1

Detection and Mitigation of False Data in

Cooperative DC Microgrids with Unknown
Constant Power Loads
Andreu Cecilia, Subham Sahoo, Member, IEEE, Tomislav Dragičević, Senior Member, IEEE, Ramon
Costa-Castelló, Senior Member, IEEE and Frede Blaabjerg, Fellow, IEEE

Abstract—The rapid development and implementation of dis- stable and precise DC voltage control [4]-[5]. Centralized
tributed control algorithms for DC microgrids has increased the approaches to achieve such DGU coordination have scalability
vulnerability of this type of system to false data injection attacks, issues, that renders such strategies infeasible for large scale
being one of the most prominent types of cyber attacks. This fact
has motivated the development of different false data detection microgrids. As a consequence, the general interest has drifted
and impact mitigation strategies. A common approach for the to the distributed framework, which relaxes the scalability
detection is based on implementing an observer that can achieve issues and offers additional advantages such as resiliency
a reliable estimation of the system states. However, approaches against single point of failure and high bandwidth [6]. A
available in the literature assume that the underlying microgrid popular approach to obtain such coordination is to implement
model is linear, which is generally not the case, specially when the
DC microgrid supplies non-linear constant power loads (CPLs). a hierarchical control scheme in which a primary controller
Consequently, this work proposes a distributed non-linear ob- in the converter ensures the local stability of the DGU,
server approach that can robustly detect and reconstruct the while secondary controllers, implemented in the distributed
applied false data attack in the DC microgrid’s current sensors cyber-layer, achieve equal current sharing and average voltage
and cyber-links, even in the presence of local unknown CPLs. restoration [7]. In this context, the microgrid coordination
First, the system is transformed into an observable form. Second,
a high-order sliding-mode observer is implemented to estimate requires the introduction of a communication network, that
the system states and CPL, even in the presence of false data. allows to transfer information between DGUs.
Finally, the estimation is used to reconstruct the attack signal. The integration between cyber-layer and physical-layer
The robustness of the proposed strategy is validated through through a communication network increases the control preci-
numerical simulations and in an experimental prototype under sion, efficiency and reliability of the DC microgrid. Nonethe-
measurement noise, uncertainty and communication delays.
less, it also introduces a risk of malicious or unintentional
Index Terms—Cyber-attacks, DC microgrid, non-linear ob- cyber-attacks, which can compromise the proper operation of
server, cyber-physical systems, resilient controller. microgrid parts or of the whole microgrid. For this reason, it is
of prime interest to develop techniques to detect and mitigate
I. I NTRODUCTION adversarial attacks from a control viewpoint [8].
S power grids are experiencing higher and higher penetra- Cyber-attacks can be classified in several categories: False
A tion of renewable energy sources, it is required to develop
new power system architectures and control strategies [1]. A
data
replay
injection attacks (FDIAs) [9], denial of service [10] and
attacks [11]. This work will focus on the first one,
great example is the recent proliferation of DC microgrids. as it is the most frequent cyber-attack type [12]. This type
Indeed, many distributed generation units (DGUs), such as fuel of attack is based on injecting malicious measurements in
cells [2], photovoltaic panels and batteries [3], can be directly compromised sensors/cyber-links in order to tamper the closed-
integrated in a DC microgrid through DC/DC converters, which, loop performance of the system.
usually make DC microgrids more efficient and simple than The most common approach in the detection of FDIAs
its AC counterparts [4]. in power systems is based on deploying an estimator and a
A key aspect for the DC microgrid operation is to ensure detector in each agent of the system. The estimator achieves
equal current sharing between the system agents as well as a secure estimation, i.e. the accuracy is independent of the
attack signal value, of the agent’s states based on a real-
This work has been partially funded by the Spanish State Research Agency time model of the microgrid; and, in parallel, the detector
through the María de Maeztu Seal of Excellence to IRI (MDM-2016-0656) compares the estimation with the actual readings and computes
and by the project DOVELAR (ref. RTI2018-096001-B-C32).
A. Cecilia and R. Costa-Castelló are with the Institut de Robòtica i Infor- the presence of an attack. Liu and others [13] deployed a
màtica Industrial, CSIC-UPC Llorens i Artigas 4-6, 08028 Barcelona, Spain weighted least squares algorithm as an estimator of the power
(e-mail: [email protected] and [email protected]). (Corresponding system state variables and implemented a sparse optimization
author: Andreu Cecilia)
S. Sahoo and F. Blaabjerg are with the Department of Energy Technology, as a detector, which computes the presence of an attack under
Aalborg University, Aalborg East, 9220, Denmark (e-mail: [email protected] and the assumption that only a few sensors have been compromised.
[email protected]). Chaojun and others [14] implemented a similar method, but
T. Dragičević is with the Center of Electric Power and En-
ergy,Technical University of Denmark, 2800 Kgs. Lyngby, Denmark (e-mail: using a Kullback–Leibler distance in the detector. Manandhar
[email protected]). and others [15] implemented an estimator through a Kalman
 2

filter and a Euclidean distance metric as the detector. Zhao and

others [16] used a short-term state forecasting as the estimator.
Nevertheless, the mentioned results were implemented in a
centralized framework. As a consequence, they are not scalable,
require continuous communication from the DGUs to the
centralized computer and can not easily incorporate new DGUs
without modifying the whole estimation scheme. For this
reason, the research interest in observer-based attack detection Fig. 1. Electrical scheme of the DGU and power line k. Used symbols are
described in Table I.
strategies has drifted to the distributed estimation framework.
Li and others [17] proposed a distributed detector based on the
generalized likelihood ratio. Nishino and Ishii [18] relaxed the TABLE I
centralized limitation by implementing a distributed observer S YMBOLS USED IN F IG . 1
as the estimator. Nonetheless, the design and implementation States
of the observer in each DGU requires the knowledge of the Iti DGU current
full DC microgrid, which complicates the incorporation of new Vi Load voltage
Ik Power Line current
DGUs in the system. A distributed estimation strategy was Parameters
achieved by combining a bank of unknown input observers Lti Filter inductance
with a bank of linear Luenberger observers [19]. Ci Shunt capacitor
Ri Local load impedance
Once an attack has been detected, the immediate objective is Rk Power line resistance
to mitigate its effect on the microgrid. Relative to the topic, an Lk Power line inductance
event-driven strategy has been recently employed to mitigate Inputs
FDIA and generalized FDIA [20], man-in-the-middle attacks ui Input voltage
Pi Local power load
[21] for homogeneous agents and for heterogeneous agents in
[22].
It should be remarked that, although the fault detection
problem and the cyber-attack detection problem present some CPLs.
differences [23], the FDIA detection strategy can be inspired • An attack detector is proposed that uses the secure
from the fault detection and isolation literature, in which estimation to detect and reconstruct a FDIA signal for the
distributed approaches have been recently proposed [24]–[26]. current sensor.
A major limitation of available estimator-based detection • The proposed reconstruction scheme is validated through
methods is the assumption that the underlying model is linear, numerical simulations and experimental validation, where
which, in some situations, may not be satisfied. The load side sensor noise, uncertainty and communication delays are
converter is often controlled to deliver constant power to the taken into account.
load. In such situations, the voltage dynamics behave non-
linearly [27]. In those cases, small variations of the voltage The remaining of this paper is organized as follows. Sec-
may induce large variations of the stationary operating point tion II introduces the considered DC microgrid model and
which renders linear approximations infeasible. Moreover, a formulates the estimation problem. Section III introduces the
common scenario is that the constant power load (CPL) is state and parameter estimation algorithm that is used for the
unknown, which complicates the dynamics linearization that attack reconstruction. In Section IV, the proposed approach is
is required in some non-linear observers such as the extended validated in a set of numerical simulations. In Section V, the
Kalman filter. approach is validated in a real experimental setup. In Section
The aim of this work is to fill this gap and propose a VI, some conclusions are drawn.
distributed non-linear observer that can be used to reconstruct
FDIA in microgrids with CPLs, which makes the system model
non-linear. The reconstruction of an attack signal is a more II. C OOPERATIVE DC MICROGRID MODEL AND P ROBLEM
restrictive process than just the detection and isolation of the F ORMULATION
cyber-attack, and it offers significant advantages. The isolation
of the compromised agent offers limited options in terms of The considered microgrid is formed by a set of DGUs, which
reducing the attack consequences on the system. In general, are connected through a set of resistive power lines. Each DGU
the only available option is to disconnect the attacked agent is modelled as a DC voltage source, which is connected to
from the system. Alternatively, the reconstructed attack signal a DC/DC converter. The DGU is assumed to supply a local
value can be used to clean the compromised sensor/cyber-link, DC load, which is modelled as a constant impedance plus a
which mitigates the effect of the cyber-attack on the system CPL. The local load is connected to the same point of common
and increases the resilience of the DC microgrid operating coupling that interfaces the DGU with the power lines [28]. A
with non-linear loads. general schematic of the considered DGU is depicted in Fig.
The specific contributions of this work are as follows: 1.
• A non-linear observer-based strategy that achieves a secure Under the standard assumption that the converter operates
state-estimation for DC microgrid models with unknown in continuous conduction mode, the average model of the ith
 3

DGU is given by: the input voltage, ui , ensures the tracking of a current reference
signal, Iref,i (generated by the first PI in the cascade, Gv (s)),
Lti I˙ti = −Vi + ui through a PI controller of the form [30]:
X 1 1
Ci V̇i = Iti − Ik,i − Vi − Pi (1)
  Z  
Ri Vi ui = KpI y1,i − Iref,i + KiI y1,i − Iref,i . (5)
k∈Ei

Lk I˙k = (Vi − Vj ) − Rk Ik ∀k ∈ Ei , A scheme of the primary and secondary control can be seen
where the input voltage ui depicts the average output voltage in Fig. 2.
of the converter and Ei is the set of incident power lines. Using the presented consensus algorithm, the DC microgrid
It is assumed that the generated current, Iti , and the load objectives shall converge to [6]:
voltage, Vi , are being measured, but the line current, Ik , is lim φV = Vdc,ref , lim φI = 0 ∀i = 1, ..., n. (6)
unmeasured. Thus, the measured output vector in the ith DGU x→∞ x→∞
is going to be defined as yi = [y1,i , y2,i ]| = [Iti , Vi ]| . The functions φV and φI are defined as:
The whole DC microgrid is modelled through an undirected Z tX
communication graph G = {V , E }, which is assumed to be φV = Vi + (v̂dc,k − v̂dc,i ) (7)
connected and without self-loops. The set of nodes, V , depicts 0 k∈E
i

the DGUs and the edges (or cyber-links), E , represents the

X
φI = (Itk − Iti ) (8)
resistive lines that connect the DGUs [28]. The topology of k∈Ei
the graph is depicted by the corresponding node-edge incident
matrix B ∈ Rn×m , where n is the number of DGUs and m where v̂dc,i depicts the average voltage estimate in the ith
the number of resistive power lines. The entries of the matrix DGU, which is estimated through a secondary voltage observer
B are specified as: [5] and Iti is the measured DGU output current.
 This paper focuses on the detection, isolation and recon-
+1, if i is the positive end of the line j
 struction of a false data injection attack that can affect the
Bij = −1, if j is the negative end of the line j (2) generated current sensor, the cyber-link that transmits the


0, otherwise. generated current between vertices, or both. Specifically, an
attack on the ith agent can be modelled as:
Finally, it is assumed that the whole microgrid is controlled
following the droop control philosophy and a secondary con- Sensor attack : yi = [Iti + xai , Vi ]| (9)
a |
troller to compensate the error introduced by droop controller. Cyber link attack : ψ i = [v̂dc,i , Iti + xi ] (10)
Droop control is a common strategy used to obtain equal a
where xi depicts the FDIA signal.
current sharing and voltage control in DC microgrids without
This work assumes that a sensor FDIA and a cyber link in
communication, thereby adding a voltage offset and degrading
the ith DGU can be conducted separately by compromising
the system performance. The idea is to equilibrate the current
the controller or the local communication server, respectively.
by imposing a voltage offset that is compensated by secondary
It is assumed that the signal xai is a deception attack [30],
controllers [29]. Each DGU control strategy is supplemented
i.e. the immediate objectives of the microgrid’s (6) are satisfied,
by the information from other DGUs to establish distributed
but may have a long term effect on the system. The design
secondary control. Each vertex sends and receives the signals
of this type of attack in cooperative DC microgrids has been
ψ i = [ψ1,i , ψ2,i ]| = [v̂dc,i , Iti ]| . The factor v̂dc,i depicts
addressed in previous works [30], [31]. In case of an attack that
the average voltage estimate in the ith DGU [30], which is
is not deceptive, the DC microgrid will be driven to an average
estimated through a secondary voltage observer [5]. Specifically,
voltage different from the established global reference value.
two voltage off-set terms for the ith DGU are computed using
X As each DGU knows the reference value, a simple comparison
∆V1i = H1 (s)(Vdc,ref − (v̂dc,k − v̂dc,i )) can be used to detect if the microgrid is being attacked by an
k∈Ei external agent [30].
X This work assumes that the voltage sensor is free of FDIAs.
∆V2i = H2 (s)(Idc,ref − (Itk − Iti )) (3)
In the considered system, a stealth attack is not possible
k∈Ei
by manipulating voltage sensors due to the presence of a
where Vdc,ref and Idc,ref are global voltage and current distributed observer [31]. The attack needs to be conducted
reference quantities for all the microgrid’s DGU, respectively, on the average voltage estimate, which is not a measurable
and H1 (s) and H2 (s) are proportional integral (PI) controllers. quantity.
The correction terms (3) are used as an off-set in the local The main objective is to design an algorithm that can
voltage reference that has to be tracked by the ith DGU. reconstruct the attack signal xai , i.e., the algorithm has to
Specifically, generate an estimation x̂ai such that kxai − x̂ai k → 0 in finite
Vdc,ref,i = Vdc,ref + ∆V1i + ∆V2i . (4) time. It is also worth noting that this objective is more restrictive
than achieving an isolation of the attack, which only requires
In this work, it is assumed that each DGU has two PI to find the compromised sensor or cyber-link, but does not
controllers, Gv (s) and Gi (s), connected in cascade that ensure necessarily acquire any information of the attack signal. The
the tracking of the local voltage reference, Vdc,ref,i . Therefore, main advantage of reconstructing the attack signal is that the
 4

effect of the attack over the considered system can be mitigated. Proof. Expression (14) is obtained by isolating Iti from the
Specifically, assume that a sensor attack is reconstructed, i.e. second equation in (1).
xai = x̂ai . Then, the attacked sensor (or cyber-link) can be
Therefore, the generated current estimation can be achieved
cleaned using: ˙
through the estimations V̂i and Iˆk,i . Assuming that one
ycleaned = [y1,i − x̂ai , y2,i ]| = [Iti , Vi ]| , ˙ ˙
i (11) generates an estimation, V̂i and Iˆk,i such that kV̂i − V̇i k → 0
and kIˆk,i − Ik,i k → 0. Then, kIˆti − Iti k → 0, where Iˆti is
which completely eliminates the effect of the attack in the DC ˙
microgrid. computed through (14) using the estimations V̂i and Iˆk,i .
As it will be shown in the next section, it is possible to
The idea is to design an observer that, irrespective of the ˙
presence of an attack, can estimate the actual value of the design an observer algorithm that achieves kV̂i − V̇i k → 0 and
generated current, Iti , such that kIˆti − Iti k → 0 in finite time, kIˆk,i − Ik,i k → 0, even in the presence of model uncertainty.
where Iˆti depicts the current estimation. If it is achieved, the Nevertheless, there is another concern to be addressed. A
attack can be reconstructed in finite time by comparing the common issue in DC microgrids is that the CPL, Pi , may be
estimation with the measured value of the current. Specifically, unknown [27], which prevents the computation of (14). In order
a sensor attack signal can be reconstructed by computing the to overcome this limitation, the proposed observer algorithm
following: will also estimate the unknown CPL.
Notice that the reconstruction of the attack signal (12) (13)
x̂ai = y1,i − Iˆti = Iti + xai − Iˆti (12) can also be employed to detect the presence of an attack, which
may be later used to activate secondary security protocols.
and a cyber-link attack can be reconstructed as: Specifically, define the following residual for the detection of
a sensor attack in the ith DGU:
x̂ai = ψ2,i − Iˆti = Iti + xai − Iˆti . (13)
rs,i = y1,i − Iˆti ; (15)
By direct inspection of (12) (13), it can be seen that kIˆti −
and a residual for a cyber link attack:
Iti k → 0 implies kxai − x̂ai k → 0. Therefore, the problem of
reconstructing the attack signal has been transformed to an rcl,i = ψ2,i − Iˆti . (16)
observer design problem. The presence of an attack can be detected by evaluating the
Notice that this approach is invariant to the reliability of the following inequalities:
current sensor. Therefore, the presence of an attack can always
be reconstructed by means of (12) and (13). Sensor attack : rs,i > r̄i (17)
In order to ease the scalability of the algorithm, it is of Cyber link attack : rcl,i > r̄i (18)
prime interest to design a distributed observer algorithm. This where r̄ is a positive constant parameter designed appropriately
i
means that the observer of the ith DGU has to generate an to avoid false alarms induced by the voltage sensor noise. The
estimation of Iti based only on the signals measured in the design of r̄ is related to the accuracy of the estimation scheme
i
ith DGU, yi , and the signals transmitted through the incident under measurement noise, which will be discussed in Section
cyber-links, ψ i . III.
The presence of CPLs introduces a non-linear term in the
DGU model (1). As pointed out in the introduction, linear III. P ROPOSED N ON -L INEAR O BSERVER
approximations of the model are not adequate for the considered Following the reasoning in the previous section, the objective
problem. For this reason, it is of prime importance to work here is to design an observer algorithm that can estimate, V̇ ,
with the non-linear dynamics and design a non-linear observer. Ik,i for k ∈ Ei and Pi , of the ith DGU.
In relation to the non-linear observer design, it is crucial to The first step in the observer design is to define a coordinate
select the adequate measured signal that is going to be used change that transforms the system into a form that accepts an
for state estimation. An intuitive choice is to use the measured observer. It is convenient to have the coordinate transformation
voltage, Vi . Furthermore, it is important to select the adequate independent of the input, ui . As the DC-DC converter is
observer technique. In the current state of the art, there is no controlled using the measured generated current (5), the
generic methodology for observer design in non-linear systems. signal ui is sensitive to the sensor FDIA. Therefore, an
In general, each observer strategy assumes certain structures input-dependant coordinate transformation will be sensitive
in the system equations. Thus, before selecting any observer to the attack signal, which introduces an inherent bias in the
technique, it is important to study which signals are required estimation.
for the estimation of Iti . Consider the following:
Lemma III.1. Define mi as the number of incident edges in
Lemma II.1. The DGU output current, Iti , can be recon- the ith vertex. Then, the following input-independent map
structed asymptotically using the CPL, Pi , the voltage, Vi , its 
ξ1,i
 
Vi

derivative, V̇i , and the line currents, Ik,i , through the following  ξ2,i   V̇i 
expression:   
 η1,i   I1,i 

 =  (19)
1 1  ..   . 
ˆ ˙ X
ˆ . .. 
Iti = Ci V̂i + Ik,i + V̂i + P̂i . (14)   
Ri V̂i ηm,i Imi ,i
k∈Ei
 5

Attack reconstruction monitors

Primary control

Vi Voltage Current Boost converter i

controller Iti controller
Reconstruction FDIA in DGU 1
Vi Algorithm
Vref Gv(s) G c(s) PWM
Iref,i
Vj
Secondary control
Sublayer I x ai
Vref
Voltage
H1(s) vref
Observer Attacked Neighbouring
vref measurements
Sublayer II Itj
Current Cleaned signals
H2(s)
Regulator
Iref,i Iti Attacked Current
Sensor Cyber topology

Fig. 2. General scheme of the primary control, secondary control and the proposed FDIA mitigation strategy. Sublayer I of secondary control depicts the
computation of the off-set ∆V1i in (3). Sublayer II of secondary control depicts the computation of the off-set ∆V2i in (3). Primary control depicts the two PI
in cascade that tracks the local voltage reference, Vdc,ref,i . The reconstruction algorithm block depicts the attack estimation strategy presented in this work.

defines a diffeomorphism that transforms the system (1) into Lemma III.2. Assume that there is an estimation of ξ1,i and
the following triangular form ξ1,j depicted as ξˆ1,i and ξˆ1,j , such that kξ1,i − ξˆ1,i k = kξ1,j −
ξ˙1,i = ξ2,i ξˆ1,j k = 0. Then, the state ηj,i can be estimated by integrating
the following expression:
ξ˙2,i = φi (ξ i , ui , Pi , η i ) (20)
1 Rk 1 ˆ Rk
η̇j,i = (ξ1,i − ξ1,j ) − ηj,i f or j = 1, ..., mi η̂˙ j,i = (ξ1,i − ξˆ1,j ) − η̂j,i (22)
Lk Lk Lk Lk
where ξ i = [ξ1,i , ξ2,i ]| , η i = [I1,i , . . . Imi ,i ]| and for any initial condition η̂1,i (0).

1 1
1
φi (ξ i , ui , Pi , η i ) = − ξ1,i + ui − ξ2,i Proof. Consider the estimation error eη , ηj,i − η̂j,i . The error
Ci Lti Ri
 dynamics are depicted by:
P 1 Rk
ξ2,i
− k∈Ei (ξ1,i − ξ1,j ) − ηk,i + Pi 2 . (21)
Lk Lk ξ1,i 1 Rk 1 ˆ Rk
ėη = (ξ1,i − ξ1,j ) − ηj,i − (ξ1,i − ξˆ1,j ) + η̂j,i
The triangular structure (20) is a well-known form that Lk Lk Lk Lk
has been deeply studied in the literature. Moreover, there are Rk
= − eη (23)
multiple observer strategies that can be implemented in such Lk
non-linear structure, e.g. [32]. Nevertheless, such techniques
which converges to zero, independently of the initial value
can only achieve an estimation of ξ1,i and ξ2,i , while the mi
e (0).
states, η i , remain in the unobservable space of the system. η
For this reason, this work proposes dividing the observer into
two parts. The first one will estimate the unobservable states Remark III.1. Notice that the computation of (22) requires
ˆ
η in open-loop. The second one will estimate the states ξ1,i the communication of ξ1,j between observers. This transfer of
and ξ2,i and the unknown parameter Pi through a high-order information may be the entrance of other attacks. Thus, further
differentiator. work related to detecting attacks in ξˆ1,j is required.
Remark III.2. As ηj,i is estimated in open-loop, the accuracy
A. Estimation of η of the estimation is sensitive to uncertainty in the parameters
The dynamics of η (last equation of (20)) represent the zero Rk and Lk . Moreover, the convergence rate of the estimation
dynamics of system (20),i.e. the states, η, are not observable is not tunable. Nonetheless, for autonomous or islanded DC
from the output, y = ξ1,i [33]. As a consequence, it is not microgrids, it is reasonable to expect that the voltages between
directly possible to estimate its value through a tunable observer. DGUs converge to the same value. Thus, it is expected that
However, as the DC microgrid is assumed to have an average kξ1,i − ξ1,j k → 0, which leads to an accurate estimation
voltage control, the η dynamics are stable (i.e. the η dynamics of the power lines even in the presence of uncertainty. The
are not observable but detectable). Therefore, it is possible to convergence rate of the power-lines estimator depends on the
estimate its value through open-loop integration. converter’s parameters, which are usually designed to be fast.
 6

B. Estimation of ξ1,i , ξ2,i and Pi 0. Moreover, assume that there is no generated current sensor
attack, i.e. y1,i = Iti and consider the estimation function:
The first two equations of (20) form a well-known tri-
angular structure which accepts multiple observer strategies. ˆ
ξ2,i KpI 1
−1 
1 ˆ
Nevertheless, the implemented strategy has to also reconstruct P̂i = + Ci σ̂ + ξ1,i
ˆ 2
ξ1,i ˆ
Lti ξ1,i Lti
the unknown CPL, Pi . In order to achieve the unknown
parameter estimation, the idea is to design an observer that X 1 Rk 1 ˆ
(ξˆ1,i − ξˆ1,j ) +


+ η̂k,i − ξ2,i
can robustly estimate the states ξ1,i , ξ2,i and the function Lk Lk Ri
k∈Ei
φ(ξ i , ui , Pi , η i ) of (21). Then, the constant parameter Pi can be  
KpI X 1 ˆ
solved through equation (21). Such estimation can be achieved − Ci ξˆ2,i + η̂k,i + ξ1,i − Iref,i
by implementing an extended observer [34], i.e. the first two Lti Ri
k∈Ei
equations of (20) are going to be extended through a virtual
Z  
KiI
state σ as follows: − y1,i − Iref,i . (28)
Lti

ξ˙1,i = ξ2,i Then, if kξ1,i − ξˆ1,i k → 0, kξ2,i − ξˆ2,i k → 0 and

ξ˙2,i = σ (24) kφ(η, ui , Pi , η) − σ̂k → 0, the norm kPi − P̂i k also converges
∂φi (ξ i , ui , Pi , η i ) ˙ ∂φi (ξ i , ui , Pi , η i ) to zero.
σ̇ = ξi + η̇ i
∂ξ i ∂η i Proof. Define the estimation errors e1,i = ξ1,i − ξˆ1,i , e2,i =
∂φi (ξ i , ui , Pi , η i ) ξ2,i − ξˆ2,i and e3,i = σ − σ̂. Then, the error dynamics satisfy
+ u̇i .
∂u the following:

In particular, the function φ(ξ i , ui , Pi , η i ) is taken as an ė1 = e2 − λ0 |e1 |(2/3) sign(e1 )

extra state that has to be estimated through the observer. Notice
ė2 = e3 − λ1 |e1 |(1/2) sign(e1 ) (29)
that system (24) is still a triangular structure, thus, it still
accepts multiple non-linear observer strategies. This work will ė3 = σ̇ − λ2 sign(e1 ).
implement a high-order sliding-mode observer [32], mainly
due to is insensitivity to uncertainty in the last equation of By assumption, the function σ̇ is Lipschitz and bounded as
(24) and its finite time convergence, which allows to mitigate |σ̇| ≤ M . Previous works [35] have already proven that
a false data attack in a finite time. Specifically, the observer for an adequate choice of λ0 , λ1 and λ2 , the dynamics (29)
takes the following structure: converge in finite-time to the origin. Furthermore, if the design
parameters are tuned following the Lyapunov methodology
˙ introduced in [35], it is possible to find an explicit upper-
ξˆ1,i = ξˆ2,i − λ0 |ξˆ1,i − y2,i |(2/3) sign(ξˆ1,i − y2,i ) bound of the convergence time. Specifically, for a third-order
˙ ˙ ˙
ξˆ2,i = σ̂ − λ1 |ξˆ2,i − ξˆ1,i |(1/2) sign(ξˆ2,i − ξˆ1,i ) (25) estimator, said methodology leads to the design parameters
˙ depicted in (27).
σ̂˙ = −λ2 sign(σ̂ − ξˆ2,i )
Define the scaled errors,

where λ0 , λ1 and λ2 are parameters to be tuned and sign(·) e1 e2 e3

z1 = , z2 = , z3 = , (30)
is the sign function which is computed as: M 3.4478M 5.6477M
 x then, the convergence time, T , of the estimation error is
 if x 6= 0 upper-bounded by a factor that depend on the initial conditions
sign(x) = kxk (26)
0 if x = 0 of the estimation error [35]:

T (z0 ) ≤ 13.5135 · V (z0 )0.2 , (31)

Theorem III.1. Consider the extended system (24), the high-
order sliding-mode observer (25), the generated current esti-
mation (14) and the open-loop estimator (22). Furthermore, where z0 are the initial conditions of the scaled errors (30) and
tune the observer design parameters as [35]: V is the following function:

3 2 2 5
λ0 = 3.4478M 1/3 , λ1 = 5.6477M 2/3 , λ2 = 1.1M (27) V (z) = |z1 |5/3 − z1 |z2 | 4 sign(z2 ) + |z2 | 4
5 5
2 5 3 5
+ |z2 | 2 − z2 |z3 |sign(z3 ) + |z3 | 3 + 0.2|x3 |5 . (32)
where M is the upper bound of the voltage third derivative σ̇, 5 5
such that kσ̇k ≤ M .
Then, the observer estimation converges in finite-time, i.e. Thus, for all t > T (z0 ), kξ1,i − ξˆ1,i k = 0, kξ2,i − ξˆ2,i k = 0
there is a positive finite time T such that, for all time t > T , and kφ(ξ i , ui , Pi , η i ) − σ̂k = 0, independently of the value of
kξ1,i −ξˆ1,i k = 0, kξ2,i −ξˆ2,i k = 0 and kφ(ξ i , ui , Pi , η i )−σ̂k = the voltage third derivative, σ̇.
 7

Therefore, after a finite time, the following holds: Finding the positive constant M for similar sliding-mode
1

1
techniques usually involve extensive simulations. Nevertheless,
σ̂ = φi (ξ i , ui , Pi , η i ) = − ξ1,i + ui under the proper assumptions, this expensive computations can
Ci Lti
X 1  be avoided in the concerned microgrid.
Rk
1 ξ2,i
− (ξ1,i − ξ1,j ) − ηk,i − ξ2,i + Pi 2 The microgrid’s cooperative secondary controller ensures the
Lk Lk Ri ξ1,i objectives depicted in (6). Moreover, due to the convergence
k∈Ei
1

1
  properties of the local controllers and microgrid security
= − ξ1,i + KpI y1,i − Iref,i concerns, it is reasonable to assume that the load voltage
Ci Lti
Z  

is bounded as Vmin,i < Vi < Vmax,i , the DGU load current is
+ KiI y1,i − Iref,i lower bounded as Iti > Imin,i and the inputs are also bounded
 as ui < umax,i .
X 1 Rk 1 ξ2,i
− (ξ1,i − ξ1,j ) −


ηk,i − ξ2,i + Pi 2 . Moreover, since the capacity of the system is planned based
Lk Lk Ri ξ1,i on the converter’s capacity, using the generation-load matching
k∈Ei
(33) criteria it is possible to show that the CPL value is bounded as
Pi < Pmax,i . Taking into account these details, it is possible to
By substituting (33) in (28) and taking into account that
find an analytical expression of M . Specifically, the expression
kξ1,i − ξˆ1,i k → 0, kξ2,i − ξˆ2,i k → 0, kηj,i − η̂j,i k → 0 and
is:
Vi 6= 0, the following holds:
2
ˆ −1  −ξ2,i,min Pmax,i ξ2,i,min σmax
M= −2 −

ξ2,i KpI 1 ξ2,i KpI 1 3
P̂i = + 2 + L Pi = Pi . (34) Ci Lti Ci Vmax C i Ri
ξˆ1,i
2 Lti ξˆ1,i ξ1,i ti ξ1,i Pmax,i σmax
+ 2 , (36)
Ci Vmin
Remark III.3. An improper parameter tuning may lead to where
p
an unstable observer, i.e. the estimation error will diverge to Pmax,i Ri Pmax,i
infinity. There are alternative parameter tuning methodologies, ξ2,i,min = Imin,i − −p (37)
Ri Pmax,i Ri
however, in general, it is difficult to compute an explicit time   
of convergence in such alternative parameter tuning. 1 1 1
σmax = − ξ2,i,max + umax,i
Ci Lti Ri
Remark III.4. During a sensor attack, the CPL estimation Pmax ξ2,i,max

reduces to: + 2 . (38)
ˆ −1   Ci Vmin,i
ξ2,i KpI 1 KpI a
P̂i = Pi + + x Pi . (35) In relation to the design of the threshold values in the
ˆ2
ξ1,i L ˆ
ti ξ1,i Lti i
detection algorithm (17) and (18). Assume that the voltage
Therefore, the presence of a sensor attack introduces a bias sensor in the ith DGU is corrupted by an additive noise signal,
in the constant load estimation. Nonetheless, this bias has no ni , upper-bounded by a positive constant εi as |ni | < ε. Then,
significant effect in the mitigation strategy. This fact will be the higher-order sliding-mode observer ensures an unbiased
seen in the experimental validation of Section V, where sensor observation error accuracy of the order of 1.1M 2/3 εi [35].
FDIAs are introduced in the system and the algorithm still Therefore, the threshold functions (17) (18) will avoid false
recovers pre-attack performances. alarms induced by the noise, if r̄i > κ1.1M 2/3 εi , where κ > 1.
Nevertheless, as the observer algorithm converges in finite
time, it is reasonable to assume that the CPL estimation, P̂i C. Stabilization properties of the observer
has already converged to the true value before a sensor attack
The introduction of current FDIAs may destabilize the DC
is introduced in the system. Thus, during a sensor attack, the
microgrid. It is well known that CPLs have a destabilizing
parameter estimation can be frozen to avoid the bias introduced
effect on DC microgrids and local DGU controllers have to
by the sensor attack. This approach has been validated in the
be designed to ensure the stability of the system around the
first case study of the numerical simulation of Section IV.
considered operating point [27]. As the DGUs of the concerned
The expression (28) is computable, if the inequality 0 ≤ microgrid are controlled through linear PI controllers, the
ξˆ1,i ≤ ∞ is satisfied. Most DGUs in DC microgrids operates stability can only be ensured in a region of attraction around the
with bounded voltages and a properly tuned and initialized equilibrium point where the PI has been tuned [38]. Specifically,
observer will not reach such values. Thus, this condition is for a DGU modelled as in (1) and a cascaded PI as the
generically satisfied. It should be remarked that, alternatively DGU’s primary control, there is a region Di ⊂ R2 such that
to the approach in this work, the joint state and parameter if Iti , Vi ∈ Di , then, the DGU’s voltage and output current
estimation problem is commonly solved through an adaptive converge to the desired references. Otherwise, the system
observer [36]. Nevertheless, classic adaptive observer schemes becomes unstable [38]. The region of attraction of cooperative
can only ensure the convergence of the parameter estimation DC microgrids with linear controllers can be computed through
to the actual value under a restrictive persistence of excitation a series of sum of square optimizations [38].
condition [37], which may not be satisfied in some DC Suppose that at time t0 the ith DGU’s states are inside the
microgrid operating conditions. region of attraction and the system is subjected to a cyber
 8

attack. During the attack, the system response involves large Control Unit I
Control Unit IV
variations of the state variables which may lead to an escape Buck converter I

Agent IV
Buck converter IV
of the region of attraction and, consequently, may lead to an It1 V1 I2 R14
It4 DC
DC V4
unstable system. This fact confirms that the interaction between

Agent I
DC
FDIAs and CPLs can destabilize the plant. I1 Cyber I4 DC
R12 attack
In such cases, it is important to study if the proposed Buck converter II
mitigation strategy can avoid the destabilization of the ith DC It2 V2 Cyber
graph R43
Control Unit III

Agent III
DGU during a FDIA. Suppose that the DGU is subjected to a Buck converter III

Agent II
DC
V3 It3 DC
destabilizing FDIA at time t0 that would make the DGU escape Sensor
R23
attack DC
its region of attraction at time t1 > t0 . After a time T (z0 ) I3
Control Unit II
computed through (31), the proposed strategy mitigates the
attack and the system switches-back to the pre-FDIA operation.
Fig. 3. Topology of the considered DC microgrid with 4 DGUs. Blue arrows
Then, if T (z0 ) < t1 , the FDIA is mitigated and the DGU’s represent the cyber-layer and black lines depict the physical circuit.
states are still inside the region of attraction, thus, stability is
preserved. Otherwise, if T (z0 ) ≥ t1 , the FDIA is eliminated
but the the DGU’s states are outside the region of attraction,
consequently, the system remains unstable.
Therefore, the effectiveness of the proposed method under
destabilizing FDIAs is limited by the time of convergence of t=4s t = 4.5 s
the observer (31) and the capacity of the attacker of reducing I IV
the time of escaping the region of attraction, t1 .

IV. N UMERICAL S IMULATIONS

II III
The proposed observer strategy has been validated in a pair t=5s t=5s
of numerical simulations. The simulations have been designed
to test the performance of the reconstruction scheme in non-
trivial situations. The first simulation considers a case in which
all the agents of the system are being compromised by a FDIA.
The second case considers a situation with a significant amount
of communication and sensor high-frequency noise and model
uncertainty.
Fig. 4. Current and voltage evolution under FDIAs. At t = 4s there is a
FDIA in the DGU 1 cyber-links. At t = 4.5s there is a FDIA in the DGU 4
cyber-links. At t = 5s there is a FDIA in the DGU 2 cyber-links and a FDIA
A. Simulation 1: Simultaneous attack on all agents in the generated current sensor of DGU 3.
The first simulation considers a DC microgrid composed by
4 DGUs with unknown CPL interconnected as depicted in Fig.
3. The value of the model parameters are summarized in Table
Finally, at time t = 5s there is a simultaneous attack in the
II.
cyber-link of the DGU 2 and the current sensor of the DGU 3.
TABLE II
In both cases, a constant value of 3A is injected. Notice that for
M ODEL PARAMETER VALUES USED IN S IMULATION 1 t > 5s there are 4 FDIA attacks that compromises all the agents
of the system. As it can be seen in Fig. 4, during the attacks,
Symbol Value Symbol Value
Lti 1 [H] R14 1.3 [Ω] the system behaviour is significantly affected. However, the
Ci 0.05 [F ] R23 2.3 [Ω] microgrid is not destabilized and the average voltage converges
Ri 96 [Ω] R34 2.1 [Ω] to the reference value of 315V .
R12 1.8 [Ω] Lk 50 [µH]
Each attack can be detected and reconstructed by implement-
ing the proposed sliding-mode observer in each DGU. After
The whole microgrid is controlled using the distributed that, the reconstructed attack can be used to "clean" the attacked
control strategy presented in [30], which ensures equal current sensors and cyber-links as depicted in (11). Specifically, all
sharing and average voltage control. Specifically, the control the observers have been implemented considering a factor
has been designed to ensure the convergence of the average M = 100, which results in the following design parameters
voltage to 315V . During the simulation there is a set of FDIA λ0 = 16, λ1 = 121.7 and λ2 = 110 and ensures a convergence
attacks that compromise all the agents of the microgrid and time of less than 1.5 s.
changes the behaviour of the system. At time t = 4s, there is a In Fig. 5 we can see the unknown power load estimation
FDIA that injects a constant value of 8A in the cyber-link that in the different observers. It can be observed that all the
connects the DGU 1 with its neighbours. At time t = 4.5s, estimations converges asymptotically to the true value with a
there is a second FDIA that injects a constant value of 6A in settling time (98%) of around 1.2 second. Thus, even in the
the cyber-link that connects the DGU 4 with its neighbours. case of having no prior information of the CPL (i.e. P̂i has
 9

FDIA FDIA
Initiated Mitigated

Fig. 5. Evolution of the local power load estimation and true local power
load (green). All the DGUs present the same local power load, equal to Pi .

Cyber-attacks FDIA FDIA

Initiated Mitigated

FDIA 1 FDIA 3,4

FDIA 2 Fig. 7. Current and voltage evolution under FDIAs and observer reconstruction
and mitigation. At t = 4s there is a FDIA in the DGU 1 cyber-links. At
t = 4.5s there is a FDIA in the DGU 4 cyber-links. At t = 5s there is a
FDIA in the DGU 2 cyber-links and a FDIA in the generated current sensor
of DGU 3.
Fig. 6. Evolution of the attack estimation error in all DC microgrid DGUs.
At t = 4s there is a FDIA in the DGU 1 cyber-links (FDIA 1). At t = 4.5s
there is a FDIA in the DGU 4 cyber-links (FDIA 2). At t = 5s there is a
mitigation strategy. Moreover, it exemplifies the scalability of
FDIA in the DGU 2 cyber-links and a FDIA in the generated current sensor
of DGU 3 (FDIA 3 and 4). the scheme. The observer parameter tuning and estimation
accuracy in the ith DGU is independent to the topology
of the DC microgrid and the presence of attacks in other
been initialized at 0), the proposed scheme can estimate its DGUs. Moreover, the observer implementation only requires
true value. Notice that the parameter estimation is invariant to communicating the observer with the neighbour DGUs in order
the presence of cyber-link attacks. to communicate ξˆ1,j f or j = 1, ..., mi between observers.
In Fig. 6, it is depicted the reconstruction error of the cyber- As a consequence, new DGUs can be incorporated in the
link attack in DGU 1, DGU 2 and DGU 4 and the sensor attack microgrid and the proposed reconstruction scheme can still be
in DGU 3. In all the cases, it can be observed that all the implemented with minor changes.
estimation errors converge to zero in a time of approximately 1
second, indicating that the system is free of attacks. Moreover,
the estimation error remains at zero as the attacks are being B. Simulation 2: Attack reconstruction in presence of sensor
introduced in the system. Therefore, the proposed strategy noise and model uncertainty
is capable of accurately reconstructing the attack signal in In practice, the model of the microgrid will be imperfect and
all the DGUs, even in the presence of a simultaneous attack. the system sensors will present a certain amount of noise. The
Moreover, this result exemplifies the invariance of the attack presence of these elements prevent the exact attack detection
reconstruction in the ith DGU to the presence of attacks in and reconstruction presented in the past simulation. For this
the rest of the microgrid. reason, it is important to test the performance of the proposed
Finally, the reconstructed attacks have been used to mitigate strategy in a more realistic scenario. In this second simulation
the effect of the attack in the system (as presented in (11)). In it is considered the cooperative DC microgrid studied in the
Fig. 7, it is depicted the evolution of the generated currents past subsection with the topology presented in Fig. 3. However,
and load voltages, after the attack mitigation. It can be noticed it is considered a unique attack in the cyber-links that connect
that, the reconstruction and mitigation of the FDIAs have the DGU 1 with its neighbours. The attack consists of a step
immediately eliminated the effect of the attacks on the system, signal of value 8A at time t = 4s. As it can be seen in Fig.
which behaves very similar before and after the presence of 8, this type of attack significantly affects the evolution of the
attacks. microgrid’s DGU currents and voltages, but does not prevent
This simulation validates the proposed reconstruction and the convergence of the average voltage.
 10

t=4s
I IV

II III

Fig. 8. Current and voltage evolution under FDIA. At t = 4s there is a FDIA

in the DGU 1 cyber-links.

The objective is to implement the proposed observer ap-

proach in order reconstruct and clean the attacked signal. Fig. 9. Evolution of the measured voltage and measured current in the DGU
1. The voltage signal is affected by high-frequency white noise of variance
However, in this case, it is considered that the DGU 1 model 0.109. The current signal is affected by high-frequency white noise of variance
is not perfectly known. Specifically, it is assumed that there is 0.0114.
uncertainty in the model parameters. In Table III it is depicted
the true value of the DGU 1 parameters and the model values
that have been used in the observer. The other DGUs parameters
are the ones depicted in Table II
FDIA
Initiated
TABLE III
T RUE DGU 1 PARAMETERS AND MODEL PARAMETER VALUES USED IN THE
OBSERVER

Symbol True Value Model value

Lti 1 [H] 0.8 [H]
Ci 0.05 [F ] 0.055 [F ]
Ri 96 [Ω] 90 [Ω]
Rk1 1.8 [Ω] 1.2 [Ω]
Rk2 1.3 [Ω] 1.7 [Ω]
Lk1 50 · 10−6 [H] 43 · 10−6 [H] Fig. 10. Evolution of the attack reconstruction (blue) and the true attack
Lk2 50 · 10−6 [H] 53 · 10−6 [H] signal (orange) in the DGU 1.
Pi 500 [W ] − [W ]

Moreover, the sensors of the DGU 1 are corrupted with As it can be seen in Fig. 10, the presence of measurement
a significant amount of high-frequency noise. The voltage noise does not prevent the stability of the attack signal
sensor, V1 , and the voltage signals transmitted from the DGU estimation, but, naturally, the estimation converges to a bounded
2 and DGU3 are affected by random high-frequency noise with error around the true attack signal value. This error can be
variance 0.109. The current sensor, It1 , is corrupted with high- decreased by increasing the time constant of the implemented
frequency noise with variance 0.0114. In Fig. 9 it is depicted low-pass filters. However, the presence of a low-pass filter (and
the measured voltage and current, respectively, corrupted with increasing its time constant) reduces the convergence rate of
the presented noise. the observer which deteriorates the transient performance of the
The design parameters of the sliding-mode observer have attack signal estimation. This fact can be seen by comparing
been tuned as λ0 = 16, λ1 = 121.7 and λ2 = 110, which the signal estimation at time t = 4s in Fig. 6, where the attack
ensures the convergence of the state estimation. Nonetheless, estimation converges immediately to the true value, and Fig.
the estimation accuracy of the proposed high-order sliding- 10, where the attack estimation requires some time to converge.
mode observer is sensitive to measurement noise. For this Finally, the estimated attack signal, x̂a1 , has been used to
reason, the CPL estimation, P̂i , and the attack signal estimation, clean the attacked cyber-link signal. As it can be observed in
x̂a1 , have been filtered through a low-pass filter. Most spectral Fig. 11, even in the presence of significant model uncertainty
components of the concerned high-frequency noise are around and sensor noise, the reconstruction and mitigation of the
the 1 kHz frequency, the signals have been filtered through a attacked signal is capable of recovering the performance of the
IIR filter with cut-off frequency at 1 kHz. attack-free case. In this case, as stated before, the mitigation is
 11

Buck converter I Buck converter II

Lse1 I dc1 R R2 I dc2 Lse2
1

FDIA FDIA
Initiated Mitigated Cdc1 Vdc1 Vdc2 Cdc2
CPL

Distributed False Data

Control Detection
MicroLabBox
DS1202

Fig. 13. Single line diagram of the experimental setup shown in Fig. 12.

sharing in DC microgrids. The experimental testbed parameters

are provided in Table IV.

TABLE IV i ref
E XPERIMENTAL TESTBED PARAMETERSDC Modified
fd
voltage Inner current
FDIA controller controller
FDIA Symbol True Value
i
Initiated Mitigated Plant vid* viq*
Lsei 3 [mH]  dq
Cdci 100 [µF ] V ref 
dc
R1 0.8 [Ω] vi*
R2 1.4 [Ω] Pulse
Controller generator
Vdcref 48 Boost
[V ] converter
H1
Fig. 11. Current and load voltage evolution under a FDIA in DGU 1 and KP i pv
1.92 [−] Lse
observer reconstruction and mitigation. At t = 4s there is a FDIA in the DGU KIH1 15 [−]
1 cyber-links. KPH2 Rf
H2 v pv4.5 [−] Cdc vdc
PV array
K I 0.08 C[−]
pv
g 0.64 [−]
Buck VSI
DC Programmable Converters LEM MicroLabBox
Load Sensor DS1202
Box DC The proposed reconstruction approach has been validated
Power
in three different scenarios.
Supply
MPPT In the first
Pulsecase study in Fig.
controller
14(a), a simultaneous cyber-attack isgenerator
conducted on current
Level measurements from both converters with the false data, given
Shifter
Tie-line
PC by xa1 = 1.5 A and xa2 = 1 A. The proposed non-linear observer
Oscilloscope Resistances
has been implemented in each agent to reconstruct and mitigate
the effect of the cyber-attacks. As it can be observed, after
Fig. 12. Experimental setup of a cooperative DC microgrid comprising of 2 the simultaneous cyber-attack, the system restores back to
agents controlled by dSPACE MicroLabBox DS1202 supplying power to the
programmable CPL. the pre-attack set points. This validates the scalability of the
proposed observer strategy in providing resiliency against false
data injection attacks in the presence of realistic sensor noise
not immediate, due to the presence of low-pass filters, which and model uncertainty.
induces some delay in the attack estimation. The proposed approach assumed that the unknown local
power load is constant. This is a reasonable assumption,
V. E XPERIMENTAL VALIDATION however, in practice, the load may vary from one constant
The proposed detection and reconstruction strategy has been set-point to another in order to accommodate the microgrid to
validated in an experimental prototype of DC microgrid operat- demand shifts. Some adaptive observer schemes, may present
ing at a voltage reference Vdcref of 48 V with 2 buck converters problems under set-point changes, specially, when the restrictive
rated equally for 600 W, as shown in Fig. 12. Both converters persistence of excitation [37] condition is not satisfied. For this
are tied radially to a programmable CPL via tie-line resistances. reason, it is of interest to test the adaptability of the proposed
Each converter is controlled by dSPACE MicroLabBox DS1202 reconstruction scheme under local power load shifts. In the
(target), with control commands from the dSPACE ControlDesk first case study in Fig. 14(a), after the introduction of the
from the PC (host). The controller gains are consistent for each cyber-attack, the CPL of both agents has been increased. As it
converter. The details of the controller are presented in [30]. can be observed, this fact modifies the current set-point of both
Using the local and neighbouring measurements, the proposed agents, but, it does not prevent the current consensus (equal
observer is modelled for every converter (as shown in Fig. 13) current sharing) that would induce the FDIA introduced to
to mitigate false data injection attacks and meet the desired the system. This result shows that the proposed reconstruction
control objectives of average voltage stability and equal current scheme does not cause any additional problems under dynamic
 12

load change, which is coherent with the results presented in

this work. Under a local load change the constant power load Simultaneous cyber attack
(a) Vdc1 (25 V/div)
assumption does not hold, i.e. Ṗi 6= 0. This fact induces a
∂φi (ξ i , ui , Pi , η i ) Vdc2 (25 V/div)
factor Ṗi in the last equation of (24). This
∂Pi Load increase
factor is not modelled, but is upper bounded. Therefore, the Cyber attack
Idc1 (5 A/div)
factor σ̇ is also upper bounded and Theorem III.1 still holds Idc2 (5 A/div)
true. Therefore, the proposed observer scheme presents robust I II I II

stability to dynamic load changes. It should be remarked that Attack mitigated

when Ṗi 6= 0, expression (34) reduces to

Ṗi (b) Communication delay of 250 millisec

Vdc1 (25 V/div)
P̂i = Pi + . (39)
ξ1,i Vdc2 (25 V/div)

Thus, it introduces a bias in the load estimation. Nonetheless, Load increase

Cyber attack

this bias disappears when the local power load converges to Idc1 (5 A/div)

the desired set-point, and an unbiased attack reconstruction is Idc2 (5 A/div)

achieved. I II I II

In the second case study in Fig. 14(b), a cyber-attack is Attack mitigated

conducted on agent I with a false data injection, given by xa1 =
1.8 A. The aim of this second experiment is to test the resilience
Simultaneous time-varying cyber attack
of the observer scheme under varying communication delay. (c)
Specifically, it has been tested the applicability of the strategy Vdc1 (25 V/div)
under a maximum communication delay of 250 ms. Even Vdc2 (25 V/div)
Attack mitigated
though the consensusability between agents is limited to large Sinusoidal attack Idc1 (5 A/div)
Ramp attack
communication delay, it can be seen that when a cyber-attack Load change Idc2 (5 A/div)
I II
is conducted under conditions which may lead to diverging
control inputs, the proposed observer strategy still recovers I II
I II
I II

pre-attack performance and is resilient against cyber-attacks in Attack mitigated

the presence of other cyber disturbances and load changes.
In the third case study in Fig. 14(c), two time-varying cyber-
attacks are conducted on DGU II. The first is modelled as a Fig. 14. Experimental validation of the proposed controller under: (a)
sinusoidal function I2a = 1.4(sin(0.4πt)) A; and the second Simultaneous cyber-attack on both agents and unknown CPL increase.The
one as a ramp function I2a = 1.2t A. Amid attacks, a decrease attack has been mitigated in 400 ms. (b) cyber-attack on one agent under a
communication delay of 250 ms and unknown CPL increase. The attack has
of the unknown CPL has been introduced. It can be observed in been mitigated in 2 s. (c) Ramp and sinusoidal attack element on agent II
Fig. 14 (c) that the mitigation strategy is capable of recovering and unknown CPL decrease. First attack has been mitigated in 640 ms and
pre-attack performances in both events, which validates the second attack mitigated in 560 ms.
capabilities of the algorithm to mitigate attacks of time-varying
nature.
R EFERENCES
[1] A. Ipakchi and F. Albuyeh, “Grid of the future,” IEEE Power and Energy
VI. C ONCLUSIONS Magazine, vol. 7, no. 2, pp. 52–62, Mar. 2009.
[2] A. Cecilia and R. Costa-Castelló, “High gain observer with dynamic
This work has presented a non-linear observer-based detec- deadzone to estimate liquid water saturation in pem fuel cells,” Rev.
tion and mitigation strategy for a false data attack in cooperative Iberoam. Autom. In., vol. 17, no. 2, Apr. 2020.
[3] A. Cecilia, J. Carroquino, V. Roda, R. Costa-Castelló, and F. Barreras,
DC microgrids with unknown CPLs. The proposed approach “Optimal energy management in a standalone microgrid, with photovoltaic
is completely distributed, which eases its scalability to large generation, short-term storage, and hydrogen production,” Energies,
scale microgrids, and operates adequately under an arbitrary vol. 13, no. 6, p. 1454, Mar. 2020.
[4] T. Dragičević, X. Lu, J. C. Vasquez, and J. M. Guerrero, “Dc micro-
number of compromised agents. Finally, through numerical and grids—part I: A review of control strategies and stabilization techniques,”
experimental testing, the observer approach has been shown to IEEE Trans. Power Electron., vol. 31, no. 7, pp. 4876–4891, Jul. 2016.
be robust to model uncertainty and/or communication delay; [5] V. Nasirian, S. Moayedi, A. Davoudi, and F. L. Lewis, “Distributed
cooperative control of dc microgrids,” IEEE Trans. Power Electron.,
and present adequate performance under significant sensor and vol. 30, no. 4, pp. 2288–2303, Apr. 2015.
communication noise. [6] S. Sahoo and S. Mishra, “A distributed finite-time secondary average
Nonetheless, the proposed strategy presents some limitations voltage regulation and current sharing controller for dc microgrids,” IEEE
Trans. Smart Grid, vol. 10, no. 1, pp. 282–292, Jan. 2019.
that should be addressed in future works. The estimation of [7] M. Yazdanian and A. Mehrizi-Sani, “Distributed control techniques in
the power line currents relies on an open-loop integration that microgrids,” IEEE Trans. Smart Grid, vol. 5, no. 6, pp. 2901–2909, Nov.
is not tunable. Although the estimation is in general fast, this 2014.
[8] H. Sandberg, S. Amin, and K. H. Johansson, “Cyberphysical security in
fact limits the convergence rate of the current estimation (14) networked control systems: An introduction to the issue,” IEEE Control
and, as a consequence, of the attack estimation. Syst. Mag., vol. 35, no. 1, pp. 20–23, Feb. 2015.
 13

[9] R. Deng, P. Zhuang, and H. Liang, “False data injection attacks against [31] S. Sahoo, S. Mishra, J. C. Peng, and T. Dragičević, “A stealth cyber-
state estimation in power distribution systems,” IEEE Trans. Smart Grid, attack detection strategy for dc microgrids,” IEEE Trans. Power Electron.,
vol. 10, no. 3, pp. 2871–2881, Jun. 2019. vol. 34, no. 8, pp. 8162–8174, 2019.
[10] P. Danzi, M. Angjelichinoski, . Stefanović, T. Dragičević, and P. Popovski, [32] A. Levant, “Higher-order sliding modes, differentiation and output-
“Software-defined microgrid control for resilience against denial-of- feedback control,” Int. J. Control, vol. 76, no. 9-10, pp. 924–941, Nov.
service attacks,” IEEE Trans. Smart Grid, vol. 10, no. 5, pp. 5258–5268, 2003.
Sep. 2019. [33] A. Isidori, “The zero dynamics of a nonlinear system: From the origin to
[11] F. Pasqualetti, F. Dörfler, and F. Bullo, “Attack detection and identification the latest progresses of a long successful story,” Eur. J. Control, vol. 19,
in cyber-physical systems,” IEEE Trans. Autom. Control, vol. 58, no. 11, no. 5, pp. 369 – 378, Sep. 2013.
pp. 2715–2729, Nov. 2013. [34] L. B. Freidovich and H. K. Khalil, “Performance recovery of feedback-
[12] G. Liang, J. Zhao, F. Luo, S. R. Weller, and Z. Y. Dong, “A review of linearization-based designs,” IEEE Trans. Autom. Control, vol. 53, no. 10,
false data injection attacks against modern power systems,” IEEE Trans. pp. 2324–2334, Nov. 2008.
Smart Grid, vol. 8, no. 4, pp. 1630–1638, Mar. 2017. [35] E. Cruz-Zavala and J. A. Moreno, “Levant’s arbitrary-order exact
[13] L. Liu, M. Esmalifalak, Q. Ding, V. A. Emesih, and Z. Han, “Detecting differentiator: A lyapunov approach,” IEEE Trans. Autom. Control,
false data injection attacks on power grid by sparse optimization,” IEEE vol. 64, no. 7, pp. 3034–3039, Oct. 2018.
Trans. Smart Grid, vol. 5, no. 2, pp. 612–621, Mar. 2014. [36] O. Stamnes, O. M. Aamo, and G. Kaasa, “Adaptive redesign of nonlinear
observers,” IEEE Trans. Autom. Control, vol. 56, no. 5, pp. 1152–1157,
[14] G. Chaojun, P. Jirutitijaroen, and M. Motani, “Detecting false data
May 2011.
injection attacks in ac state estimation,” IEEE Trans. Smart Grid, vol. 6,
[37] A. Padoan, G. Scarciotti, and A. Astolfi, “A geometric characterization
no. 5, pp. 2476–2483, Sept. 2015.
of the persistence of excitation condition for the solutions of autonomous
[15] K. Manandhar, X. Cao, F. Hu, and Y. Liu, “Detection of faults and systems,” IEEE Trans. Autom. Control, vol. 62, no. 11, pp. 5666–5677,
attacks including false data injection attack in smart grid using kalman Apr. 2017.
filter,” IEEE Trans. Control Netw. Syst., vol. 1, no. 4, pp. 370–379, Dec. [38] B. Severino and K. Strunz, “Enhancing transient stability of dc microgrid
2014. by enlarging the region of attraction through nonlinear polynomial droop
[16] J. Zhao, G. Zhang, M. La Scala, Z. Y. Dong, C. Chen, and J. Wang, control,” IEEE Trans. Circuits Syst. I, Reg. Papers, vol. 66, no. 11, pp.
“Short-term state forecasting-aided method for detection of smart grid 4388–4401, Nov. 2019.
general false data injection attacks,” IEEE Trans. Smart Grid, vol. 8,
no. 4, pp. 1580–1590, Jul. 2017.
[17] S. Li, Y. Yılmaz, and X. Wang, “Quickest detection of false data injection
attack in wide-area smart grids,” IEEE Trans. Smart Grid, vol. 6, no. 6,
pp. 2725–2735, Nov. 2015.
[18] H. Nishino and H. Ishii, “Distributed detection of cyber attacks and
faults for power systems,” IFAC Proc. Vol., vol. 47, no. 3, pp. 11 932 –
11 937, Aug. 2014.
[19] A. J. Gallo, M. S. Turan, F. Boem, T. Parisini, and G. Ferrari-Trecate,
“A distributed cyber-attack detection scheme with application to dc
microgrids,” IEEE Trans. Autom. Control, vol. 65, no. 9, pp. 3800–3815,
Apr. 2020.
[20] S. Sahoo, T. Dragičević, and F. Blaabjerg, “An event-driven resilient
control strategy for dc microgrids,” IEEE Trans. Power Electron., vol. 35,
no. 12, pp. 13 714–13 724, May 2020.
[21] ——, “Multilayer resilience paradigm against cyber attacks in dc
microgrids,” IEEE Trans. Power Electron., vol. 36, no. 3, pp. 2522–
2532, Mar. 2021.
[22] ——, “Resilient operation of heterogeneous sources in cooperative dc
microgrids,” IEEE Trans. Power Electron., vol. 35, no. 12, pp. 12 601–
12 605, Apr. 2020.
[23] F. Pasqualetti, A. Bicchi, and F. Bullo, “Consensus computation in
unreliable networks: A system theoretic approach,” IEEE Trans. Autom.
Control, vol. 57, no. 1, pp. 90–104, Jan. 2012.
[24] A. Teixeira, I. Shames, H. Sandberg, and K. H. Johansson, “Distributed
fault detection and isolation resilient to network model uncertainties,”
IEEE Trans. Cybern., vol. 44, no. 11, pp. 2024–2037, Nov. 2014.
[25] S. Riverso, F. Boem, G. Ferrari-Trecate, and T. Parisini, “Plug-and-play
fault detection and control-reconfiguration for a class of nonlinear large-
scale constrained systems,” IEEE Trans. Autom. Control, vol. 61, no. 12,
pp. 3963–3978, Dec. 2016.
[26] F. Boem, R. M. G. Ferrari, C. Keliris, T. Parisini, and M. M. Polycarpou,
“A distributed networked approach for fault detection of large-scale
systems,” IEEE Trans. Autom. Control, vol. 62, no. 1, pp. 18–33, Jan.
2017.
[27] C. A. Soriano-Rangel, W. He, F. Mancilla-David, and R. Ortega, “Voltage
regulation in buck-boost converters feeding an unknown constant power
load: An adaptive passivity-based control,” IEEE Trans. Control. Syst.
Technol., pp. 1–8, Jan. 2020.
[28] S. Trip, M. Cucuzzella, X. Cheng, and J. Scherpen, “Distributed averaging
control for voltage regulation and current sharing in dc microgrids,” IEEE
Contr. Syst. Lett., vol. 3, no. 1, pp. 174–179, Jan. 2018.
[29] N. L. Diaz, T. Dragičević, J. C. Vasquez, and J. M. Guerrero, “Intelligent
distributed generation and storage units for dc microgrids—a new concept
on cooperative control without communications beyond droop control,”
IEEE Trans. Smart Grid, vol. 5, no. 5, pp. 2476–2485, Sept. 2014.
[30] S. Sahoo, J. C. Peng, A. Devakumar, S. Mishra, and T. Dragičević, “On
detection of false data in cooperative dc microgrids—a discordant element
approach,” IEEE Trans. Ind. Electron., vol. 67, no. 8, pp. 6562–6571,
Aug. 2020.