Introduction
The Smart Grid is an advanced and integrated power system that relies on sophisticated computer and communication technologies to ensure efficient, reliable, and sustainable electricity supply. However, the integration of these technologies makes the Smart Grid vulnerable to cyber-attacks, which can have serious implications for national security, economic stability, and public safety [1]. These attacks can disrupt the entire grid system, damage physical infrastructure, and compromise confidential information. As a result, ensuring the security of the Smart Grid is crucial for its successful implementation and operation. In recent years, the frequency and sophistication of cyber-attacks on the Smart Grid have increased significantly [2]. These attacks can target various components of the Smart Grid, such as software, hardware, data transfer systems, and operational procedures. Moreover, the introduction of new technologies and the increasing use of IoT devices have expanded the attack surface of the Smart Grid, making it even more vulnerable to cyber-attacks [3]. To address these challenges, various detection methodologies have been proposed to detect and prevent cyber-attacks on the Smart Grid [4]. These methodologies range from rule-based and signature-based approaches to more advanced anomaly detection and machine learning-based methods [5]. However, the effectiveness of these approaches varies, and new and more sophisticated attacks require more advanced and reliable detection methodologies [6]. In this paper, we provide a comprehensive review of the vulnerabilities of the Smart Grid, including system vulnerabilities and cyber-attacks. We also review the different detection methodologies introduced in previous studies, with a focus on their effectiveness and limitations. Furthermore, we discuss the prospective cybersecurity approaches for the Smart Grid, such as AI and blockchain, and their potential benefits and challenges. 
Finally, we present the future prospects of cyber-attacks on the Smart Grid, based on recent research and technological advancements, as shown in Figure 1.
Research Background
A smart grid is a vital national infrastructure that employs information and communication technologies to deliver reliable and efficient power transmission and distribution. However, smart grids are vulnerable to cyber-attacks because they integrate physical and cyber space [8]. For instance, the 2015 Black Energy attack on Ukraine’s electricity infrastructure left around 700,000 users without power, highlighting the need for fast response to cyber-attacks [9]. Given the wide variety of attacks, it is essential to classify them so that appropriate responses can be chosen. Two primary approaches to detecting attacks are matching against an attack sample library and applying typical machine learning methods [10]. While an attack sample library can effectively recognize known attacks, it is limited in identifying new attacks not previously recorded in the library [11]. On the other hand, traditional machine learning can recognize and classify new types of attacks by learning from attack samples [12]. However, the success of traditional machine learning algorithms relies heavily on feature engineering, which may be problematic if the attacker conceals these attributes, reducing the effectiveness of the machine learning model [13].
Cyberattacks against smart grid CPSs, an essential infrastructure of all countries, have recently become more prevalent [14]. These attacks pose security challenges such as theft of sensitive data, insertion of fraudulent data, and loss of assets and information through compromised physical devices controlled by supervisory control and data acquisition (SCADA) systems [15]. Detecting these intrusions early is crucial to safeguard smart grid equipment and data, but existing research on intrusion detection systems in smart grids is inadequate [16]. Various machine learning (ML) algorithms that use supervised or unsupervised methods have been proposed in recent years to maintain the cybersecurity of smart grids by categorizing cyberattacks based on different network properties [17]. ML techniques are popular because they can scale to larger systems at a low computational cost. However, selecting the right features and parameters can significantly improve the computing efficiency of any ML method [18]. Many studies have presented ML-based techniques for identifying false data injection (FDI) assaults, such as anomaly detection techniques and support vector machines, which were effective in detecting FDI assaults based on statistical discrepancies in data [19]. Additionally, other methods such as k-nearest neighbors (KNN), single-layer perceptron, and linear and Gaussian support vector machine (SVM) were used as supervised learning techniques to compare and evaluate their performance in detecting FDI assaults [20]. Although these techniques have shown promise in identifying FDI assaults, there is a need for extensive cross-validation among algorithms with varied parameters, and testing should be conducted on power systems of varying sizes to assess the adaptability of the categorization algorithms [21].
One potential solution to the complex problem of identifying and categorizing cyberattacks is the use of neural networks. By employing deep network design, neural networks can extract high-dimensional characteristics, resulting in improved robustness and generalization performance [22], [23], [24], [25], [26], [27], [28]. Additionally, the smart grid’s unique ability to communicate with itself provides advantages in terms of effective energy utilization and distribution for a variety of smart devices and machines [29], [30], [31], [32]. However, because the smart grid may store sensitive information, cybersecurity is crucial, and a variety of security solutions must be evaluated and analyzed [33], [34], [35]. Although the smart grid uses communication and information technology to generate, distribute, and consume electricity, there are potential disadvantages such as compromised reliability during power outages and potential privacy concerns if critical data is lost or stolen [36], [37]. One growing method of cyberattack against smart grids is FDI, which can be difficult to detect using current methods [38], [39]. Machine learning has been proposed as an alternative approach to FDI detection. Injection attacks can also lead to a security breach of an entire web server, resulting in a denial-of-service attack [39], [40].
Hybrid systems are widely applied in industries such as aerospace, energy systems, and industrial control to achieve various objectives by using feedback functions from a specific family [41]. A methodology for developing and accessing a supervisory hybrid control scheme for a microgrid system is presented in [41], using a specialized configuration that includes wind power conversion technology [42], [43]. The microgrid system is represented as a probabilistic hybrid system with many functions for energy management, as depicted in [44]. A formal link between microgrids and stochastic hybrid systems has been established [45], while a state variable modeling technique is used to develop a hybrid large-scale system model of a microgrid system [46]. An intrusion detection system based on network measurements for detecting WBAN jamming attempts was introduced in [47], which employed deep neural networks (DNN) to reduce feature dimensionality [48].
The authors of [59] proposed a methodology called deep adversary learning (DAL) to detect network penetration by employing statistical learning and signals. The classifier’s objective is to reject the intrusion-augmented data, whereas the generator produces the intrusion-augmented datasets. SVMs are used to differentiate between the attack dataset and the normal intrusion dataset. The intrusion detection rate may be improved further by using a deep migration training model with four steps: ideal feature, variables, knowledge, and feature sampling [60]. The researchers of [61] proposed a five-level restricted Boltzmann machine (RBM) model for identifying Distributed Denial of Service (DDoS) attacks in datasets from smart city applications, while [62] integrated the geometric differential module (GDM) and GDM/AG with a deep learning neural network structure to enhance the accuracy and detection of automobile security breaches. Table 1 provides a summary of various existing approaches.
Intrusion detection system (IDS)-based intrusion recognition approaches have shown great promise in certain scenarios [63]. However, to obtain critical information, an IDS must be complemented with dynamic system monitoring tools along with traditional security components such as firewalls and antivirus software. To detect FDI attacks, many proposed detection systems exploit the spatial-temporal correlations, temporal correlations, and statistical correlations of meter measurements [64], [65]. The authors of [66] provide multiple strategies for FDI attack detection using state estimation. The connection between FDI and small-signal/transient stability requires further investigation in future research. The wide-area measurement system is widely used in the current power grid to detect power system irregularities.
Measurements from phasor measurement units (PMUs) are transmitted to the control center for monitoring and damping control [67]. FDI attacks can compromise communication between the PMU and the control center, reducing inter-area oscillation damping and causing small-signal instability. Hence, sophisticated AI systems are needed. Several ML approaches have recently been implemented to detect cyberattacks on a smart grid [68]. For identifying cyberattacks in a CPS, the authors of [69] utilized KNN, decision trees, bootstrap aggregation, and random forest. An auto-associative kernel regression model was utilized to enhance detection performance. Wang et al. [70] advocated using recurrent neural networks with long short-term memory to anticipate the types of cyberattacks.
According to [71] and [72], random forest outperforms SVM and KNN for detecting anomalies in clean water supply systems. In [73], He et al. utilized various ML techniques to evaluate traffic data to identify assaults on thermal power production plants. Numerous studies have employed ML for anomaly/attack detection in SCADA systems, with varying degrees of effectiveness. Comprehensive reviews of these investigations are provided in [74] and [75]. However, previous research did not consider cross-validation of algorithms with variable parameters for detecting cyberattacks in smart-grid settings.
Additionally, ML algorithms are generally assessed on a single smart-grid scenario and may not be applicable to smart grids of various sizes. Secondary systems in smart grids are vulnerable, making security crucial. Previously, machine learning-based approaches have been presented for detecting smart grid assaults. For example, the authors of [76] developed a method based on classical machine learning methods that used KNN and SVM algorithms to classify assaults and explored online learning techniques for various attack situations.
In [78], the authors suggested a supervised learning-based approach that trains a distributed SVM to detect smart grid threats. The authors of [79] developed a deep learning-based cyber-physical technique using a DBN to prevent data corruption in WAMSs and evaluated performance through simulation. The authors of [80] proposed deep learning algorithms that utilize a Conditional DBN to identify aspects of FDI attack behavior using historical measurement data. They also introduced a Long Short-Term Memory neural network in [81] to identify fraudulent input in smart terminals. FDI attacks are a prevalent type of smart grid cyber-attack [82]. Currently, FDI attacks are challenging to identify with conventional bad data detection technology. Machine learning has been suggested in the past to detect FDI attacks. A study [26], [104] investigates three distinct feature selection (FS) procedures and focuses on three varied supervised learning strategies. To test these approaches, IEEE 14-, 57-, and 118-bus systems are utilized, as shown in Figure 2.
The accuracy of detection methods for identifying specific threats is often compared. The integration of supervised learning and heuristic feature selection approaches in simulations has led to improved functionality of FDI attack detection systems [83]. Through simulations on a high-fidelity smart grid test bed, it has been demonstrated that machine-learned features can identify SCADA breaches in power transmission systems. Figure 3 illustrates a sample study on the defense system against FDI attacks, based on a conceptual and functional analysis of SCADA [84].
Smart grid protection through cyber-malware detection employing efficient and new machine learning techniques.
With the incorporation of information and communication technologies (ICT), the traditional electrical grid is evolving into a smarter grid. However, the smart grid is vulnerable to cyber-attacks, with FDI attacks being among the most severe [85]. To detect such attacks, various ML techniques are under investigation [86]. Nevertheless, the skewed class distribution of the dataset presents a challenge, and prompt response is essential in a smart grid. False data injection attacks aim to disrupt microgrid power transmission by providing false information [87]. To combat state estimation attacks, data-driven machine learning is utilized, and ensemble classifiers are employed for classification [88].
Both supervised and unsupervised classifiers are utilized in this approach [89]. The evaluation of this technique is performed through simulation using IEEE 14-bus data [90]. The performance of specific and ensemble models is compared, with the latter outperforming individual classifiers in unsupervised models. Additionally, supervised learning may be used to detect malicious communications and assess their security risks. The Internet of Things (IoT) is a concept that seeks to connect people and things with any network and level of support, anytime and anywhere, through various means [91], [92]. IoT has numerous applications and is characterized by a four-layer architecture, as shown in Figure 4. It aims to seamlessly integrate the physical and digital worlds through a networking system of real-world objects equipped with sensors [45], [93].
The Internet of Things (IoT) refers to the connection of physical and technological objects over the internet. However, as IoT devices become more common, so do Denial of Service (DoS) and spoofing attacks. The authors of [94] examined IoT network data using classification methods and supervised feature selection approaches. The smart grid security technologies, which were initially thought to be secure, have failed to meet modern cybersecurity requirements. Various tools and methods are required to tackle cyber threats. AI and data modeling may transform the security industry, as they can detect unknown threats using ML algorithms that adapt to a subject’s baseline behavior. The authors of [35] discuss how technical improvements have shaped the contemporary electrical grid, with debates over its reliability, safety, and efficacy. The smart grid has the potential to increase dependability, visibility, efficiency, and control, but communication within it is critical, and hackers are becoming more interested in smart grid fraud. Cybersecurity and vulnerability risks associated with the smart grid are discussed in a report [95], which addresses attacks and provides responses. The security issues associated with smart grid communications networks, systems, and gadgets are becoming more common, and this research helps readers understand how to detect illegal sensor information tampering. ML algorithms have replaced residual-based Bad Data Detection (BDD) in the detection of illegal sensor information tampering.
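To make the limitation of residual-based BDD concrete, the following is an added Python example (not from the reviewed paper or any work it cites): a residual-based bad data detector on a constructed 3-bus DC state-estimation model. It shows that an unstructured bad datum raises the residual and is caught, while a measurement change that is consistent with the system model leaves the residual unchanged and passes, which is the detection gap the ML-based FDI detectors surveyed here aim to close. The bus model, true state, threshold and injection values are all constructed.

```python
"""Residual-based bad data detection (BDD) on a constructed 3-bus DC state-estimation model."""

# Constructed 3-bus DC model: bus 1 is the angle reference, the states are (theta2, theta3).
# Measurements: line flows P12, P13, P23 and the injection at bus 1 (unit line reactances).
H = [
    [-1.0, 0.0],   # P12 = theta1 - theta2
    [0.0, -1.0],   # P13 = theta1 - theta3
    [1.0, -1.0],   # P23 = theta2 - theta3
    [-1.0, -1.0],  # P1  = P12 + P13
]
TRUE_STATE = [0.1, 0.2]   # constructed true bus angles (rad)
TAU = 0.01                # constructed residual-energy alarm threshold


def matvec(m, v):
    """Matrix-vector product for small list-of-lists matrices."""
    return [sum(a * b for a, b in zip(row, v)) for row in m]


def estimate_state(h, z):
    """Unweighted least-squares estimate x_hat = (H^T H)^-1 H^T z for a two-state model."""
    hth = [[sum(r[i] * r[j] for r in h) for j in range(2)] for i in range(2)]
    htz = [sum(r[i] * zi for r, zi in zip(h, z)) for i in range(2)]
    det = hth[0][0] * hth[1][1] - hth[0][1] * hth[1][0]
    inv = [[hth[1][1] / det, -hth[0][1] / det],
           [-hth[1][0] / det, hth[0][0] / det]]
    return matvec(inv, htz)


def residual_energy(h, z):
    """||z - H x_hat||^2, the statistic a residual (chi-square) BDD test compares with a threshold."""
    fitted = matvec(h, estimate_state(h, z))
    return sum((zi - fi) ** 2 for zi, fi in zip(z, fitted))


def bdd_flags(h, z, tau=TAU):
    """True when the residual-based detector raises a bad-data alarm."""
    return residual_energy(h, z) > tau


# Clean measurements generated from the constructed true state: [-0.1, -0.2, -0.1, -0.3].
Z_CLEAN = matvec(H, TRUE_STATE)
# Unstructured bad datum: P12 corrupted by +0.5 is inconsistent with the model and is caught.
Z_RANDOM_BAD = [Z_CLEAN[0] + 0.5] + Z_CLEAN[1:]
# Model-consistent change a = H c: the residual is unchanged while the estimate shifts by c,
# so the residual test alone cannot see it (constructed c).
C = [0.05, 0.0]
Z_CONSISTENT = [zi + ai for zi, ai in zip(Z_CLEAN, matvec(H, C))]

if __name__ == "__main__":
    cases = [("clean", Z_CLEAN), ("random bad datum", Z_RANDOM_BAD), ("model-consistent", Z_CONSISTENT)]
    for name, z in cases:
        est = [round(v, 3) for v in estimate_state(H, z)]
        print(f"{name:18s} residual={residual_energy(H, z):.4f} alarm={bdd_flags(H, z)} estimate={est}")
```

The "model-consistent" case prints no alarm although the estimate has moved from (0.1, 0.2) to (0.15, 0.2), which is why the surveyed approaches look for spatial-temporal and statistical regularities beyond the residual.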
Semi-supervised anomaly detection methods using PMU data have been employed to identify cyber risks in smart grids. Cyberattacks on SCADA systems are particularly destructive and must be handled with utmost care. Deep Machine Learning (DML) has been used to overcome intrusion prevention challenges, and the DML-based intrusion detection approach has an accuracy rate of roughly 90.0 percent. The authors of [96] have enhanced the detection process by shifting the defensive aim from rejecting assaults to preventing outages, and the authors of [97] have evaluated the impact of a cyberattack on the PMU state estimation procedure.
The authors of [98] presented a fault detection, classification, and location strategy in radial distribution systems based on sophisticated machine learning techniques. A lightweight technique was proposed in [99], [100], and [101] to detect abnormal state estimates in smart grids produced by FDI attacks in real time by investigating the spatial-temporal correlations between grid state estimates and using trust-voting. Chi-square detector and cosine similarity matching techniques were studied in [102] for detecting cyber attacks in smart grids. An adaptive cumulative sum technique for detecting FDI attacks in real time was devised by the authors of [103].
Recently, machine learning (ML) has been popular for identifying cyber attacks in smart grids, with most suggested systems relying on supervised learning algorithms. The authors of [76] used ensemble learning and feature-level fusion with common supervised algorithms such as KNN, SVMs, and SLR to anticipate FDI attacks. The authors of [101] examined SVM, KNN, and extended nearest neighbor (ENN) for classifying FDI attacks in smart grids.
In [104], an anomaly detection system was suggested that used a decision tree-based approach on PMU data to differentiate normal tripping and power line faults from malicious attacks that physically trip connections. An AdaBoost-based classification method was created in [105] using random forest as the base classifier for identifying power system faults and cyber threats from individual PMU data.
Feature engineering procedures, such as feature selection, have been studied in previous research to increase detection performance and minimize computing complexity [78], [106], [107]. The authors of [108] created an intrusion detection module for detecting malicious attacks in the SCADA system using network traces. They used a One-Class support vector machine (OCSVM) with K-means recursive clustering to identify intrusions in SCADA systems in real time [109]. Reference [26] investigated three distinct supervised learning strategies to be employed in conjunction with three distinct Feature Selection (FS) techniques. These approaches are evaluated for adaptability on IEEE 14-, 57-, and 118-bus systems. The simulation study shows that supervised learning combined with heuristic FS approaches results in enhanced classification algorithm performance for FDI attack detection. SVM, KNN, and Artificial Neural Network (ANN) are the three ML methods employed. Heuristic FS approaches can pick a subset of features to achieve improved classification accuracy with a much smaller number of features.
The classification of feature selection techniques includes three main categories: filter, wrapper, and embedded approaches. Filter approaches evaluate characteristics individually, utilizing statistical metrics such as correlation, information gain, or chi-square. Wrapper approaches assess feature subsets by integrating the performance of the learning process, often by training and testing the model with various subsets. Embedded approaches incorporate feature selection inside the model training process, optimizing features as an integral component of the overall learning procedure. Genetic Algorithms (GA) are significant in the field of evolutionary computation for their ability to optimize feature subsets through the simulation of natural selection. Within the framework of a smart grid, GA has been utilized for feature selection. This application was examined in research that aimed to discover pertinent attributes for machine learning models by utilizing smart grid data [110]. Genetic programming (GP) utilizes tree topologies to describe alternative solutions and employs evolutionary operations such as crossover and mutation. GP has been implemented in smart grids to optimize demand response, as demonstrated in research [111]. Ant Colony Optimization (ACO) is a prominent evolutionary computation approach that draws inspiration from the foraging behavior of ants, employing swarm intelligence. ACO has been utilized in machine learning to efficiently find subsets of features, hence improving the interpretability of models [112]. Evolutionary computing techniques are crucial in optimizing feature subsets, leading to improved model performance and interpretability in diverse applications such as smart grids and machine learning [113]. Their use demonstrates their efficacy in addressing feature selection issues in intricate datasets [114].
Furthermore, feature extraction is an essential first step in machine learning [115], with the aim of converting raw data into a more manageable and useful format. This procedure entails the careful selection and modification of pertinent data with the aim of lowering complexity, improving computing effectiveness, and minimizing the likelihood of overfitting [116]. Common techniques include linear methods such as principal component analysis (PCA), non-linear methods such as t-distributed stochastic neighbor embedding (t-SNE), an unsupervised non-linear dimensionality reduction technique for exploring and visualizing high-dimensional data, and autoencoders [117]. Autoencoders are artificial neural networks (ANNs) that learn to encode unlabeled data efficiently through unsupervised learning. An autoencoder learns two functions: an encoding function that transforms the input data, and a decoding function that recreates the input data from the encoded representation. Feature extraction is utilized in several fields, including computer vision, natural language processing, and signal processing, to enhance model performance and interpretability. Nevertheless, there are obstacles to overcome, such as the risk of information loss during the extraction process and the requirement for meticulous algorithm selection. PCA can be used to project data onto a smaller number of linear components [56], t-SNE can be used to reveal relationships that are not linear [118], and autoencoders can be used to learn features [119].
Several research possibilities exist to develop antennas with better radiation qualities and innovative ways for producing circular polarization radiation with a broad ARBW that is small in size and covers all necessary bands, as covered in [120]. In [41], the author highlighted a significant advancement toward the potential implementation of smart grids, operating as a composite system based on cyber-physical concepts. The suggested modeling technique proposes an active paradigm for the management construction of complicated energy systems, aiming to benefit the environment, technical performance, and economic value. The model was validated by running it through a virtual test bench and studying its reaction throughout an operational range, providing a thorough demonstration of the suggested technique.
The system may run and switch between modes to provide maximum dependability in the face of variable dynamics and load demand. The model uses historical and log data to identify attacks, and the unsupervised machine learning technique is advantageous for identifying zero-day attacks. However, it is prone to false positives, and supervised learning can significantly improve detection confidence. To enhance the feature construction process, the authors analyzed the raw data in the electrical network and generated 16 new features by combining attributes. The authors of [12] proposed a unique strategy for developing a deep neural network that can categorize cyberattacks in smart grids by generating attack behaviors and anticipating the type of assault based on the received message.
In [84], an unsupervised feature learning approach was developed to detect threats in transmission SCADA systems, which improves the accuracy of detection while relying less on system modeling and human knowledge. The approach proposed in [121] identifies new data characteristics that were previously unavailable for 1D power system measurements, leading to further performance improvements. Unlike previous works, which focused primarily on binary classification solutions, the system in [121] addresses the issue of detecting FDI attacks as a problem of multi-class classification, with a Convolutional Neural Network (CNN) serving as a multi-label predictor. In [122], a machine learning strategy was presented to detect and protect smart grids against False Data Injection Attacks (FDIA), which merged feature selection and machine learning. The authors used supervised machine learning models to implement hybrid approaches and compared the suggested model in terms of accuracy, precision, recall, and F1 score.
A. Smart Grid Vulnerabilities
The Smart Grid is vulnerable to various types of attacks, including cyber-attacks, physical attacks, and human errors. These vulnerabilities can be classified into two categories: system vulnerabilities and cyber-attacks. System vulnerabilities refer to weaknesses in the Smart Grid’s physical infrastructure and operational procedures. These vulnerabilities can be caused by outdated or poorly maintained hardware, inadequate security measures, or inadequate training of personnel. For example, outdated software or hardware components may contain security vulnerabilities that can be exploited by attackers to gain unauthorized access to the Smart Grid. Similarly, inadequate security measures, such as weak passwords or lack of encryption, can make the Smart Grid vulnerable to attacks.
Cyber-attacks are a major threat to the Smart Grid. They can be launched remotely and are designed to exploit vulnerabilities in the Smart Grid’s communication and control systems. Cyber-attacks can take various forms, such as denial-of-service attacks, phishing attacks, malware attacks, and advanced persistent threats. These attacks can result in data theft, service disruption, equipment damage, and even physical harm to the operators and the public. The vulnerabilities of the Smart Grid extend to all its elements, including software, hardware, and data transfer systems. The Smart Grid relies on various software components, such as operating systems, control systems, and database management systems. These components can contain security vulnerabilities that can be exploited by attackers. Similarly, hardware components, such as routers, switches, and sensors, can also be targeted by attackers.
Moreover, the data transfer systems used by the Smart Grid, such as wired and wireless networks, can be vulnerable to attacks. These systems can be targeted by attackers who want to intercept, manipulate, or destroy the data transferred over them. Finally, the Smart Grid’s operational procedures and applications, such as energy management systems and billing systems, can also be targeted by attackers who want to disrupt the grid’s operations or steal confidential information. The Smart Grid is vulnerable to various system vulnerabilities and cyber-attacks.
These vulnerabilities can have serious implications for national security, economic stability, and public safety. Therefore, it is essential to develop effective detection methodologies and cybersecurity solutions to ensure the Smart Grid’s security and reliability.
B. Cyber-Attack Detection Techniques
To detect cyber-attacks on the Smart Grid, various detection methodologies have been introduced in previous studies. These methodologies can be classified into three categories: signature-based, anomaly-based, and hybrid-based detection. Signature-based detection relies on predefined signatures or patterns of known cyber-attacks to identify and block malicious traffic. This approach is effective against known attacks, but it is less effective against new and unknown attacks that do not match the predefined signatures. Anomaly-based detection, on the other hand, relies on statistical analysis and machine learning algorithms to detect abnormal behavior or deviations from normal patterns in the Smart Grid’s network traffic. This approach can detect unknown and zero-day attacks, but it can also generate false alarms and miss some attacks that are similar to normal behavior. Hybrid-based detection combines the strengths of signature-based and anomaly-based detection. This approach uses predefined signatures to detect known attacks and machine learning algorithms to detect unknown and abnormal behavior in the Smart Grid’s network traffic. This approach can provide a higher level of accuracy and reduce false alarms.
In addition to these detection methodologies, various techniques have been proposed to enhance the detection of cyber-attacks on the Smart Grid. These techniques include deep learning, feature selection, and ensemble learning. Deep learning techniques, such as convolutional neural networks (CNNs), can automatically learn and extract features from the Smart Grid’s network traffic and use them to detect cyber-attacks. These techniques can provide high accuracy and reduce false alarms. Feature selection techniques can reduce the dimensionality of the Smart Grid’s network traffic and improve the performance of the detection algorithms.
These techniques can select the most relevant features that are important for detecting cyber-attacks and remove irrelevant and redundant features. Ensemble learning techniques can combine multiple detection algorithms to improve the accuracy and robustness of the detection system. These techniques can reduce the risk of false alarms and provide a higher level of confidence in the detection results. Various detection methodologies and techniques have been proposed to detect cyber-attacks on the Smart Grid. These methodologies and techniques can provide a higher level of accuracy and reduce false alarms, and they can enhance the security and reliability of the Smart Grid. A system for detecting cyber-attacks in the Smart Grid would consist of several components, such as:
Smart Grid devices and components: This includes all the devices and components of the Smart Grid such as smart meters, sensors, controllers, and communication networks.
Data pre-processing and feature selection: This component is responsible for pre-processing the data generated by the Smart Grid devices and selecting the most relevant features for detecting cyber-attacks.
Machine learning algorithms: This component includes various machine learning algorithms such as decision trees, random forests, and support vector machines that can learn patterns from the Smart Grid data and detect cyber-attacks.
Anomaly detection and signature-based detection: This component includes anomaly detection techniques and signature-based detection techniques that can detect abnormal behavior and known cyber-attacks in the Smart Grid data.
Ensemble learning: This component combines multiple detection algorithms to improve the accuracy and robustness of the detection system and reduce the risk of false alarms.
Intrusion detection system (IDS): This component monitors and analyzes the Smart Grid data for signs of suspicious activity and raises an alert if an attack is detected.
Security information and event management (SIEM) system: This component collects and analyzes data from different components of the Smart Grid and uses correlation and pattern recognition techniques to detect cyber-attacks.
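As an added example (not code from the paper or any cited work), the hybrid signature-plus-anomaly logic described in this section applied to constructed traffic records: signature rules catch known patterns, a z-score over a benign packet-rate baseline catches an unknown flood, and a legitimate burst shows the false-alarm case that the anomaly component can produce. The signature contents, ports, rates, baseline and threshold are all constructed assumptions.

```python
"""Hybrid (signature + anomaly) cyber-attack detection over constructed Smart Grid traffic records."""
from statistics import mean, pstdev

# Constructed benign baseline: packets per second observed from field devices during normal polling.
BASELINE_RATES = [10.0, 12.0, 11.0, 9.0, 13.0, 10.0, 11.0, 12.0]   # mean 11.0, pstdev ~1.2247

# Constructed signature rules: identifier -> predicate over a traffic record.
# The payload marker is a placeholder standing in for real signature content.
SIGNATURES = {
    "SIG-01": lambda r: r["payload_marker"] == "KNOWN_MALWARE_MARKER_A",
    "SIG-02": lambda r: r["dst_port"] == 502 and r["flags"] == "SYN" and r["pkts_per_sec"] > 100,
}

Z_THRESHOLD = 3.0   # standard deviations above the baseline mean treated as anomalous (constructed)


def signature_match(record):
    """Return the ids of known-attack signatures the record matches (empty list if none)."""
    return [sid for sid, rule in SIGNATURES.items() if rule(record)]


def anomaly_score(record, baseline=BASELINE_RATES):
    """Z-score of the record's packet rate against the benign baseline."""
    mu, sigma = mean(baseline), pstdev(baseline)
    return (record["pkts_per_sec"] - mu) / sigma


def classify(record, z_threshold=Z_THRESHOLD):
    """Hybrid verdict: a signature hit names the known attack; otherwise the anomaly score decides."""
    hits = signature_match(record)
    if hits:
        return "known-attack:" + ",".join(hits)
    if anomaly_score(record) > z_threshold:
        return "anomaly"
    return "benign"


def classify_all(records):
    """Verdict per record, keyed by source address, for a batch of records."""
    return {r["src"]: classify(r) for r in records}


# Constructed traffic records (addresses and values are illustrative only).
R_KNOWN = {"src": "10.0.0.21", "dst_port": 502, "flags": "ACK", "pkts_per_sec": 11.0,
           "payload_marker": "KNOWN_MALWARE_MARKER_A"}          # known pattern at a normal rate
R_SYN_FLOOD = {"src": "10.0.0.77", "dst_port": 502, "flags": "SYN", "pkts_per_sec": 150.0,
               "payload_marker": ""}                             # matches SIG-02
R_UNKNOWN_FLOOD = {"src": "10.0.0.78", "dst_port": 20000, "flags": "ACK", "pkts_per_sec": 400.0,
                   "payload_marker": ""}                         # no signature; anomaly catches it
R_BENIGN = {"src": "10.0.0.22", "dst_port": 502, "flags": "ACK", "pkts_per_sec": 12.0,
            "payload_marker": ""}                                # ordinary polling
R_MAINTENANCE_BURST = {"src": "10.0.0.23", "dst_port": 502, "flags": "ACK", "pkts_per_sec": 15.0,
                       "payload_marker": ""}                     # legitimate burst: z ~3.27, a false alarm

if __name__ == "__main__":
    for src, verdict in classify_all([R_KNOWN, R_SYN_FLOOD, R_UNKNOWN_FLOOD, R_BENIGN,
                                      R_MAINTENANCE_BURST]).items():
        print(f"{src:12s} {verdict}")
```

The maintenance-burst record is the false-alarm case the section describes: the signature component does not fire, and the anomaly component flags a legitimate deviation, which is why the combination is tuned for threshold and baseline rather than relying on either component alone.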
C. Datasets for Cyber-Attack Detection
The use of relevant datasets is essential in training and assessing machine learning models specifically developed to detect and mitigate cyber-attacks. The availability of these datasets is crucial for academics and practitioners to create efficient algorithms and systems for the detection of cyber-attacks. The dimensionality of these datasets varies based on the number of characteristics or variables employed to depict network traffic. Commonly, the datasets employed for cyber-attack detection might encompass hundreds to tens of thousands of characteristics that portray distinct facets of network behavior and communication. Framing cyber-attack detection as a big data problem requires the management and analysis of vast quantities of data produced by network operations. This encompasses the difficulties associated with scaling, optimizing storage, and processing data with a large number of dimensions. Big data technologies such as Apache Hadoop and Apache Spark can be employed to address the difficulties of managing and analyzing massive amounts of information with the aim of detecting cyber-attacks. The following are prominent datasets frequently utilized in the field:
The NSL-KDD dataset is an enhanced iteration of the extensively utilized KDD Cup 1999 dataset. It rectifies several deficiencies of the first dataset and offers a more authentic portrayal of network activity.
The UNSW-NB15 dataset is a collection of network traffic data specifically designed for evaluating network-based intrusion detection systems (NIDS). It encompasses a broad spectrum of both malicious assaults and regular operations within a network.
The CICIDS2017 dataset is a recent collection of data from the Canadian Institute for Cybersecurity that contains both harmless and harmful network traffic. Its purpose is to assess the efficacy of intrusion detection systems.
The AWID (Aarhus WiFi IDS) dataset is specifically designed to analyze and address security issues related to wireless networks. It contains data collected from a WiFi intrusion detection system and covers several forms of attack in a wireless setting.
The ISCX-IDS-2012 dataset originates from the 2012 International Cyber Security Challenge (ICSC). Its controlled environment encompasses a diverse range of threats aimed at assessing the effectiveness of intrusion detection systems.
The KDD Cup 1999 dataset, although dated, is a widely recognized benchmark dataset that has been extensively utilized in early research on intrusion detection. It consists of a wide range of characteristics derived from network traffic.
D. Deep Learning Approaches for Cyber-Attack Detection
Deep learning methods have demonstrated potential for enhancing the precision of cyberattack detection by autonomously acquiring hierarchical characteristics from unprocessed data. Here are a few pertinent methodologies:
Convolutional Neural Networks (CNNs): CNNs have effectively been utilized for detecting intrusions in network traffic by acquiring knowledge of spatial patterns within the data. These algorithms have the ability to perform functions such as infection detection or the recognition of unusual patterns in network traffic [123].
Recurrent neural networks (RNNs) are advantageous for evaluating sequential data, such as time-series logs or network packet sequences. LSTM networks, which are a form of recurrent neural network (RNN), are adept at identifying long-range associations in time-varying data [124].
Autoencoders: Anomaly detection may be achieved through the utilization of unsupervised learning using autoencoders. By effectively modeling standard patterns, these models may detect differences that suggest possible cyber risks [125].
Generative adversarial networks (GANs) may be utilized to produce artificial data for the purpose of enhancing training sets or simulating cyber-attacks. This contributes to the model’s acquisition of a wide range of attack patterns [126].
E. Physics-Informed Machine Learning (PIML)
Physics-Informed Machine Learning (PIML) techniques are a specific category of machine learning (ML) approaches used to identify and detect cyber-attacks [127]. Current plans and methods combine the basic physical features of the power grid with different types of machine learning, such as supervised or semi-supervised learning, unsupervised learning, and reinforcement learning (RL) [128]. The literature on PIML techniques covers applications such as anomaly detection, classification, and localization. The recent advancement in digital automation for smart grids led to the use of measuring devices such as phasor measurement units (PMUs), micro-PMUs (
Challenges
The ever-evolving nature of cyber threats poses a significant challenge to the smart grid’s security. The attackers are continually developing new techniques to breach the system, making it difficult to predict and mitigate potential risks. The complexity and interconnectivity of smart grid components also make it challenging to implement security measures that cover all system elements. Additionally, the lack of standardization across the smart grid industry is a challenge in developing comprehensive security protocols that are universally adopted. Furthermore, the cost associated with implementing robust security measures in a smart grid system can be substantial, and this may hinder some stakeholders from investing in adequate security solutions. Finally, the shortage of cybersecurity professionals with the necessary expertise in smart grid security is another challenge. The increasing demand for these professionals, coupled with the limited supply, may result in a skills gap that could leave smart grid systems vulnerable to cyber threats.
A. Smart Grid Cyber-Physical Security (Vulnerabilities)
Vulnerability can be defined as a flaw in the computational logic (such as coding) identified in hardware and software components that, when abused, causes a negative effect on secrecy, integrity, or availability [136]. In this respect, vulnerability mitigation often entails code improvements, but it may also entail specification changes or even deprecation of the design [136]. Recent smart grids have grown into a sophisticated technological system that combines physical networks, IT, and OT, and that interoperates and engages with several other essential assets. All vulnerabilities [137] incorporated in the grid system, including those of external entities associated with it, have a significant effect on grid cybersecurity. Vulnerability is a major concern for smart grids and can result in a variety of effects such as power failures, power dissipation, financial harm, and so on.
B. Physical Components Security
A smart grid is made up of many different elements, including equipment, software, and control systems. All of these elements are vulnerable in some way, including:
Weak physical access control systems, such as insufficient video surveillance and autonomous site inspection.
Insufficient physical protection for DERs at remote areas.
Internal layoff limits inside the substation.
Insufficient long-line surveillance.
Outdated parts and lengthy maintenance delays for faulty equipment.
Inadequate electromagnetic pulse filtering near the smart grid system.
Poor physical operating environment for the grid. These possible concerns are typical issues that arise from natural or man-made physical harm [138], and there are several established techniques and approaches for prevention available.
C. Vulnerabilities in IT/OT
Information technology (IT) and operational technology (OT) advancements have enabled linked substations to function together with little or no human contact. With more new technologies being incorporated into smart grids, maintaining grid security is becoming increasingly difficult. This integration of OT and IT is altering the mindset and approach to smart grid cyber-security. At the same time, all IT/OT weaknesses constitute a threat element to the whole grid system [138].
Smart grids are made up of a diverse set of smart software and hardware, particularly networked computers. Any weakness in this software and hardware might result in cyberattacks [139]. The Common Vulnerability Scoring System (CVSS) and Common Vulnerabilities and Exposures (CVE) metrics demonstrate a long-term pattern of rising weaknesses in grid components and associated programs [140], [141]. “The weakness of those devices with networking capabilities and smart operation is increasing so fast, not only due to more vulnerabilities in smart technologies, but also due to developing the systems of the smart grids, relatively new smart grid environmental elements, and inflating services and applications” [141]. “Data communication vulnerabilities also enable network-based attacks and other communication” [142], [143].
OT communication lacks an adequate security design to secure data transmission inside OT parts and between OT and IT parts. This is largely a smart grid vulnerability that is difficult to address in the near future, since it might take a long time to replace technology and equipment and improve OT. The weakness in IT communications is not novel, but it serves as a conduit between the external attacker and the internal OT.
D. Data Management Security
Current data management of smart grids has issues with clustering integrity, confidentiality, compliance control, shared scope, and management method efficiency. A vast volume of data is produced and moved between many entities. Accurate and consistent data packet streams, such as power grid status, weather predictions, and business-related information, enable operators to regulate and oversee the smart grid system. This sort of information is critical for avoiding unexpected and sudden power outages and maintaining the quality of grid operations and businesses. Furthermore, such huge data may be utilized for grid operations, alerts, demand forecasting, generation estimations, pricing changes, and so on. Because numerous smart grid sectors are engaged in the process, the data gathered is very large. In addition, there is a statutory need to provide correct data as often as feasible, which is difficult. Yet several weaknesses exist in the cyber environment’s long chain of information gathering, analysis, computing, security, and control [14], [144].
E. Applications and Services Security
The access to IT and OT information allows the quick physical data translation into useful information, allowing sophisticated financial advisory platforms, distribution grid technologies, and distributed energy management systems to be developed [145]. The applications have resulted in some incredible advantages for asset-rich substations. Interconnectivity speeds up data flow between devices, allowing for the automating of substation control and protection systems and giving operational advantages. Smart grids may offer a wide range of services and applications, including energy trading, electricity services, energy converging, and numerous client services.
All of these services based on digitization depend on grid operation, grid connectivity, data collecting, and the modeling of application process [145]. On the smart grid, there are various inherent weaknesses and vulnerabilities in systems of information technology programs that are significantly expanded in size and extend to all sectors of services and applications [145], [146]. All of these flaws substantially impair the routine functioning and services of smart grids. These vulnerabilities include:
Inadequate patching and frequent upgrades, resulting in unpatched software and systems.
Common-mode failures.
Inadequate resources management.
Inadequate documentation of maintenance control.
Using obsolete versions of operating systems (OS).
Inadequate grid separation from the World Wide Web.
Shortage of OT intrusion detection systems.
Inadequate OT malware identification & protection [146].
F. Running Environment Security
The operational environment of smart grids covers various layers, ranging from technologies to community, individuals, morality, economics, national policy, and the regulatory environment [146], [147]. As a result, the classic grid operating environment vulnerabilities include many non-IT aspects, such as: staff ineptness, such as the absence of specialized skills, unreliable and dishonest behavior, and so on; noncompliance with national and global rules; and political conflict, war, or proxy wars. The majority of the aforementioned risks should be addressed by a combination of technological and nontechnical solutions, such as increased cyber-security awareness, adequate advanced training, and regular control of the smart grid’s complete working environment. Since smart grids are traditional vital infrastructures, they may be particularly vulnerable to assault in difficult settings. As a result, the political and geopolitical context should not be overlooked.
G. Evolving and Complex Smart Grids Security
Smart grids are developing and changing, including increasingly more IEDs and elements, connecting to multiple network systems, supporting an increasing number of applications and functions, and interfacing with other essential infrastructures. As a result, smart grids are a typical system of systems (SoS). Every vulnerability in just about any component of these complicated advanced systems endangers the smart grid, and the dynamism and intricacy make vulnerability identification and treatment much more difficult [148], [149]. Vulnerability assessment, identification, and restoration must be handled methodically and in tandem with cyberattack evaluation. The majority of cyberattacks target smart grid system vulnerabilities, particularly those in components and networked devices. The security of the smart grid is more than just creating secure networks. A more reasonable way would be to create effective management of networking system vulnerabilities that can swiftly react to changing situations while causing minimal disruption to smart grids. The following are the primary duties of vulnerability management:
Identify as many and full vulnerabilities at all levels of the system as feasible, as each unknown vulnerability might lead to significant security issues. The security of smart grids is decided by the most vulnerable link, not the most secured one.
As quickly as feasible, repair or eliminate system vulnerabilities. Once vulnerabilities have been identified, hidden risks should be eradicated as soon as feasible. Many cyberattacks take advantage of zero-day weaknesses.
Association of vulnerabilities. The system’s ultimate weakness is more than just a collection of weaknesses. It is vital to determine their logical, functional, and physical relationships as well as their aggregation criteria. This provides a comprehensive overview of smart grid system vulnerabilities.
System vulnerabilities must be discovered and analyzed automatically. The system of the smart grids has several weaknesses or vulnerabilities, and it is challenging to identify and evaluate all of them manually using thorough approaches in a timely manner. Automated techniques for vulnerability identification, analysis, and management must be created.
Analysis of vulnerabilities and matching attacks. 100% of cyberattacks target single or multiple system weaknesses. A detailed map of vulnerabilities and the attacks that match them is quite useful in defending and safeguarding system security.
To tackle the weaknesses, a systematic approach including countermeasures is required. A single point of failure or weakest spot in a smart grid is always a difficulty.
Cyber-Physical Attacks
Lately, there has been an increase in interest in analyzing Cyber-Physical System of Systems or group (CPSG) vulnerabilities. The usual strategy is to investigate individual attacks on a certain system component. A CPSG is made up of IT and OT. IT corresponds to the use of networks to handle data and the movement of digital information. OT, on the other hand, refers to technology which controls and monitors certain equipment, such as the SCADA system. IT and OT are converging, a process known as IT-OT convergence, and the line between them is becoming increasingly blurred.
A. Data Availability Attacks
Adversaries can launch attacks against the communication channel, since cellular communication is widely employed in a CPSG. We classify assaults that limit accessibility as IT attacks in this study [150], [151]. These attacks are initiated through exploited interior routers to disrupt trusted routing, lowering the overall performance of the network [151]. Naturally, attackers undertake Byzantine assaults with two goals in mind. The first goal is vandalism, in which cyber-attackers claim the channel is empty while their sensing data show that the channel is active. The second goal is exploitation, in which attackers get exclusive access to the idle channel by reporting the channel as busy when their sensing results show that it is idle. Attackers can maximize their attack utility by pursuing the aforementioned goals [152]. In contrast to Byzantine attacks, which impede data availability by weakening the communication channel, DoS assaults obstruct regular data transit by flooding the communication channel with garbage data. A DoS attack in a CPSG aims to interrupt communications between a control center and field sensors or actuators. DoS attackers do not need to understand the CPSG settings or be able to change measurement or control information in the communication channel. Because of the loss of measurement data, system operators can readily detect the assault. However, the operators are unable to stop the onslaught, since they are unable to send control signals to the actuators. The above-mentioned incident involving Ukrainian electric power providers is an example of a DoS attack [153], [154].
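As an added example (not from the paper or the works it cites), the following fusion-centre simulation plays out the two Byzantine goals described above and shows how a per-sensor beta-reputation score lets the defender spot persistently inconsistent reporters; the sensor ids, the channel-state sequence, the report rules and the 0.7 threshold are all constructed for the illustration.

```python
# Added example: weighted-majority fusion of channel-occupancy reports with a
# reputation score per sensor, used to spot Byzantine reporters at a fusion
# centre. Sensor ids, the channel-state sequence and the report rules are
# constructed for illustration and are not taken from any real deployment.

BUSY, IDLE = 1, 0

# Constructed ground truth: channel occupancy over 12 sensing rounds (7 busy, 5 idle).
CHANNEL_STATES = [BUSY, IDLE, BUSY, BUSY, IDLE, IDLE, BUSY, IDLE, BUSY, BUSY, IDLE, BUSY]


def honest_report(truth, rnd):
    """Honest sensor: reports what it senses."""
    return truth


def noisy_honest_report(truth, rnd):
    """Honest sensor that mis-senses once (round 4); shows that a single slip is not flagged."""
    return 1 - truth if rnd == 4 else truth


def vandal_report(truth, rnd):
    """Vandalism goal: always claim the channel is empty, even while it is in use."""
    return IDLE


def exploiter_report(truth, rnd):
    """Exploitation goal: always claim the channel is busy, to keep an idle channel for oneself."""
    return BUSY


# Constructed sensor population: four honest sensors, two Byzantine ones.
SENSORS = {
    "s0": honest_report, "s1": honest_report, "s2": honest_report,
    "s3": noisy_honest_report,
    "s4": vandal_report,     # Byzantine (vandalism)
    "s5": exploiter_report,  # Byzantine (exploitation)
}


def fuse(reports, trust):
    """Weighted majority: each report votes +trust for BUSY and -trust for IDLE."""
    score = sum(trust[sid] * (1 if rep == BUSY else -1) for sid, rep in reports.items())
    return BUSY if score > 0 else IDLE


def run_fusion(states=CHANNEL_STATES, sensors=SENSORS):
    """Fuse every round and return (decisions, trust) after beta-reputation updates."""
    alpha = {sid: 1.0 for sid in sensors}  # agreements with the fused decision (+1 prior)
    beta = {sid: 1.0 for sid in sensors}   # disagreements with the fused decision (+1 prior)
    trust = {sid: 0.5 for sid in sensors}  # alpha / (alpha + beta), starts neutral
    decisions = []
    for rnd, truth in enumerate(states):
        reports = {sid: rule(truth, rnd) for sid, rule in sensors.items()}
        decision = fuse(reports, trust)
        decisions.append(decision)
        for sid, rep in reports.items():
            if rep == decision:
                alpha[sid] += 1
            else:
                beta[sid] += 1
            trust[sid] = alpha[sid] / (alpha[sid] + beta[sid])
    return decisions, trust


def flag_suspects(trust, threshold=0.7):
    """Sensors whose reputation fell below the (constructed) threshold, sorted by id."""
    return sorted(sid for sid, t in trust.items() if t < threshold)


if __name__ == "__main__":
    decisions, trust = run_fusion()
    print("fusion correct every round:", decisions == CHANNEL_STATES)
    print("reputations:", {sid: round(t, 3) for sid, t in trust.items()})
    print("flagged:", flag_suspects(trust))
```

With four honest reporters the weighted majority stays correct in every round, so the vandal (agreeing only in idle rounds) and the exploiter (agreeing only in busy rounds) end with reputations of 6/14 and 8/14, while the once-mistaken honest sensor stays above the threshold.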
B. Control Signal Attacks
1) Aurora Attacks
The Idaho National Laboratory discovered the Aurora generator vulnerability, in which a hypothetical attacker intentionally opens and closes a generator’s circuit breaker by inserting a sequence of compromised control instructions [155]. When the generator is disconnected from the electrical grid, it becomes desynchronized. Once the system and generator are out of sync, the Aurora attack re-closes the breaker before the protective system responds to the attack [156], [157]. Because generator protection components are purposely delayed to minimize needless tripping, attackers generally have a 15-cycle window before any protection mechanism kicks in [3], [158].
2) Pricing Attacks
Retail markets are paying more attention to demand-response systems in order to improve grid efficiency. In its most basic form, demand-response is a control system in which control signals serve as incentives. Tan et al. [159] developed a pricing assault on price signals by scaling and delaying. Giraldo et al. [160] “enhanced the assault even further by simulating an attacker who intends to raise the imbalance between consumed and generated energy by infiltrating the communication channel and employing an attack time series to influence the pricing signal. Unlike one-shot attacks, in which the attackers inject harmful data just once” [160], authors of [161] evaluated assaults capable of inserting incorrect price data at any time and frequently over a lengthy period of time. Long-term assaults can generate a power imbalance, which can result in over-generation, economic losses, and poor quality of energy. The authors devised a sensitivity analysis approach to measure the impact of repeated assaults. They used a z-transform sensitivity functionality to represent the system’s dynamics in their investigation.
The authors of [162] enhanced the pricing assault by injecting fraudulent bidding quantities and prices from prosumers through malware. The market clearing price was altered as a result of these assaults, and each individual prosumer’s energy usage was altered, negatively affecting total demand on distribution feeders. In [162], two attack possibilities were investigated: the first intended to undermine the system’s dependability by influencing the bid price to certain extreme levels, while the second aimed at reaping profit over time by influencing the bid price within bounds to prevent detection. Prosumers are aware of these bid restrictions because of the service agreement. If the attacker distorts the impulses to the point where they exceed the restrictions, the modification will be visible [161]. In comparison to the first scenario, the assault in the second scenario has a minor influence on the total load, making detection difficult.
C. Measurement Attacks
1) AGC Attacks
In interconnected power grids, Automatic Generation Control (AGC) is a wide-area frequency control application. The area control error (ACE) is calculated by AGC using power flow and frequency information from distant sensors. AGC is vulnerable to measurement assaults because of the lack of a measurement verification or attack detection system. Once compromised, it has the potential to quickly generate a power imbalance in the system. The adversary in this example is a provider that intends to produce more electricity than the assigned schedule without being noticed. Another type of attack targets power flow sensors by employing a sustained false data injection attack across numerous AGC cycles. Chen et al. [163] investigated the four sorts of attacks used to accomplish the AGC attack approach, which explicitly targeted load frequency control.
2) FDI Attacks
FDI assaults on bad data detection and state prediction are two of the smart grid’s hottest subjects. Liu et al. [164] were the first to show it using DC system models. They believed that the attacker is familiar with the network settings and topology of the whole power system, as well as the capacity to manipulate data readings from meters. An FDI assault has the potential to defraud the power system state estimate, which serves as the basis for a lot of functions of power system like contingencies and revenue maximization [165], [166]. Falsified state estimate findings may cause the EMS’s functioning and auto-control mechanism to malfunction. Financial damage, unpredictable system states, and even system voltage failure are all possible outcomes of such attacks [167]. Authors in [168] proposed an FDI attack capable of causing physical line overflows, as shown in Figure 7. Considering the EMS sequential information computing features, their optimal attack vector caused line overload when incorrect parameters caused generation dispatch. Intricately designed cyberattacks can avoid bad data identification by adhering to physical rules such as Kirchhoff’s circuit laws.
3) Blind FDI Attacks
Blind FDI threats can be built with no knowledge of the power grid structure. The assault is built using the principal component analysis (PCA) [169] estimation approach, since the topological data is implicitly contained in the correlations between measurements. Data-driven tactics, particularly machine learning-based approaches, are an important component of cyber-physical assaults against smart grids. If an opponent is aware of the susceptibility of all transmission lines connected to a bus, they can undertake concealed FDI assaults to manipulate the state variable on that bus. Authors in [170] developed an unsupervised learning strategy to cluster the data set in circumstances when attackers are unable to relate the eavesdropped measurements to the existing system architecture. For dimensionality reduction, the suggested data categorization uses T-distributed stochastic neighbor embedding. Although attackers can gain topology information in the scenarios mentioned above, attackers may also construct FDI assaults with little topology knowledge [171].
a: Load Redistribution
Recently, researchers have been focused on discovering the exact assault implications [172]. Che et al. [173] investigated the method by which an attacker might implicitly recognize the intended beginning uncertainty as a system weakness, then exploit such a weak spot to carry out LR assaults that result in physical harm to the system. The Security Constrained Economic Dispatch (SCED) imposes line flow limitations depending on the improper power flow status under the influence of the load attack vector. Severe transmission overloads might occur when the generators follow the dispatch directives issued by the SCED [174]. Xiang et al. [175] proposed a power system stability evaluation model to quantify the effect of LR assault on long-term power source dependability. The suggested Monte Carlo simulation-based assessment approach considers LR assaults that may result in load reduction. Fu et al. [176] introduced an attacker who coordinates LR assaults with physical attacks to target the most tripped lines throughout the cascade process rather than the most profitable lines.
b: GPS Spoofing Attacks
Spoofing attacks on PMUs in CPSGs are carried out through GPS spoofing, in which the attacker generates false GPS signals [177]. The other sort of this kind of attacks is known as the time stamp assault, also known as a time synchronization attack (TSA), and it aims to intentionally insert erroneous time stamps, causing an incorrect phase angle in the PMU measurements [178]. Authors of [179] devised an optimization issue to determine the most susceptible PMUs for use in the construction of a TSA. The state estimate error was used to quantify the vulnerability, and a greedy method was used to address the issue.
D. Attacks on Control Signal Measurement
Authors of [180] proposed two coordinated cyber-physical attacks to conceal the line outage: replaying and optimized coordinated cyber-physical attacks. The replayed coordinated cyber-physical attacks are highly expensive, and the real system state differs from the manipulation measures, making it observable by separately known-secure PMUs. The enhanced coordinated cyber-physical attacks cancel out the effect of the power loss on the BDD residue. Li et al. [181], [182] advocated two-step cyberattacks to hide line disruptions caused by physical attacks. Cyberattacks are divided into two stages, the first of which is a topology-preserving assault, followed by a load redistribution attack. An AC model is used to build the attack vector, which includes information about the local network and the capacity to change measurement inside the assaulted region [183].
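The BDD residual test referred to above, and the reason a measurement perturbation that respects Kirchhoff’s laws passes it (Section C.2), as an added example that is not from the paper or any cited work: a WLS state estimator on a constructed 3-bus DC model with a chi-square bad data detector, followed by the cross-check against a separately secured PMU angle that the paragraph above mentions. The bus model, SIGMA, the threshold value and every function name are assumptions made for this illustration.

```python
# Added example: weighted least squares (WLS) state estimation on a constructed
# 3-bus DC model with a chi-square bad data detector (BDD), plus a cross-check
# against a trusted PMU angle. The bus model, numbers and function names are
# constructed for this illustration; nothing here comes from a real grid.

SIGMA = 0.01          # assumed measurement noise standard deviation (p.u.)
CHI2_95_DOF4 = 9.488  # 95% chi-square threshold for m - n = 6 - 2 = 4 degrees of freedom

# Constructed 3-bus model: bus 1 is the angle reference (theta1 = 0) and every line has
# reactance 1 p.u., so a line flow is simply the angle difference across it.
# State vector x = (theta2, theta3). Measurement order:
# P12, P13, P23 (line flows) and P1, P2, P3 (bus injections).
H = [
    [-1,  0],  # P12 = theta1 - theta2
    [ 0, -1],  # P13 = theta1 - theta3
    [ 1, -1],  # P23 = theta2 - theta3
    [-1, -1],  # P1  = P12 + P13
    [ 2, -1],  # P2  = P21 + P23
    [-1,  2],  # P3  = P31 + P32
]
TRUE_STATE = [-0.1, -0.2]  # constructed true bus angles (rad)


def matvec(A, x):
    return [sum(a * b for a, b in zip(row, x)) for row in A]


def clean_measurements():
    """Noise-free measurements z = H x for the constructed true state."""
    return matvec(H, TRUE_STATE)


def wls_estimate(z):
    """Solve the normal equations (H^T H) x = H^T z (equal weights); the 2x2 system by Cramer's rule."""
    m, n = len(H), len(H[0])
    hth = [[sum(H[k][i] * H[k][j] for k in range(m)) for j in range(n)] for i in range(n)]
    htz = [sum(H[k][i] * z[k] for k in range(m)) for i in range(n)]
    det = hth[0][0] * hth[1][1] - hth[0][1] * hth[1][0]
    theta2 = (htz[0] * hth[1][1] - hth[0][1] * htz[1]) / det
    theta3 = (hth[0][0] * htz[1] - hth[1][0] * htz[0]) / det
    return [theta2, theta3]


def residual_test(z):
    """Return (x_hat, J) with J = sum((z - H x_hat)^2 / sigma^2), the BDD test statistic."""
    x_hat = wls_estimate(z)
    r = [zi - hi for zi, hi in zip(z, matvec(H, x_hat))]
    return x_hat, sum((ri / SIGMA) ** 2 for ri in r)


def bdd_flags(z):
    """Conventional residual-based bad data detection: flag when J exceeds the threshold."""
    _, J = residual_test(z)
    return J > CHI2_95_DOF4


def pmu_cross_check(z, trusted_theta2, tol=3 * SIGMA):
    """Compare the estimated theta2 with an angle from a separately secured PMU at bus 2."""
    x_hat, _ = residual_test(z)
    return abs(x_hat[0] - trusted_theta2) > tol


def demo():
    """Run the three cases discussed in the text; returns {case: (bdd_flagged, pmu_flagged)}."""
    z = clean_measurements()
    # Case 1: a single gross error (10 sigma) on the P12 meter, as from a faulty or tampered meter.
    z_gross = list(z)
    z_gross[0] += 0.1
    # Case 2: a perturbation that is itself a valid DC power flow (it lies in the column space
    # of H), so every Kirchhoff relation still holds and the WLS residual stays at zero.
    z_consistent = [zi + ai for zi, ai in zip(z, matvec(H, [0.05, 0.0]))]
    trusted_theta2 = TRUE_STATE[0]  # angle reported by the secured PMU at bus 2
    return {
        "clean": (bdd_flags(z), pmu_cross_check(z, trusted_theta2)),
        "gross_error": (bdd_flags(z_gross), pmu_cross_check(z_gross, trusted_theta2)),
        "consistent": (bdd_flags(z_consistent), pmu_cross_check(z_consistent, trusted_theta2)),
    }


if __name__ == "__main__":
    for case, (bdd, pmu) in demo().items():
        print(f"{case:12s} BDD flagged: {bdd!s:5s} PMU cross-check flagged: {pmu}")
```

The gross meter error drives J to about 83 and is caught by the residual test, whereas the physically consistent perturbation leaves J at zero and only shows up because the estimated angle at bus 2 no longer matches the trusted PMU reading.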
Novelty
In recent years, several prospective cybersecurity approaches have been proposed for enhancing the security of smart grids against cyber-attacks. Here are some of the key approaches:
Artificial Intelligence (AI) and Machine Learning (ML): AI and ML techniques have been widely used for detecting and mitigating cyber-attacks in smart grids. AI and ML can analyze vast amounts of data generated by smart grids and detect patterns that may indicate a cyber-attack. Additionally, AI and ML can be used to develop advanced intrusion detection systems (IDSs) that can identify new and unknown cyber-attacks.
Blockchain: Blockchain technology can be used to secure smart grid transactions and data transfers. Blockchain provides a decentralized and tamper-proof ledger of transactions that can prevent unauthorized changes to data. This approach can be used to secure smart grid data transfers and ensure that only authorized users can access sensitive information.
Software-Defined Networking (SDN): SDN is a networking approach that separates the control and data planes of a network. SDN can be used to create dynamic and programmable networks that can respond to cyber-attacks in real-time. Additionally, SDN can be used to isolate infected devices or networks to prevent the spread of malware.
Hardware Security: Hardware security techniques such as physically unclonable functions (PUFs) and trusted platform modules (TPMs) can be used to enhance the security of smart grid hardware. PUFs are hardware-based security features that can generate unique keys for each device, which can be used for authentication and encryption. TPMs are specialized chips that can store sensitive data such as encryption keys and can be used to ensure the integrity of the device.
Cloud Computing: Cloud computing can be used to enhance the security of smart grids by providing secure and scalable computing resources. Cloud computing can be used to store sensitive data and provide secure communication channels between devices. Additionally, cloud computing can be used to develop advanced IDSs and to perform real-time threat analysis.
Overall, the prospective cybersecurity approaches for smart grids involve a combination of technologies and techniques, including AI and ML, blockchain, SDN, hardware security, and cloud computing. These approaches can help to enhance the security of smart grids and prevent cyber-attacks.
Technological Future Prospects for Cyber-Attack in Smart Grid
The technological future prospects for cyber-attacks in the smart grid are constantly evolving as new technologies and security measures are developed. Some of the promising future prospects for enhancing smart grid cybersecurity are discussed below:
Artificial Intelligence (AI) - AI has the potential to improve smart grid cybersecurity by automating threat detection and response. Machine learning algorithms can be trained to recognize and classify anomalous behavior in the grid’s systems, allowing for early detection of cyber-attacks.
Blockchain - Blockchain technology has the potential to enhance smart grid cyber-security by providing a secure and tamper-proof record of all transactions on the grid. This can help prevent unauthorized changes to the grid’s systems and data.
Quantum computing - Quantum computing could revolutionize smart grid cyber-security by providing exponentially faster processing speeds, making it easier to analyze vast amounts of data and detect cyber-attacks in real-time.
Edge computing - Edge computing involves processing data closer to the source of the data, reducing latency and improving response times. This can be particularly useful in smart grid cybersecurity, where fast response times are essential to prevent cyber-attacks.
Internet of Things (IoT) security - The proliferation of IoT devices on the smart grid presents a significant security risk. Future cybersecurity measures will need to focus on securing these devices and ensuring they are not vulnerable to cyber-attacks.
Cloud security - The use of cloud computing in the smart grid can improve scalability and reduce costs, but it also presents security challenges. Future cybersecurity measures will need to focus on securing cloud infrastructure and data.
Threat intelligence - Cyber-attack detection can be improved by integrating threat intelligence data from multiple sources, such as public and private sector organizations. This can help identify emerging threats and prevent cyber-attacks before they occur.
Conclusion
Cyber-threats to the security of smart grids are a serious topic that faces several hurdles from a variety of assaults. The smart grid dangers described in this paper were divided into two categories: system inherent vulnerabilities and external cyberattacks. A thematic taxonomy of cyberattacks on smart grids is examined in full using cutting-edge technologies that describe their assault plan, effects, and detection methods. Furthermore, blockchain technology and AI approaches are being considered as potential solutions for cyberattacks on smart grids. Although the aforementioned technologies reliably identify assaults on smart grids, a few issues remain, most notably phony topological information, detection of faulty data, security flaws, incorporation of big data, blockchain, and so on. As a result, future research directions are suggested from the standpoint of developing technologies for the vigorous cyber-security of smart grids against sophisticated cyberattacks, as new attack strategies are constantly uncovered.
This paper utilized the NSL-KDD datasets as a benchmark for evaluating a classifier model’s effectiveness in identifying intruder attacks within the realm of IoMT. The datasets consisted of various types of attacks, including DoS attacks, probing attacks, U2R attacks, and remote-to-local assaults. The approach employed SML and RNN techniques, which proved to be suitable for IoMT scenarios that utilize peer-to-peer unique internet protocol addresses to connect smart medical devices. Furthermore, our research focused on strengthening the cybersecurity of existing power grids by introducing a two-stage learning-based solution. This solution combined spatial domain methods and image-based DL approaches to detect and identify FDIAs (False Data Injection Attacks). Initially, the issue of FDIA detection and localization was addressed as a multi-label classification task, later transitioning into an image recognition task. Through our efforts, we successfully developed a robust CNN-based multiclass classifier that outperforms state-of-the-art detectors.