Computers and Electrical Engineering 67 (2018) 469–482

Contents lists available at ScienceDirect

Computers and Electrical Engineering

journal homepage: www.elsevier.com/locate/compeleceng

Cyber-security in smart grid: Survey and challengesR

Zakaria El Mrabet a,b,∗, Naima Kaabouch a, Hassan El Ghazi b, Hamid El Ghazi b
a
Department of Electrical Engineering, Upson Hall II, University of North Dakota, 243 Centennial Drive, Grand Forks, ND 58202, USA
b
STRS Lab, National Institute of Posts and Telecommunication, Rabat, Morocco

a r t i c l e i n f o a b s t r a c t

Article history: Smart grid uses the power of information technology to intelligently deliver energy by
Received 12 May 2017 using a two-way communication and wisely meet the environmental requirements by fa-
Revised 12 January 2018
cilitating the integration of green technologies. The inherent weakness of communication
Accepted 12 January 2018
technology has exposed the system to numerous security threats. Several survey papers
Available online 7 May 2018
have discussed these problems and their countermeasures. However, most of these papers
Keywords: classified attacks based on confidentiality, integrity, and availability, but they excluded the
Smart grid accountability. In addition, the existing countermeasures focus on countering some specific
Cyber-attacks attacks or protecting some specific components, but there is no global approach to secure
Vulnerabilities the entire system. In this paper, we review the security requirements, provide descriptions
Confidentiality of several severe cyber-attacks, and propose a cyber-security strategy to detect and counter
Availability these attacks. Lastly, we provide some future research directions.
Integrity © 2018 Elsevier Ltd. All rights reserved.
Accountability
Intrusion detection system
Cryptography
Network security

1. Introduction

Traditional electrical distribution systems are used to transport electrical energy generated at a central power plant by
increasing voltage levels and then delivering it to the end users by reducing voltage levels gradually. However, this elec-
tricity grid has major shortcomings, including the inability to include diverse generation sources such as green energy, high
cost and expensive assets, time-consuming demand response, high carbon emission, and blackouts. For example, a study
conducted by researchers at the Berkeley National Laboratory in 2004 showed that power interruptions cost the American
economy approximately $80 billion per year; other estimates indicate a higher cost of $150 billion per year [1]. It is evident
that these critical problems cannot be addressed with existing electricity grid. Smart grid promises to provide flexibility
and reliability by facilitating the integration of new power resources (such as renewable energy, wind, and solar energy),
enabling corrective capabilities when failures occur, reducing carbon footprint, and reducing energy losses within the grid.
The smart grid is a system based on communication and information technology in the generation, delivery, and con-
sumption of energy power. It uses the two-way flow of information to create an automated and widely distributed system
that has new functionalities such as, real-time control, operational efficiency, grid resilience, and better integration of renew-

R
Reviews processed and recommended for publication to the Editor-in-Chief by Guest Editor Dr. R. C. Poonia.
∗
Corresponding author: Department of Electrical Engineering, Upson Hall II, University of North Dakota, 243 Centennial Drive, Grand Forks, ND 58202,
USA.
E-mail addresses: [email protected] (Z.E. Mrabet), [email protected] (N. Kaabouch), [email protected] (H.E. Ghazi),
[email protected] (H.E. Ghazi).

https://doi.org/10.1016/j.compeleceng.2018.01.015
0045-7906/© 2018 Elsevier Ltd. All rights reserved.
470 Z.E. Mrabet et al. / Computers and Electrical Engineering 67 (2018) 469–482

able technology which will decrease carbon footprint [2]. However, risks can still exist in the smart grid. Any interruptions
in power generation could disturb smart grid stability and could potentially have large socio-economic impacts. In addition,
as valuable data are exchanged among smart grid systems, theft or alteration of this data could violate consumer privacy.
Because of these weaknesses, smart grid has become the primary target of attackers [1], which attracted the attention of
government, industry, and academia.
Several research papers have been published that provide an overview of the prevailing problems related to cyber secu-
rity in smart grid infrastructure [3–7]. In [3], the authors presented a study of the challenges present in smart grid security.
They classified attacks based upon the type of the network, namely, home area network (HAN), neighborhood area network
(NAN), and wide area network (WAN). In addition, they presented the impact of each attack on the information security:
confidentiality, integrity, and availability (CIA). In [4], the authors discussed security challenges in the smart grid system,
especially those related to connectivity, trust, customer privacy, and software vulnerabilities. The authors provided also an
overview of the existing security solutions, particularly network security, data security, key management, network security
protocols, and compliance checks. Another study focused on public networks has been conducted in [5]. This paper de-
scribed a protection framework of smart grid based on a public network. This framework was composed of three layers,
main station, communication network, and terminals. In [6], the authors discussed the security requirements and possible
threats on the smart grid. These threats were classified into three categories: people and policy, platform, and network
threats. In [7], the authors classified attacks based on the CIA requirements, and they described several countermeasures,
including network security, cryptographic, secure protocols, and secure architecture.
While these survey papers provide various classifications of attacks on smart grid, most of them are based on confiden-
tiality, integrity, or availability. However, they excluded the accountability requirement which is another important criterion
that ensures the tractability of every action performed by any entity in the system. In addition, blended and sophisticated
attacks such as Stuxnet, Duqu, and Flame [1] can compromise all of the security parameters at the same time. Therefore,
such attacks are usually excluded from these classification systems. Furthermore, countermeasures and security solutions
were presented individually for each smart grid’s component, and there is no global approach to combine all security mech-
anisms to secure the entire system.
This paper provides an overview of the current status and future directions of the smart grid cyber-security. The remain-
der of this paper is organized as follows. First, we present an overview of the smart grid’s features, its conceptual model,
key components, and network protocols. Next, we review cyber-security objectives in the smart grid and we describe a new
classification of cyber-attacks based on a method used by hackers or penetration testers. This method allows one to better
understand the process used by hackers to compromise the smart grid system security. Then, we propose a global cyber-
security approach which includes a number of detection techniques and countermeasures to protect the entire system. Some
challenges and future directions are discussed in the last section.

2. Smart grid overview

2.1. Smart grid’s features

The main benefits expected from the smart grid are increasing grid resilience and improving environmental performance.
Resilience indicates the capability of a given entity to resist unexpected events and recover quickly thereafter [1]. Today,
grid resilience as a feature has become non-negotiable, especially when power interruptions can potentially impact the
economy. Smart grid promises to provide flexibility and reliability by enabling additional dispersed power supply, facilitating
the integration of new resources into the grid, and enabling corrective capabilities when failures occur. Moreover, smart
grid systems are expected to enable electric vehicles as replacements for conventional vehicles, reducing energy used by
customers and reducing energy losses within the grid.

2.2. Smart grid’s conceptual model

According to the National Institute of Standard and Technology (NIST) [2], a smart grid is composed of seven logical
domains: bulk generation, transmission, distribution, customer, markets, service provider, and operations, each of which
includes both actors and applications. Actors are programs, devices, and systems whereas applications are tasks performed
by one actor or more in each domain. Fig. 1 shows the conceptual model of smart grid and the interaction of actors from
different domains via a secure channel.
Within the customer domain, the main actor is the end user. Generally, there are three types of customers: home, com-
mercial/building, and industrial. In addition to consuming electricity, these actors may also generate, store, and manage the
use of energy. This domain is electrically connected to the distribution domain and communicates with the distribution,
operation, service provider, and market domains [2].
In the market domain, actors are the operators and participants in the electricity markets. This domain maintains the
balance between electrical supply and the demand. In order to match the production with demand, the market domain
communicates with energy supply domains which include the bulk generation domain and distributed energy resources
(DER) [2]. The service provider domain includes the organizations that provide services to both electrical customers and
utilities. These organizations manage services such as billing, customer account, and use of energy. The service provider
 Z.E. Mrabet et al. / Computers and Electrical Engineering 67 (2018) 469–482 471

Fig. 1. Smart grid’s conceptual model based on NIST [2].

interacts with the operation domain for situational awareness, system control and also communicates with customer and
market domain to develop smart services such as enabling customer interaction with market and energy generation at home
[2]. The operations domain’s actors are the managers of the movement of electricity. This domain maintains efficient and
optimal operations in transmission and distribution. In transmission, it uses energy management systems (EMS), whereas in
distribution it uses distribution management systems (DMS) [2]. Actors in the bulk generation domain include generators
of electricity in bulk quantities. Energy generation is the first step in the process of delivering electricity to the end user.
Energy is generated using resources like oil, flowing water, coal, nuclear fission, and solar radiation. The bulk generation do-
main is electrically connected to the transmission domain and communicates through an interface with the market domain,
transmission domain, and operations domain [2].
In the transmission domain, generated electrical power is carried over long distances from generation domain to distribu-
tion domain through multiple substations. This domain may also store and generate electricity. The transmission network is
monitored and controlled via a supervisory control and data acquisition (SCADA) system, which is composed of a communi-
cation network, control devices, and monitoring devices [2]. The distribution domain includes the distributors of electricity
to and from the end user. The electrical distribution systems have different structures such as radial, looped, or meshed.
In addition to distribution, this domain may also support energy generation and storage. This domain is connected to the
transmission domain, customer domain, and the metering points for consumption [2].

2.3. Smart grid’s systems

Smart grid is composed of several distributed and heterogeneous applications, including advanced metering infrastructure
(AMI), automation substation, demand response, supervisory control and data acquisition (SCADA), electrical vehicle (EV),
and home energy management (HEM). In this section we will discuss three critical and vulnerable applications in the smart
grid: AMI, SCADA, and automation substation. The other applications were discussed in detail in [8].
Advanced metering infrastructure (AMI) belongs to the customer and the distribution domains and it is responsible for
collecting, measuring and analyzing energy, water, and gas usage. It allows two-way communication from the user to the
utility. It is composed of three components: smart meter, AMI headend, and the communication network [9]. Smart meters
are digital meters, consisting of microprocessors and a local memory, and they are responsible first for monitoring and
collecting power usage of home appliances, and also for transmitting data in real time to the AMI headend in the utility
side. An AMI headend is an AMI server consists of a meter data management system (MDMS). The communication between
the smart meters, the home appliances, and the AMI headend is defined through several communication protocols such as
Z-wave and Zigbee [9].
Supervisory control and data acquisition (SCADA) is a system that belongs to the operation domain and it is used to
measure, monitor, and control an electrical power grid. It is typically used in large-scale environments. It consists of three
elements: the remote terminal unit (RTU), master terminal unit (MTU), and human-machine interface (HMI). RTU is a device
composed of three components: first one used for data acquisition, second one responsible for executing instructions coming
for the MTU, and a third one designed for the communication. MTU is a device responsible for controlling the RTU. The HMI
is a graphic interface for the SCADA system operator. The communication within SCADA system is based on many industrial
protocols including distributed network protocol v3.0 (DNP3) and IEC 61850 [1].
472 Z.E. Mrabet et al. / Computers and Electrical Engineering 67 (2018) 469–482

Fig. 2. Illustration of the smart grid architecture [9].

The substation is a key element in the power grid network. It belongs to the generation, transmission, and distribution
domains. It performs several functions including receiving power from generating facility, regulating distribution, and limit-
ing power surge [8]. It contains devices that regulate and distributes electrical energy such as a remote terminal unit (RTU),
global positioning system (GPS), human-machine interface (HMI), and intelligent electronic devices (IEDs). The substation
sends operation data to the SCADA for controlling the power system. Many operations are automated within the substation
in order to increase the reliability of the power grid [1]. The communication between the automation substation and other
devices in transmission and distribution is defined by the standard IEC 61850.

2.4. Smart grid’s network protocols

Distributed and heterogeneous applications in smart grid require different communication protocols. Fig. 2 illustrates
the smart grid network architecture and the protocols used within each network. In the home area network (HAN), home
appliances use ZigBee and Z-wave protocols [9]. In the neighborhood area network (NAN), devices are usually connected via
IEEE 802.11, IEEE 802.15.4, or IEEE 802.16 standards [9]. In the wide area network (WAN) and in supervisory control and data
acquisition (SCADA) applications, several industrial protocols are used especially distributed networking protocol 3.0 (DNP3)
and Modicon communication bus (ModBus) [1]. Some authors have proposed the use of cognitive radio based on the IEEE
802.22 to address the problem of scarcity of wireless resources and improve the smart gird’s communication in the wide
area network [10].
Within the substation automation, the protocol IEC 61850 is used [7]. In this section, we will discuss two widely used
yet vulnerable protocols in smart grid: Modbus and DNP3 [11,12]. Bluetooth, Z-Wave, Zigbee, WiMAX, IEC 61850 protocol,
and power line communication are discussed in depth in [8]. Vulnerabilities and attacks related to the MAC and network
layers of the cognitive radio including primary user emulation (PUE), spectrum sensing data falsification (SSDF) attack, and
small backoff window attacks are discussed in detail in [13–17].
Modicon communication bus (Modbus) is a 7 layer protocol of the model OSI; it was designed in 1979 to enable the
process controller to communicate in real-time with computers. There are three types of Modbus: Modbus ASCII, Modbus
RTU, and Modbus/TCP. In the first one, messages are coded in hexadecimal. Though it is slow, it is ideal for radio links and
telephone communications. In the second one, the messages are coded in binary and it is used over RS232. In the third
one, the masters and slaves use IP addresses for communication [11]. In a SCADA system, ModBus is a master-slave protocol
responsible for exchanging instruction between one master, remote terminal unit (RTU) or master terminal unit (MTU), and
several slave devices, such as sensors, drivers, and programmable logic controllers (PLCs) [11]. On one hand, Modbus is
widely used in industrial architecture, because of its relative ease of use by communicating raw data without restriction of
authentication, encryption, or any excessive overhead [1]. On the other hand, these features make it vulnerable and easily
exploitable [11].
Distributed network protocol v3.0 (DNP3) is another widely used communication protocol for critical infrastructure, more
specifically in the electricity industry [12]. It was initiated in 1990 as a serial protocol to manage communication between
“Master stations” and slave stations called “outstations’ [1]. In electrical stations, DNP3 was used for connecting master sta-
tions, such as remote terminal units (RTUs), with outstations, such as intelligent electrical devices (IEDs). In 1998, DNP3
was extended to work over IP networks through the encapsulation of the transmission control protocol (TCP) or user data-
gram protocol (UDP) packets. DNP3 uses several standardized data formats and support time-stamped (time-synchronized)
 Z.E. Mrabet et al. / Computers and Electrical Engineering 67 (2018) 469–482 473

data, making the data transmission reliable and efficient. At first, DNP3 did not provide any security mechanism such as
encryption or authentication, but this problem was fixed with a secure version of DNP3 called DNP3 secure [1,7,12].

3. Security requirements of smart grid

The National Institute of Standards and Technology (NIST) has defined three criteria required to maintain the security of
information in the smart grid and keep it protected, specifically confidentiality, integrity, and availability [18]. According to
[19], accountability is another important security criterion. The description of each criterion is given below.

3.1. Confidentiality

In general, confidentiality preserves authorized restrictions on information access and disclosure. In other words, the con-
fidentiality criterion requires protecting both personal privacy and proprietary information from being accessed or disclosed
by unauthorized entities, individuals, or processes. Once an unauthorized disclosure of information occurs, confidentiality
is lost [18]. For instance, information such as control of a meter, metering usage, and billing information that is sent be-
tween a customer and various entities must be confidential and protected; otherwise, the customer’s information could be
manipulated, modified, or used for other malicious purposes.

3.2. Availability

Availability is defined as ensuring timely and reliable access to and use of information. It is considered the most impor-
tant security criterion in the smart grid because the loss of availability means disruption of access to information in a smart
grid [18]. For example, loss of availability can disturb the operation of the control system by blocking the information’s flow
through the network, and therefore denying the network’s availability to control the system’s operators.

3.3. Integrity

Integrity in smart grid means protecting against improper modification or destruction of the information. A loss of in-
tegrity is an unauthorized alteration, modification, or destruction of data in an undetected manner [18]. For example, power
injection is a malicious attack launched by an adversary who intelligently modifies the measurements and relays them from
the power injection meters and power flow to the state estimator. Both nonrepudiation and authenticity of information are
required to maintain the integrity. Nonrepudiation means that individuals, entity or organization, are unable to perform a
particular action and then deny it later; authenticity is the fact that data is originated from a legitimate source.

3.4. Accountability

Accountability means ensuring tractability of the system and that every action performed by a person, device, or even
a public authority is recordable so that no one can deny his/her action. This recordable information can be presented as
an evidence in a court of law in order to determine the attacker. An example of an accountability problem would be the
monthly electricity bills of customers. Generally, smart meters could determine the cost of electricity in real-time or day-
to-day. However, if these meters are under attack this information is no longer reliable because they have been altered. As
a result, the customer will have two different electric bills, one from the smart meter and the other from the utility [19].

4. Security problems and countermeasures in smart grid

4.1. Smart grid attacks

In general, and as shown in Fig. 3, there are four steps used by malicious hackers to attack and get control over a system,
namely reconnaissance, scanning, exploitation, and maintain access [20]. During the first step, reconnaissance, the attacker
gathers and collects information about its target. In the second step, scanning, the attacker tries to identify the system’s
vulnerabilities. These activities aim to identify the opened ports and to discover the service running on each port along
with its weaknesses. During the exploitation step, he/she tries to compromise and get a full control of the target. Once the
attacker has an administrative access to the target, he/she proceeds to the final step which is, maintaining the access. This
step is achieved by installing a stealthy and undetectable program; thus he/she can get back easily to the target system later.
In smart grid, the same steps are followed by attackers to compromise the security’s criteria [1]. During each step, they
use different techniques to compromise a particular system in the grid. Thus, attacks can be classified based on these steps.
Fig. 4 illustrates the types of attacks during each step. As one can see, numerous types of attacks can happen during the
exploitation step. The malicious activities and attacks during each step described below.
474 Z.E. Mrabet et al. / Computers and Electrical Engineering 67 (2018) 469–482

Fig. 3. Attacking cycle followed by hackers to get control over a system [20].

Fig. 4. Cyber-attacks classification in smart grid based on the attacking cycle.

4.1.1. Reconnaissance
The first phase, reconnaissance, includes the attacks: social engineering and traffic analysis. Social engineering (SE), relies
on social skills and human interaction rather than technical skills. An attacker uses communication and persuasion to win
the trust of a legitimate user and gets a credential and confidential information such as passwords or personal identifi-
cation number (PIN) number to log on into a particular system. For examples, phishing and password pilfering attack are
famous techniques used in SE. The traffic analysis attack is used to listen to the traffic and analyze it in order to determine
the devices and the hosts connected to the network along with their IP addresses. Social engineering and traffic analysis
compromise mainly the confidentiality of the information.

4.1.2. Scanning
Scanning attack is the next step used to discover all the devices and the hosts alive on the network. There are four
types of scans: IPs, ports, services, and vulnerabilities [20]. Generally, an attacker starts with an IPs scan to identify all
the hosts connected in the network along with their IP addresses. Next, he or she goes deeper by scanning the ports in
order to determine which port is open. This scan is executed on each discovered host on the network. The attacker then
moves on to the service scan in order to find out the service or system running behind each opened port. For instance, if
 Z.E. Mrabet et al. / Computers and Electrical Engineering 67 (2018) 469–482 475

the port 102 is detected open on a particular system, the hacker could infer that this system is a substation automation
control or messaging. If the port 4713 is open, the target system is a phasor measurement unit (PMU) [1]. The final step,
vulnerabilities scan, aims to identify the weaknesses and vulnerabilities related to each service on the target machine to
exploit it afterward.
Modbus and DNP3 are two industrial protocols vulnerable to scanning attacks. Given that Modbus/TCP was designed for
communication rather than security purpose, it can be compromised by an attack called Modbus network scanning. This
attack consists of sending a benign message to all devices connected to the network to gather information about these
devices. Modscan is a SCADA Modbus network scanner designed to detect open Modbus/TCP and identify device slave IDs
along with their IP addresses [11]. In [12], the authors have proposed an algorithm to scan the DNP3 protocol and discover
hosts, specifically, the slaves, their DNP3 addresses, and their corresponding master.

4.1.3. Exploitation
The third step, exploitation, includes malicious activities that attempt to exploit the smart grid component’s vulner-
abilities and get the control over it. These activities include viruses, worms, Trojan horses, denial of service (DoS) attacks,
man-in-the-middle (MITM) attacks, replay attacks, jamming channels, popping the human-machine interface (HMI), integrity
violations, and privacy violations.
A virus is a program used to infect a specific device or a system in smart grid. A worm is a self-replicating program. It
uses the network to spread, to copy itself, and to infect other devices and systems. A Trojan horse is a program that appears
to perform a legitimate task on the target system. However, it runs a malicious code in the background. An attacker uses
this type of malware to upload a virus or worm on the target system [1]. In June 2010, Roel Schouwenberg, a senior research
at Kaspersky Lab, detected Stuxnet, the first worm targeting supervisory control and data acquisition (SCADA) systems [1].
This is regarded as the first cyber-attack against a physical industrial control system.
Stuxnet, a worm of 500 Kilobytes, exploited many zero-days, which are software vulnerabilities that have not yet dis-
closed by the software owner. It infected at least 14 industrial sites based in Iran, including a uranium-enrichment plant.
More than one year later, two more worms that targeted industrial control systems were discovered, Duqu and Flame. Un-
like Stuxnet, Duqu was designed to gather and steal information about industrial control systems. Flame, on the other hand,
was created to be used in cyber espionage in industrial networks. It has been found in Iran and other Middle East countries
[1]. Viruses and worms can compromise availability, as Stuxnet did, confidentiality, as Duqu did, or a combination of the
security’s parameters.
In denial of service (DoS) attacks, several methods are used, particularly SYN attacks, buffer overflow, teardrop attacks,
and smurf attacks [1], puppet attack [21], and time synchronization attack (TSA) [22]. A SYN attack exploits the three-way
handshake (SYN, SYN-ACK, ACK) used to establish a Transmission Control Protocol (TCP) session. The attacker floods a target
system with connection requests without responding to the replays, forcing the system to crash. The Modbus/TCP protocol
is vulnerable to these attacks since it operates over TCP.
In buffer overflow, the attacker sends a huge amount of data to a specific system, thereby exhausting its resources [1].
For example, the ping-of-death is considered as a buffer overflow attack as it exploits the internet control message protocol
(ICMP) by sending more than 65 K octets of data. It then makes the system crash.
In a teardrop attack, an attacker alters and modifies the length and the fragmentation offset fields in sequential IP packets
[1]. Once the target system receives these packets, it crashes because the instructions on how the fragments are offset within
these packets are contradictory.
In a smurf attack, the attacker targets not only a specific system, but it can saturate and congest the traffic of an entire
network. It consists of three elements: the source site, the bounce site, and the target site. For source site, the adversary
sends a spoofed packet to the broadcast address of the bounce site. These packets contain the IP address of the target
system. Once the bounce site receives the forged packets, it broadcasts them to all hosts connected to the network and then
causes these hosts to replay, saturating then the target system [1].
In puppet attack [21] targets the advanced metering infrastructure (AMI) network by exploiting a vulnerability in dynamic
source routing (DSR) protocol and then exhausting the communication network bandwidth. Due to this attack, the packet
delivery drops between 10% and 20%.
The time synchronization (TSA) attack [22] targets mainly the timing information in the smart grid. Because power grid
operations such as fault detection and event location estimation depend highly on precise time information, and also most
of the measurement devices in smart grid are equipped with a global positioning system (GPS), attack such as TSA, which
spoof the GPS information, could have a high impact on the system. DoS represents a significant threat to the smart grid
system because communication and control messages in such a system are time critical, and a delay of few seconds could
compromise the system availability.
The man-in-the-middle (MITM) attack is performed when an attacker inserts itself between two legitimate devices and
listens, performs an injection, or intercepts the traffic between them. The attacker is connected to both devices and relays
the traffic between them. These legitimate devices appear to communicate directly when in fact they are communicating
via a third-device [7]. For example, an attacker could conduct a MITM, by placing himself on an Ethernet network to alter or
misrepresent I/O values to the human-machine interface (HMI) and programmable logic controllers (PLC). The MITM could
also be used to intercept TCP/IP communication between the substation gateway and the transmission SCADA server.
476 Z.E. Mrabet et al. / Computers and Electrical Engineering 67 (2018) 469–482

Intercept/alter attack is another type MITM attack. It attempts to intercept, alter, and modify data either transmitted
across the network or stored in a particular device [7]. For example, in order to intercept a private communication in ad-
vanced metering infrastructure (AMI), an attacker uses electromagnetic/radio-frequency interception attack. Active eaves-
dropping attack is another MITM attack’s type, where the attacker intercepts private communications between two legiti-
mate devices. All these MITM attacks attempt to compromise the confidentiality, the integrity, and the accountability.
In a replay attack, as the industrial control traffic is transmitted in plain text, an attacker could maliciously capture
packets, inject a specific packet, and replay them to the legitimate destinations, compromising then the communication’s
integrity. Intelligent electronic device (IED), which is a device designed for controlling and communicating with the SCADA
system [7], could be targeted by replay attacks so that false measurements are injected in a specific register. Replay attack
could also be used to alter the behavior of the programmable logic controllers (PLC) [1]. In AMI, where an authentication
scheme is used between smart meters, a replay attack involves a malicious host to intercept authentication packets sent
from smart meter and re-sending them at a later point in time, expecting to authenticate and gain unauthorized entry into
the network.
In the jamming channel attack, an adversary exploits the shared nature of the wireless network and sends a random or
continuous flow of packets in order to keep the channel busy and then prevents legitimate devices from communicating
and exchanging data [23]. Due to its time-critical nature, smart grid requires a highly available network to meet the quality
of service requirements and such an attack can severely degrade its performance. In [24], the authors have proposed a
jamming attack named maximum attacking strategy using spoofing and jamming (MAS-SJ) that targets mainly the cognitive
radio network (CRN) in the wireless smart grid network (WSGN). Because WSGN is important for monitoring power grid in
the smart grid with the PMU that plays a key component by providing time-synchronized data of power system operating
states, attacks like MAS-SJ can disturb the operation of the system or even make it unavailable.
Popping the HMI is an attack that exploits a known device’s vulnerability, especially device’s software or operating sys-
tem vulnerabilities, and then installs a remote shell, allowing the attacker to connect remotely to the server from his com-
puter to get unauthorized access in order to monitor and control the compromised system [1]. SCADA systems, substations,
or any system running an operating system with a console interface is considered as a potential target of this attack. Even
given the potential impact of such an attack, it does not require advanced networking skills or significant experience in
security and industrial control system to perform. Since the devices’ vulnerabilities documentation are publicly available, a
hacker or the so-called script-kiddies may simply use open source tools such as Metasploit and meterpreter to launch such
an attack and gain full control of the target system. The availability, integrity, confidentiality, and accountability may be
compromised based on the attacker’s objective and motivation.
In the masquerade attack, a malicious person may pretend to be a legitimate user in order to gain access to a system or
gain greater privileges to perform unauthorized actions. This attack could tamper with the programmable communicating
thermostat (PCT) which is used to reduce electric power at a residential site. It compromises the availability, integrity,
confidentiality, and accountability of the system [1].
Integrity violation attacks aim to violate the integrity and/or the accountability of the smart grid by altering intentionally
or unintentionally the data stored in a given device in the network. For instance, a customer could perform this attack to
alter the smart meter data in order to reduce his electricity bill. This attack could also be used to target remote terminal unit
(RTU), so wrong data will be reported to the control center, resulting in an increased outage time. False data injection (FDI)
attack is a type of integrity violation. It aims to introduce arbitrary errors and corrupt some device’s measurements, affecting
the accuracy of the state estimate (SE). Since the SE is important for system monitoring to ensure reliable operation in the
power system, and for the energy management system (EMS) to process a real-time data collected by the SCADA system,
FDI attack could compromise the SE’s integrity leading to the instability of the smart grid system. A detailed study on the
impact of the FDI attack on the power system stability was conducted in [25].
Privacy violation attack aims to violate privacy by collecting private information about customers [4]. For example, as
smart meters collect electricity usage many times per hour, information about the user electricity’s consumption could be
obtained. Thus, if a meter does not show electricity usage for a period of time, that commonly indicates that the house is
empty. This information could then be used to conduct a physical attack like burglary.

4.1.4. Maintaining access

In the final step, maintaining access, the attacker uses a special type of attack to gain permanent access to the target,
especially backdoors, viruses, and Trojan horses. A backdoor is an undetectable program, stealthy installed on the target
to get back later easily and quickly [1]. If the attacker succeeds in embedding a backdoor into the servers of the control
center of the SCADA, he or she can launch several attacks against the system which can cause a severe impact on the power
system.
In IT network, security’s parameters are classified based on their importance in the following order: confidentiality, in-
tegrity, accountability, and availability. Whereas in smart grid, they are classified: availability, integrity, accountability, and
confidentiality [19]. Thus, we can say that attacks which compromise the availability of the smart grid systems have a high
severity, while those targeting confidentiality have a low severity. In addition to the level of severity, each attack has a level
of likelihood to be performed. For instance, attacks such as Stuxnet and Duqu [1], has a high severity because they are
able to vandalize the industrial control system and bypass all the security boundaries; but, they are complex and sophisti-
cated. So, these viruses have high severity, but their likelihood to be performed is low. Another example is the HMI popping
 Z.E. Mrabet et al. / Computers and Electrical Engineering 67 (2018) 469–482 477

Table 1
Likelihood of the attack to be performed and its associated severity.

Severity of the attack

Low Medium High

Likelihood of the attack to be performed High • Traffic analysis [1] • Virus, worms, Trojan horse [1]
• Privacy violation [4] • DoS [21,22]
• Backdoor [1]
Medium • Social engineering [1] • MITM [1,7] • Jamming channel [23,24]
• Scanning [11,12] • Masquerade attack [1]
• Integrity violation [1,25]
• Replay attack [1]
Low • Popping the HMI [1]

Pre-aack

Post-aack Under aack

Fig. 5. Cyber-security strategy for the smart grid.

attack. It has a high severity and it does not require advanced networking skills or significant experience in security and
industrial control system to perform it. Since the devices’ vulnerabilities documentation are publicly available, a hacker or
the so-called script-kiddies may simply use open source tools such as Metasploit and meterpreter to launch such an attack
[1]. Therefore, this attack has high severity and it is very likely to be performed. Table 1 shows the likelihood of each attack
to be performed and its associated level of severity.

4.2. Detection techniques and countermeasures

A number of attack detection and countermeasure techniques are proposed in the literature to counter cyber-attacks. For
instance, the authors of [23,24] proposed a technique to detect jamming channel attacks. In [25], the authors proposed a
technique to detect False detection injection (FDI) attacks. Though these security solutions contribute to the smart grid’s
security, they are insufficient to face sophisticated and blended attacks [1]. Moreover, Stuxnet [1] showed that strategy like
“Defense-in-depth” or “security by obscurity” [1] are no longer considered as valid solutions. We believe that security cannot
be achieved through one specific solution, but by deploying several techniques incorporated into a global strategy. In this
section, and as Fig. 5 shows, we propose a cyber-security strategy composed of three phases: pre-attack, under attack, and
post-attack. As follows, and for each phase, relevant published solutions in terms of security protocols, security technology,
cryptography, and other cyber-attack countermeasures are described.

4.2.1. Pre-attack
During this first phase, pre-attack, various published solutions are recommended to enhance the smart grid’s security
and to be prepared for any potential attack. Security countermeasures commonly fall into three categories, namely network
security, cryptography, and device security. In this paper, we discuss technologies and security protocols such as the in-
trusion detection system (IDS), security information and event management systems (SIEM), network data loss prevention
(DLP), and secure DNP3 [1,9] for the network security. Encryption, authentication, and key management [4,7] for the data
security. Finally, Host IDS, compliance checks, and diversity technique for the device security.

4.2.1.1. Network security. The network is the backbone of a smart grid. So, network security plays a significant role in se-
curing the entire system. Using firewalls supplemented with other monitoring and inspection technologies is recommended
[1] to secure the smart grid network. A firewall is intended to allow or deny network connections based on specific rules and
policies. But an unknown or an advanced attack technique can easily bypass many firewall techniques. Therefore, firewalls
should be associated with other security technologies such as intrusion detection system (IDS), security information and
event management systems (SIEM), and network data loss prevention (DLP) [1,9]. IDS is a system developed for detecting
malicious activity either on a network or on a specific host [9].
SIEMs are information management systems that collect and gather information such as operating system logs, applica-
tion logs, and network flow from all devices in the network. Then the collected information will be analyzed and processed
478 Z.E. Mrabet et al. / Computers and Electrical Engineering 67 (2018) 469–482

by a centralized server in order to detect any potential threat or a malicious activity in the network [1]. Network DLP is a
system responsible for preventing the loss or the theft of the data across the network [1].
In addition to these security systems, secure network protocols such as IPsec, transport layer security (TLS), secure sock-
ets layer (SSL), secure DNP3 can also be used to enhance security in the network. DNP3 is an industrial protocol widely used
in smart grid [12]. Initially, DNP3 protocol came without any security mechanisms. In other words, messages are exchanged
in plain text across the network and can be easily intercepted. In recent years, the increased number of cyber-attacks tar-
geting industrial and power system has attracted the attention of a number of researchers in both industry and academia.
Consequently, a secured variation of DNP3 protocols has been released named secure DNP3.
This secured version added a secure layer for encryption and authentication between the TCP/IP and application layer.
Using such a protocol, several attacks can be avoided, for example, authentication mechanism can protect against MITM
attack, whereas encryption decreases eavesdropping and replay attacks. Secure DNP3 is discussed further in [7].

4.2.1.2. Cryptography for data security. Encryption mechanisms aim to ensure data’s confidentiality, integrity, and non-
repudiation. There are two types of key encryptions: symmetric and asymmetric. In symmetric key encryption or single-key
encryption, one key is used to encrypt and to decrypt data. The most used algorithms employing symmetric encryption are
advanced encryption standard (AES) and data encryption standard (DES). Asymmetric key encryption, on the other hand,
uses two keys to encrypt and decrypt data: a private key and public key. RSA (Rivest, Shamir, and Adleman) is a widely
used asymmetric algorithm. In smart grid, various components with different computational capabilities co-exist. Therefore,
both symmetric and asymmetric key encryption can be used, and the selection depends on several factors, including data
criticality, time constraints, and computational resources [4].
Authentication is defined as the act of verifying that an object’s identity is valid, such as the use of a password [3]. An
object could be a user, a smart device, or any component connected to the smart grid network. Multicast authentication
is a particular type of authentication and its applications are widely used in smart grid. In [4], the authors proposed three
methods to achieve authentication for multicast applications: secret-info asymmetry, time asymmetry, and hybrid asymme-
try.
Key management is a crucial approach for encryption and authentication. Public key management (PKI), or shared se-
cret key management, can be used to ensure authenticity for communication across networks. In PKI infrastructure, the
identities of two parties are verified by a certificate delivered by a third party called the certificate authority (CA). This
mechanism is done before establishing any connection between the two parties. In shared secret key management, four
steps are used to maintain communication security: key generation, key distribution, key storage, and key update [4]. Due
to the distributed nature of the smart grid, some specific requirements should be considered to design a cryptography key
management, authors in [7] present several basic yet relevant requirements of the key management scheme, particularly
efficiency, evolve-ability, scalability, and secure management. In addition, several key management frameworks have been
proposed specifically for the power system: single-key, key establishment scheme for SCADA systems (SKE), key management
architecture for SCADA systems (SKMA), advanced key management architecture for SCADA systems (ASKMA), ASKMA+, and
scalable method of cryptographic key management (SMOCK) to name a few. The choice of a framework relies on different
criteria, including scalability, computational resource capability, and support for multicast. The authors conducted a compar-
ison between the key management schemes listed above. The comparison was based on scalability, support for multicast,
robust to key compromise, and power system application. ASKMA+ and SMOCK show interesting results. ASKMA+ is an
efficient key management scheme and it supports multicast, but it still suffers from scalability. SMOCK, on the other hand,
shows good scalability; however, it has some weaknesses such as no support for multicast and low computational efficiency.

4.2.1.3. Device security. Device protection is the third crucial element in the supply chain of smart grid security. Many re-
search papers and recommendation reports have been published contributing to security assurance for endpoints. In [1],
several security technologies have been recommended, particularly, host IDS, anti-virus, and host data loss prevention (DLP).
Additionally, authors in [4] recommended using an automated security compliance check. Such a tool performs a check
against all smart grid components to verify that each device’s configuration is up to date, especially the device’s firmware
and the current configuration file. As the smart grid components are highly connected and a weakness in one component
can expose the entire system to risk, a compliance check is a crucial tool.

4.2.2. Under attack

This step is divided into two tasks: attack detection and attack mitigation. Several approaches and technologies can be
used during each task, to detect the malicious activity, and then deploy the appropriate countermeasures.
During the attack detection, all the deployed security technologies are recommended, including SIEMS, DLP, and IDS
[1,9]. But, some of these solutions have a number of limitations and need improvements, particularly IDS. IDS is a widely
used security system in IT network, and it is also used in smart grid network; but, it has many performance limitations
especially reporting a high rate of false positive. Thus, many research papers were published to improve the IDS performance
in the smart context. In [9], the authors have proposed an IDS based on data stream mining algorithms. They have provided
a comparison between seven existing state-of-the-art data stream mining algorithms: accuracy updated ensemble, active
classifier, leveraging bagging, limited attribute classifier, bagging using ADWIN, bagging using adaptive-size hoeffding tree,
and single classifier drift. This comparison was based on several metrics including execution time, detection accuracy, and
 Z.E. Mrabet et al. / Computers and Electrical Engineering 67 (2018) 469–482 479

memory consumption. For the assessment, they used the KDD Cup 1999 database. The results showed that some algorithms
do not require advanced computational resources, so they are suitable for IDS in some devices such as smart meters. Other
algorithms have a high accuracy, but they require more computational resources; these algorithms can be used for data
concentrators or in an AMI headends.
Once the attack is detected, mitigation can be executed using the following methods. In [4], the authors have surveyed
and summarized several methods used to mitigate the DoS attack, especially pushback and reconfiguration methods. In
pushback, the router is configured to block all the traffic coming from the attacker’s IP address. In the reconfiguration
method, the network topology is changed to isolate the attacker. For jamming attacks, authors in [23] discussed anti-
jamming schemes using fuzzy logic. Other mitigation techniques for buffer overflow, man-in-the-middle, CPU exhausting,
and replay attack, distributed denial of service (DDoS), and false data injection (FDI) were discussed in detail in [3,25].

4.2.3. Post-attack
When an attack is not detected, such as in the case of Stuxnet, the post-attack period is an important step. First, it
is critical to identify the entity involved in the attack. Then, the IDS signature, anti-virus database, and security policies
must be kept up to date by learning from attacks and to protect the smart grid against future similar attacks. Forensic
analysis is the primary technique used during the post-attack. Smart grid forensic studies collect, analyze, and intercept
digital data in order to identify the entity involved in the event. They are also useful to determine and address cyber and
physical vulnerabilities of the smart grid in order to anticipate potential attacks. In addition, the forensic analysis in smart
grid plays an important role in the investigation of cyber-crimes such as hacking, viruses, digital espionage, cyber terrorism,
manipulating the operation of the smart grid, violating the consumer’s privacy, and stealing valuable information including
intellectual property and state secrets [1].
Table 2 shows a summary of the cyber-attacks in smart grid based upon the four steps: reconnaissance, scanning, ex-
ploitation, and maintaining access. Each step includes attacks’ categories, attacks’ examples, the compromised component
in the smart grid by each attack, the impact of each attack, and the appropriate countermeasures. As we can see, the most
attacks can be avoided by using secure network protocols such as secure DNP3, and also by enabling encryption and au-
thentication mechanisms.

5. Challenges and future directions

In heterogeneous systems such as smart grid, different devices coexist and communicate through various network pro-
tocols. This heterogeneity represents a great challenge and a potential threat to the smart grid security. The communication
between devices requires aggregation of data and translation between protocols. However, this aggregation can enable acci-
dental breaches and vulnerabilities simply because a feature in one protocol could not be translated properly into another
[4].
Furthermore, the majority of industrial network protocols used in the smart grid such as DNP3, ICCP, Modbus, and
Profibus, were designed for connectivity but not for security purposes. Thus, these protocols not only cannot ensure a secure
communication, but they may also be used as an attack surface. Though there are some secure versions of many industrial
protocols, such as secure DNP3. However, the problem with this new version is its incompatibility with legacy installations
[1].
In addition to the network protocols issues, operating systems and physical equipment in the smart grid may expose the
system to a wide variety of attacks. Since operating systems are designed for control in automation control components,
they lack security features. Moreover, most of the physical devices are obsolete whereas others have insufficient memory
space and limited computational capacity, so they cannot support advanced security mechanisms. For instance, smart me-
ters have limited memory and computational resources because they are designed for lower power consumption, so they
cannot support some important security mechanisms such as proper random number generators and cryptographic acceler-
ators. Although these components have less impact on the smart grid operation, if they are compromised, they represent a
potential vector to compromise the whole system.
Security solutions such as IDS, firewalls, and encryption methods play a significant role in securing the conventional net-
works. However, these mechanisms have many limitations and they are inappropriate for a distributed environment with
different application requirements such as latency and bandwidth [8]. In addition, these solutions are unable to counter
emerging cyber-attacks. Since cyber-attacks are becoming more blended, sophisticated, and complex, they are able to target
at the same time multiple layers of a communication system. For example, as previously mentioned, Stuxnet [1] was able
to vandalize an industrial control system by bypassing all the security boundaries, demonstrating that the security solu-
tions deployed in those scenarios are unable to detect such an effective virus. Furthermore, because there are several logical
domains in smart grid (generation, transmission, distribution, markets, customer, and service provider), security require-
ments differ from one domain to another. For instance, in the generation domain, denial of service (DoS) attacks need a fast
detection, which is not the case for the market domain, customer domain, or service provider domain. In addition, the trans-
mission domain requires delay-efficient key management, whereas the market domain requires large-scale key management
[7].
Therefore, rather than applying a simple security approach or deploying a specific security technology, we believe that
smart grid cyber-attacks may be mitigated more effectively by combining several security mechanisms through a cyber-
 480
Table 2
Cyber-attacks in smart grid, their impacts, and countermeasure.

Attacking cycle steps Attack categories Attack examples Compromised Compromised security’s Possible countermeasures
application/protocol parameters
in the smart grid.

Reconnaissance Traffic analysis, social [1] Modbus protocol, DNP3 Confidentiality Secure DNP3, PKI, TLS, SSL, Encryption,
engineering protocol Authentication[1, 7]

Z.E. Mrabet et al. / Computers and Electrical Engineering 67 (2018) 469–482

Scanning Scanning IP, Port, Modbus network scanning [11] Modbus Protocol Confidentiality IDS [9], SIEM, Automated [1] security
Service, compliance checks [4]
Vulnerabilities
DNP3 network scanning [12] DNP3 Protocol
Exploitation Virus, worms, Trojan Stuxnet, Duqu [1] SCADA PMU, Control Confidentiality Integrity DLP, SIEM, Anti-virus [1], IDS [9]
horse device Availability Accountability
Denial of service (DoS) Puppet attack [21] AMI Availability SIEM [1], flow entropy, signal strength,
sensing time measurement,
transmission failure count, pushback,
reconfiguration methods [4], IDS [9]
TSA [22] PMU, smart grid
equipment’s GPS
Man-in-the-middle Intercept/alter, active HMI, PLC, SCADA, AMI, Confidentiality Integrity Secure DNP3, PKI [7], TLS, SSL,
(MITM) eavesdropping attack [1,7] DNP3 encryption, authentication [1]
Replay attack [1] IED, SCADA, PLC, Integrity Secure DNP3, PKI [7], TLS, SSL,
authentication encryption, authentication [1]
scheme in AMI
Jamming channel [23] PMU Availability Anti-jamming [23]
MAS-SJ [24] CRN in WSGN
Popping the HMI [1] SCADA, EMS, Confidentiality Integrity DLP, SIEM, Anti-virus [1], automated
substations. Availability Accountability security compliance checks [4], IDS
[9]
Masquerade attack [1] PLC Confidentiality Integrity DLP, Secure DNP3, PKI [7], SIEM, TLS,
Availability Accountability SSL, encryption, authentication [1],
IDS [9]
Integrity violation [1] Smart meter, RTU Integrity Availability DLP, Secure DNP3, PKI [7,25], SIEM,
TLS, SSL, encryption, authentication
[1], IDS [9]
FDI [25] EMS, SCADA, AMI
Privacy violation [4] Smart meters Confidentiality Secure DNP3, PKI [7], TLS, SSL,
encryption, authentication [1]
Maintaining access Backdoor [1] SCADA Confidentiality Integrity IDS [9], SIEM, Anti-virus [1]
Availability Accountability
 Z.E. Mrabet et al. / Computers and Electrical Engineering 67 (2018) 469–482 481

security strategy. Such a strategy has several benefits, including, addressing the system’s vulnerabilities, detecting a number
of cyber-attacks, deploying the appropriate countermeasures, and identifying the involved entity.

6. Conclusion

Smart grid is a system composed of distributed and heterogeneous components to intelligently deliver the electricity and
meet the environmental requirements by integrating renewable technologies. However, this system suffers from a number of
security weaknesses. We have provided a comprehensive overview of cyber-security in smart grid and investigated in depth
the main cyber-attacks threating its infrastructure, network protocols, and applications. We have classified cyber-attacks
based on four steps namely reconnaissance, scanning, exploitation, and maintaining access. These steps are followed by
the attackers to compromise any system. In the first step, we presented the techniques used to gather enough information
about the target such as traffic analysis and social engineering. In the second step, we described the techniques used to
scan the victim’s machine. In the third step, we presented the techniques used to exploit and compromise the target. These
techniques include Virus, DoS, and replay attacks. In the last step, we described the attacks used by the adversary to have
a permanent access to the target such as backdoors. In addition, we provided the likelihood of each attack to be performed
along with its impact on the information security, especially the confidentiality, integrity, availability, and accountability.
Moreover, we proposed a cyber-security strategy composed of three steps: pre-attack, under attack, and post-attack. For
each step, we recommended a number of detection and countermeasures techniques. For instance, during the first step,
we described several techniques for network security, data security and device security. In the second step, we presented
techniques used for attack detection and mitigation. In the last step, the forensic technique was presented to identify the
entity involved in an attack. Such a strategy can address potential components’ vulnerabilities, enhance communication
security in the network, and protect customer privacy.

References

[1] Knapp ED, Samani R. Applied cyber security and the smart grid: implementing security controls into the modern power infrastructure. Amsterdam:
Elsevier, Syngress; 2013.
[2] Framework N. Roadmap for smart grid interoperability standards, release 2.0, vol. 1108. NIST Special Publication; 2012.
[3] Rawat DB, Bajracharya C. Cyber security for smart grid systems: status, challenges and perspectives. In: Proceedings of the SoutheastCon; 2015. p. 1–6.
[4] Shapsough S, Qatan F, Aburukba R, Aloul F, Al Ali A. Smart grid cyber security: challenges and solutions. In: Proceedings of the international conference
on smart grid and clean energy technologies; 2015. p. 170–5.
[5] Liang X, Gao K, Zheng X, Zhao T. A study on cyber security of smart grid on public networks. In: Proceedings of the IEEE green technologies conference;
2013. p. 301–8.
[6] Essaaidi M, Dari Y. An overview of smart grid cyber-security state of the art study. In: Proceedings of the 3rd international renewable and sustainable
energy conference; 2015. p. 1–7.
[7] Wang W, Lu Z. Cyber security in the smart grid: survey and challenges. Comput Netw 2013;57(5):1344–71.
[8] Gungor VC, Sahin D, Kocak T, Ergut S, Buccella C, Cecati C, Hancke GP. A survey on smart grid potential applications and communication requirements.
IEEE Trans Ind Inf 2013;9(1):28–42.
[9] Faisal MA, Aung Z, Williams JR, Sanchez A. Data-stream-based intrusion detection system for advanced metering infrastructure in smart grid: a feasi-
bility study. IEEE Syst J 2015;9(1):31–44.
[10] Kaabouch N, Hu WC. Software-defined and cognitive radio technologies for dynamic spectrum management, vols. 1 and 2. IGI Global; 2014.
[11] Al-Dalky R, Abduljaleel O, Salah K, Otrok H, Al-Qutayri M. A Modbus traffic generator for evaluating the security of SCADA systems. In: Proceedings of
the international symposium on communication systems, networks digital sign; 2014. p. 809–14.
[12] Rodofile NR, Radke K, Foo E. DNP3 network scanning and reconnaissance for critical infrastructure. In: Proceedings of the Australasian Computer
science week multiconference; 2016 pp. 39:1–39:10.
[13] Manesh MR, Kaabouch N. Security threats and countermeasures of MAC layer in cognitive radio networks. J Ad Hoc Netw 2017.
[14] Bouabdellah M, Kaabouch N, El Bouanani F, Ben-Azza H. Network layer attacks and countermeasures in cognitive radio networks: a survey. J Inf Secur
Appl 2018;38:40–9.
[15] Fihri WF, El Ghazi H, Kaabouch N, Abou El Majd B. Bayesian decision model with trilateration for primary user emulation attack localization in
cognitive radio networks. In: Proceedings of the IEEE international symposium on networks, computers, and communications, May; 2017. p. 1–6.
[16] Manesh MR, Mullins M, Forerster K, Kaabouch N. A preliminary work toward investigating the impacts of injection attacks on air traffic. In: IEEE
aerospace conference; 2018. p. 1–6.
[17] Fihri WF, El Ghazi H, Kaabouch N. A particle swarm optimization based algorithm for primary user emulation attack detection. In: IEEE consumer
communications and networking conference; 2018. p. 1–6.
[18] Elmrabet Z, Elghazi H, Sadiki T, Elghazi H. A new secure network architecture to increase security among virtual machines in cloud computing. In:
Proceedings of the advances in ubiquitous networking; 2016. p. 105–16.
[19] Liu J, Xiao Y, Gao J. Achieving accountability in smart grid. IEEE Syst J 2014;8(2):493–508.
[20] Engebretson P. The basics of hacking and penetration testing: ethical hacking and penetration testing made easy. Elsevier; 2013.
[21] Yi P, Zhu T, Zhang Q, Wu Y, Li J. A denial of service attack in advanced metering infrastructure network. In: Proceedings of the IEEE international
conference on communications; 2014. p. 1029–34.
[22] Zhang Z, Gong S, Dimitrovski AD, Li H. Time synchronization attack in smart grid: impact and analysis. IEEE Trans Smart Grid 2013;4(March(1)):87–98.
[23] Reyes H, Kaabouch N. Jamming and lost link detection in wireless networks with fuzzy logic. Int J Sci Eng Res 2013;4(February(2)):1–7.
[24] Gai K, Qiu M, Ming Z, Zhao H, Qiu L. Spoofing-jamming attack strategy using optimal power distributions in wireless smart grid networks. IEEE Trans
Smart Grid 2017 pp. 1–1.
[25] Rawat DB, Bajracharya C. Detection of false data injection attacks in smart grid communication systems. IEEE Signal Process Lett 2015;22(Octo-
ber(10)):1652–6.
482 Z.E. Mrabet et al. / Computers and Electrical Engineering 67 (2018) 469–482

Zakaria El Mrabet is a Ph.D. student in the Communications Systems Department at the National Institute of Posts and Telecommunications (INPT), Mo-
rocco. He is currently a Research Visiting Scholar in the Electrical Engineering Department at the University of North Dakota, USA. His research interests
include cybersecurity, networking, smart grid, and cognitive radio networks.

Naima Kaabouch is currently a full professor in the Electrical Engineering Department at the University of North Dakota, USA. She received her B.S., M.S.,
and Ph.D. degrees in Electrical Engineering from the University of Paris 11 and the University of Paris 6, France, respectively. Her research interests include
wireless communications and networking, cybersecurity, signal/image processing, and smart and autonomous systems.

Hassan El Ghazi is currently an Associate Professor in Communications Systems Department at the INPT, Morocco. He received his M.S. degree in Wireless
Communications and his Ph.D. degree in Electrical Engineering from the University of Valenciennes, France, in 2004 and 2008, respectively. His main
research interests are related to physical security, smart grid, and cognitive radio networks.

Hamid El Ghazi received his Ph.D. in Computer Science from the Paris1 University. His research interests include Information Systems Security, Big Data,
and SOA. Hamid has worked as a Senior Consultant for international companies such as ALSTOM and THALES. Now, he is an Assistant Professor at the INPT
Institute. He is a PC member of the ICEIT and ICTMOD conferences.