 118 bus system, when α = 1.2.

100 0.025 1

M 0.9 90 NAS 0.02 RSS NASM riskgraph 0.8 80 NASM 0.015 load 0.7 NASM 70 degree NASM RSS 0.6 M M 0.01 NAS NAS riskgraph RSS

60 Connectivity Loss M M NAS NAS 0.5 load riskgraph M NASM 0.005 NAS

Percentage of Drop in Net−ability degree 50 Average Inverse Geodesic Length load 0.4 NASM degree 40 0 1 2 3 4 5 6 1 2 3 4 5 6 1 2 3 4 5 6 The Number of Target Node The Number of Target Node The Number of Target Node

(a) Measured by PoDN (b) Measured by AIGL (c) Measured by CL

M M M M Fig. 4. The comparisons among NASRSS , NASriskgraph, NASload and NASdegree on Polish transmission system, when α = 1.2.

critical nodes, the failure of which will cause serious enough be launched. Furthermore, increasing M will not signiﬁcantly damage. The prior study shows that cascading failures have increase the attack performance if the smaller M value already the power-law distribution of blackout sizes in both theoretical causes large damage to power grids. More important, with M models and empirical blackouts [4]. Thus, from the attack appropriate parameter values, P and R, NASRSS has sharply- perspective studying cascading failures by initially triggering reduced complexity and is doable. a few TNs is practicable and meaningful. M M B. Comparison among Different Node Attack Strategies Finally, NASRSS is an ideal substitution of NASES. As M discussed above, the attack performance of NASRSS is very In this subsection, comparisons are made among M M M M M close to that of NASES. In addition, it is important for NASriskgraph, NASload, NASdegree, and NASRSS attackers to determine the number of TNs (i.e. M). When M on IEEE 118 bus system and Polish transmission system. is small, the attacker may not be able to cause serious damage The comparisons among these four node attack strategies to power grid networks. When M is large, the attacker needs are shown in Figs. 3, 4 and 5. In simulations, there are two to take down more nodes, which makes the attack difﬁcult to important parameters for all approaches, the number of TNs

100 0.08 1

90 0.9 0.07 80 0.8 NAS4 0.06 RSS NAS4 70 0.7 RSS NAS4 0.05 riskgraph NAS4 60 4 0.6 riskgraph NAS load NAS4 50 0.04 4 0.5 load NAS degree NAS4 40 NAS4 0.4 degree RSS 0.03 Connectivity Loss 30 NAS4 0.3 riskgraph 0.02 20 4 0.2

Percentage of Drop in Net−ability NAS load Average Inverse Geodesic Length 0.01 10 NAS4 0.1 degree 0 0 0 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 System Tolerance (α) System Tolerance (α) System Tolerance (α)

(a) Measured by PoDN (b) Measured by AIGL (c) Measured by CL

4 4 4 4 Fig. 5. The comparisons among NASRSS , NASriskgraph, NASload and NASdegree on IEEE 118 bus system, when α = 1.1, 1.2, ..., 2.

(M) and the system tolerance (α). Figs. 3 and 4 show the their TNs according to the degree or load distribution. The change of attack performance against M, while Fig. 5 shows failure of those high-degree or high-load nodes might quickly the performance change against α. In addition, there are three break the whole power grid network into several subnets. For M subplots in each figure, which shows the results evaluated the NASriskgraph, the regression sometimes occurs, when the by the three different metrics. The y-axis noted by (a), (b) number of TNs is large, e.g. M ≥ 3. The reason is that the and (c) represents percentage of drop in neb-ablity, average NIRG is mainly reflecting the hidden relationship between a inverse geodesic length and connectivity loss, respectively; pair of nodes. Thus, when the number of TNs increases, the the x-axis represents the number of TNs in Figs. 3 and 4, and TNs selected from NIRG might not represent the strongest the system tolerance in Fig. 5. In each subplot, the dashdotted attacks, and then the attack performances downgrade a little. red-plus curve, solid magenta-pentagram curve, solid blue- As a summary, when the system tolerance value is un- M M M square curve and solid green-star curve represent NASRSS, known, NASriskgraph is much stronger than NASdegree and M M M M M NASriskgraph, NASload and NASdegree, respectively. For NASload. Furthermore, NASriskgraph has similar perfor- M example, Fig. 3(a) demonstrates the comparison among mance to that of NASRSS, but do not require performing the four node attack strategies on IEEE 118 bus system, search in real time. In other words, after the NIRG is es- when M is set from 1 to 6, α is set to 1.5, and results tablished, there is no need to launch CFSor before making M are measured by PoDN. From these figures, we have the attacks. The major advantages of NASriskgraph are: (a) not following observations and discussions. requiring the knowledge of system tolerance, (b) low real-time M First, the attack performances of NASriskgraph are a lit- complexity, and (c) comparable attack performance with that M M tle weaker than that of NASRSS, but much stronger than of NASRSS. Detailed comparisons are given in Table III. M M those of NASload and NASdegree. As discussed in Section M VI.DISCUSSIONAND CONCLUSION V-A, NASRSS could be employed as the substitution of the exhaustive search node attack strategy. From all subplots in In this paper, we investigated cascading failures of power Figs. 3 and 4, the attack performance against M, the solid grids under the extended model. The major contributions are magenta-pentagram curves are very close to the dashdotted summarized as follows, red-plus curves, which means the attack performances of • Proposed a new search based node attack strategy, called M M NASriskgraph are close to those of NASRSS. In addition, the reduced search space node attack strategy, which can the solid green-star curves are far from the dashdotted red- sharply reduce the complexity of the exhaustive search plus curves, while the solid blue-square curves are closer node attack strategy, and yields the attack performance than those green-star curves, but still are not comparable with very close to that of the exhaustive search. By using the magenta-pentagram curves. Similar observations are made the proposed approach, we can analyze a much bigger in Fig. 5, the attack performance against α. In conclusion, network than using the exhaustive search. Furthermore, M from the attack performance perspective NASRSS is the best we can adjust the parameters in the proposed approach M achievable node attack strategy, and NASdegree is the worst; to achieve a good balance between the complexity and M M while the NASriskgraph is very close to NASRSS, and much the attack performance. M M better than NASload and NASdegree. • Proposed a novel metric, called the risk graph, to de- Second, as M increases, the regression on the attack per- scribe the hidden relationship among potential TNs in M M M formance of NASriskgraph, NASdegree and NASload might terms of causing cascading failures. In other words, if occur. Such examples could be found in Figs. 3 and 4. The several nodes are closely tied together in the NIRG, the reason of the regression happens is that the cascading failure simultaneous failure of these nodes is more likely to raise under the extended model quickly stop when the whole power serious cascading failures. grid network is broken into more than one balanced subnets. • Proposed a practical node attack strategy, called the M M NASdegree and NASload do not consider this fact and select riskgraph-based node attack strategy, whose attack per-

formance is comparable to that of the reduce search space [8] J. Wang and L. Rong, “Cascade-based attack vulnerability on the US node attack strategy, but its complexity is extremely low power grid,” Safety Science, vol. 47, pp. 1332–1336, 2009. [9] W. Wang, Q. Cai, Y. Sun, and H. He, “Risk-aware attacks and when used in real-time situations. catastrophic cascading failures in U.S. power grid,” in IEEE Global Although we investigated cascading failures from the attack Telecommunications Conference, Houston, TX, USA, Dec.5-9 2011. [10] Q. Chen and J. D. McCalley, “Identifying high risk N-k contingencies perspective, the results can be very useful for the research on for online security assessment,” IEEE Transactions on Power Systems, defense side. In particular, the risk graph is a concise and vol. 20, no. 2, pp. 823–834, 2005. effective way to describe the criticality of nodes in power [11] G. Chen, Z. Dong, D. J. Hill, G. H. Zhang, and K. Hua, “Attack structural vulnerability of power grids: A hybrid approach based on complex grids. Furthermore, the RSS node attack strategy can be used networks,” Physica A: Statistical Mechanics and its Applications, vol. to evaluate the effectiveness of defense approaches by finding 389, pp. 595–603, 2010. the strong attacks after a certain defense approach is applied. [12] S. Arianos, E. Bompard, A. Carbone, and F. Xue, “Powergrid vulnerability: a complex network approach,” Chaos, vol. 19, pp. 1–6, 2009. In the future work, the proposed approaches can be further [13] E. Bompard, D. Wu, and F. Xue, “Structural vulnerability of power improved from several aspects. First, the risk graph shows systems: A topological approach,” Electrical Power Systems Research, the hidden relationship of node pairs. The risk graph may vol. 81, pp. 1334–1340, 2011. [14] A. Motter and Y. Lai, “Cascade-based attacks on complex networks,” not accurately describe the relationship among a group of Phys. Rev. E, vol. 66, 065102(R), 2002. nodes, when the group size is larger than 2. We have seen the [15] Y. Zhu, Y. Sun, and H. He, “Load distribution vector based attack strate- degradation of attack performance when M > 5. In the future, gies against power grid systems,” in IEEE Global Telecommunications Conference, Anaheim, CA, USA, Dec.3-7 2012. the risk graph construction procedure may consider more than [16] Y. Zhu, J. Yan, Y. Sun, and H. He, “Supplementary file: Revealing two-node combinations. Second, the riskgraph-based NAS can cascading failure vulnerability in power grids using risk-graph.” handle the situation when each node has different tolerance [17] NERC standards, “Transmission system standards - normal andemergency conditions.” [Online]. Available: www.nerc.com factors. The next step may be evaluating its performance after [18] R. Zimmerman, C. Murillo-Sanchez, and R. Thomas, “Matpower: being given some practical data, describing the distribution of Steady-state operations,planning, and analysis tools for power systems tolerance factors. Third, the proposed node attack strategies research and education,” IEEE Transactions on Power Systems, vol. 26, no. 1, pp. 12–19, 2011. can also work on links. Therefore, the proposed approaches [19] Platts, “GIS data.” [Online]. Available: www.platts.com can be extended to address joint-node-link attacks. Fourth, [20] Y. Zhu, J. Yan, Y. Sun, and H. He, “Risk-aware vulnerability analysis investigating the cascading failures in large-scale power grids, of electric grids from attacker’s perspective,” in IEEE Innovative Smart Grid Technologies Conference, Washington, USA, Feb.24-27 2013. e.g. the entire North America power grid benchmark, will be [21] P. Holme, B. J. Kim, C. N. Yoon, and S. K. Han, “Attack vulnerability more meaningful. Fifth, the RSS node attack strategy in this of complex networks,” Phys. Rev. E, vol. 65, 056109, 2002. paper is pretty intuitive and straightforward. As an interesting [22] R. Albert, I. Albert, and G. L. Nakarado, “Structural vulnerability of the north american power grid,” Phys. Rev. E, vol. 69, 025103(R), 2004. future research direction, more advanced methods could be [23] M. Bastian, S. Heymann, and M. Jacomy, “Gephi: An open source used to improve the search efficiency and results. For instance, software for exploring and manipulating networks,” in Proceedings of dynamic programming (DP) [28] and approximate dynamic the Third International ICWSM Conference, San Jose, California, USA, May17-20 2009. programming (ADP) [29], [30] are the popular techniques in [24] “Power systems test case archive,” University of Washington. [Online]. solving the problems that have the properties of overlapping Available: http://www.ee.washington.edu/research/pstca/ subproblems. Integrating them with the search-based approach [25] P. Crucitti, V. Latora, and M. Marchiori, “Model for cascading failures in complex networks,” Phys. Rev. E, vol. 69, 045104(R), 2004. here will be an interesting and possible direction to improve [26] P. Hines, S. Blumsack, E. C. Sanchez, and C. Barrows, “The topological the proposed approach. Finally, we plan to investigate the risk- and electrical structure of power grids,” in 43rd Hawaii International graph idea in as stochastic models [31] and temporal features Conference on System Sciences (HICSS), Kauai, Hawaii, USA, Jan.5-8 2010. of cascading failures [32]. [27] J. Yan, Y. Zhu, H. He, and Y. Sun, “Multi-contingency cascading analysis of smart grid based on self-organizing map,” IEEE Transactions on REFERENCES Information Forensics and Security, vol. 8, no. 4, pp. 646–656, 2013. [28] D. P. Bertsekas, Dynamic Programming and Optimal Control. Athena [1] U.S.-Canada Power System Outage Task Force, “Final report on the Scientific, Jan.29 2007. august 14, 2003 blackout in the united states and canada: Causes and [29] F. Lewis and D. Liu, Reinforcement Learning and Approximate Dynamic recommendations,” April 2004. Programming for Feedback Control. Wiley-IEEE Press, Dec.26 2012. [2] The Electricity Consumers Resource Council (ELCON), “The economic [30] H. He, Self-Adaptive Systems for Machine Intelligence. Wiley- impacts of the august 2003 blackout,” February 2004. Interscience, Aug.9 2011. [3] IEEE PES CAMS Task Force on Understanding, Prediction, Mitigation [31] I. Dobson, B. A. Carreras, and D. E. Newman, “A loading-dependent and Restoration of Cascading Failures, “Initial review of methods for model of probabilistic cascading failure,” Probab. Eng. Inf. Sci., vol. 19, cascading failure analysis in electric power transmission systems,” in no. 1, pp. 15–32, 2005. IEEE Power and Energy Society General Meeting, Pittsburgh, PA, USA, [32] J. Yan, Y. Zhu, Y. Sun, and H. He, “Revealing temporal features of Jul.20-24 2008. attacks against smart grid,” in IEEE Innovative Smart Grid Technologies [4] M. Vaiman, K. Bell, Y. Chen, B. Chowdhury, I. Dobson, P. Hines, Conference, Washington, USA, Feb.24-27 2013. M. Papic, S. Miller, and P. Zhang, “Risk assessment of cascading outages: Methodologies and challenges,” IEEE Transactions on Power Systems, vol. 27, no. 2, pp. 631–641, 2012. [5] T. M. Chen, J. C. Sanchez-Aarnoutse, and J. Buford, “Petri net modeling of cyber-physical attacks on smart grid,” IEEE Transactions on Smart Grid, vol. 2, no. 4, pp. 741–749, 2011. [6] X. Liang, R. Lu, X. Shen, X. Lin, and H. Zhu, “Securing smart grid: Cyber attacks, countermeasures, and challenges,” IEEE Communications Magazine, vol. 50, no. 8, pp. 38–45, 2012. [7] R. Kinney, P. Crucitti, R. Albert, and V. Latora, “Modeling cascading failures in the North American power grid,” Eur. Phys. J. B, vol. 46, pp. 101–107, 2005.

Yihai Zhu (S’13) received the B.S. in Computer Haibo He (SM’11) is the Robert Haas Endowed Science and Technology from Hefei University of Professor in Electrical Engineering at the University Technology (HFUT) in 2007, and M.S. degree in of Rhode Island (Kingston, RI). He received the Automation from University of Science and Tech- B.S. and M.S. degrees in electrical engineering from nology of China (USTC), in 2010. Both universi- Huazhong University of Science and Technology ties are in Hefei, China. He is currently a Ph.D. (HUST), Wuhan, China, in 1999 and 2002, respec- candidate in the Department of Electrical, Computer tively, and the Ph.D. degree in electrical engineering and Biomedical Engineering at University of Rhode from Ohio University, Athens, in 2006. From 2006 Island, Kingston, Rhode Island, USA. His research to 2009, he was an assistant professor in the De- interests include power grid security and complex partment of Electrical and Computer Engineering, network. He works with the Network Security and Stevens Institute of Technology, Hoboken, New Jer- Trust (NEST) Laboratory. sey. His research interests include adaptive learning and control, cyber security, smart grid, computational intelligence, and hardware design for machine intelligence. He has published one research book (Wiley), edited 1 research book (Wiley-IEEE) and 6 conference proceedings (Springer), and authored and co- authored over 120 peer-reviewed journal and conference papers, including Cover Page Highlighted Paper in the IEEE Transactions on Information Forensics and Security, and highly cited papers in the IEEE Transactions on Knowledge and Data Engineering, IEEE Transactions on Neural Networks, and IEEE Transactions on Power Delivery. His researches have been covered by national and international media such as IEEE Smart Grid Newsletter, The Wall Street Journal, Providence Business News, among others. He serves as the Program Co-Chair of the International Joint Conference on Neural Networks (IJCNN’14) and General Chair of the IEEE Symposium Series on Computational Intelligence (SSCI’14). Currently, he is an Associate Editor of the IEEE Transactions on Neural Networks and Learning Systems, and IEEE Transactions on Smart Grid. He was a recipient of the IEEE CIS Outstanding Early Career Award (2014), K. C. Wong Research Award, Chinese Academy of Sciences (2012), National Jun Yan (S’13) received the B.S. degree in In- Science Foundation (NSF) CAREER Award (2011), Providence Business formation and Communication Engineering from News (PBN) ”Rising Star Innovator” Award (2011), and Best Master Thesis Zhejiang University, China, in 2011, and M.S. de- Award of Hubei Province, China (2002). gree in Electrical Engineering from University of Rhode Island, USA, in 2013. He is currently a graduate student in the Department of Electrical, Computer and Biomedical Engineering at Univer- sity of Rhode Island, USA. His research interest includes smart grid security analysis, computational intelligence and machine learning. He works with the Laboratory of Computational Intelligence and Self-Adaptive Systems (CISA).

Yan (Lindsay) Sun(M’04) received her B.S. degree with the highest honor from PekingUniversity in 1998, and the Ph.D. degree in electrical and computer engineering from the University of Maryland in 2004. She joined the University of Rhode Island in 2004, where she is currently an associate professor in the department of Electrical, Computer and Biomed- ical Engineering. Dr. Suns research interests include cyber security, trustworthy cyber-physical systems, and network security. She is an elected member of the Information Forensics and Security Technical Committee (IFS-TC), in IEEE Signal Processing Society. She is an associate editor of Signal Processing Letter since 2013, and an associate editor of Inside Signal Processing eNewslettersince 2010. She co-authored the book Network-aware security for group communications (Springer 2007). Dr. Sun was the recipient of NSF CAREER Award (2007), and also recipient of the best paper award at the IEEE International Conference on Social Computing (SocialCom10).