A Review of AI-Based Cyber-Attack Detection and Mitigation in Microgrids

Abstract

In this paper, the application and future vision of Artificial Intelligence (AI)-based techniques in microgrids are presented from a cyber-security perspective of physical devices and communication networks. The vulnerabilities of microgrids are investigated under a variety of cyber-attacks targeting sensor measurements, control signals, and information sharing. With the inclusion of communication networks and smart metering devices, the attack surface has increased in microgrids, making them vulnerable to various cyber-attacks. The negative impact of such attacks may render the microgrids out-of-service, and the attacks may propagate throughout the network due to the absence of efficient mitigation approaches. AI-based techniques are being employed to tackle such data-driven cyber-attacks due to their exceptional pattern recognition and learning capabilities. AI-based methods for cyber-attack detection and mitigation that address the cyber-attacks in microgrids are summarized. A case study is presented showing the performance of AI-based cyber-attack mitigation in a distributed cooperative control-based AC microgrid. Finally, future potential research directions are provided that include the application of transfer learning and explainable AI techniques to increase the trust of AI-based models in the microgrid domain.

1. Introduction

A microgrid is a group of interconnected loads and distributed energy resources (DERs) that supply power to local customers and can operate in either islanded or grid-connected mode. Microgrids are being leveraged to achieve economic operation, sustainable energy, and resilient power provision objectives [1,2,3,4]. The microgrid’s controller orchestrates multiple DERs and controllable loads to provide clean and reliable energy at economical prices. As shown in Figure 1, a typical hierarchical control architecture consists of three layers that operate at varying time scales to achieve the control objectives [5]. The secondary control layer is vital to maintain voltage and frequency at nominal values in islanded operating mode and, in contrast to centralized control, the distributed secondary control offers flexible, reliable, and seamless integration of DERs [6,7,8].

Modern microgrids have transformed into cyber-physical systems where physical assets such as DERs, loads, and power electronics devices make the physical layer and the cyber layer constitutes a communication network and software-based controllers [9]. As a result of their reliance on the Internet of Things (IoT) and newly developed wide-area sensor networks, microgrids are particularly vulnerable to cyber-attacks and network outages. Examples of real-world network failures include North America (2003), which experienced a problem with the status estimator and alarm system, Austria (2013), which experienced network congestion as a result of a software defect, and Switzerland (2005), which experienced information overload. Due to a cyber-attack brought on by malware known as BlackEnergy in control center computers, Ukraine’s power infrastructure failed in December 2015, knocking out thousands of homes and facilities. A significant percentage of consumers would lose power due to such malfunctions and cyber-attacks, and very sensitive and mission-critical equipment may suffer serious harm [10,11,12,13,14,15].

Table 1. A summary of major cyber-attacks against the energy industry is provided.

Location	Target	Type	Impact
North America (2003)	Network failures in control room operating system	Denial of service	Blackout across multiple regions
Korea Hydro and Nuclear Power (2014)	Unauthorized access to critical information	Potential loss of confidential information and designs	Compromised security and safety of plant and personnel
Ukraine (2015)	BackEnergy malware in control room computers	Denial of service, False data injection	Blackout across multiple substations
Kyiv (2016)	Industroyer malware targeting industrial control systems	Denial of service, Issuing false control commands	Power outage to at least one-fifth of Kyiv
Middle East petrochemical plant (2017)	Safety system of the plant	Potential denial of services and life loss	Plant shut down

summarizes the actual reported cyber-attacks on the energy industry [16,17,18]. After examining reported cyber-attacks on the energy sector, a typical cyber-attack chain is found to be initiated by gaining initial access through spear phishing. After gaining an initial foothold, adversaries perform a reconnaissance of the network data to spread out and exfiltrate critical information. Once suspicious logins are established, the attackers manipulate the control and safety systems by dispatching malicious commands and locking out the operators from their machines [19]. The extensive communication network-based cyber layer has resulted in an increased attack surface in microgrids, making them vulnerable to cyber-attacks [20]. As shown in Figure 2, such cyber-attacks may target information sharing among the microgrid’s controller and various intelligent electronic devices (IEDs) by either manipulating the measurements or causing communication delays [21,22]. Attackers with malicious intent can disrupt the transfer of information, resulting in power outages, financial loss, and system instability. With the development of smart grids and the growing interconnection of communication networks, significant cyber-security risks are affecting power grids [23,24]. With the inclusion of cutting-edge communication and computing tools, the current electricity networks are evolving into smarter systems with increased efficiency. However, because there are so many intelligent devices connected via communication networks, it has led to significant concerns about cyber security. A modern power system’s ability to operate reliably and securely is directly impacted by cyber-attacks on such devices. Man-in-the-middle, distributed denial of service, jamming, and false data injection are some of the main types of cyber-attacks that target smart grids [25,26,27].

IoT networks and devices are rapidly evolving, producing massive volumes of data that require rigorous authentication and security. One of the most promising approaches for addressing cybersecurity risks and providing security is artificial intelligence (AI). AI technology appears to be a potential way to improve control, security, and performance in smart grid networks [28,29]. AI-based algorithms are being used in microgrids for a range of applications including intelligent control designs, forecasting, and cyber-attack identification and mitigation [30,31,32,33]. Data-driven methods are being used to predict the availability of renewable resources. The seasonal dependency of solar and wind along with load demand is forecast using various ensemble learning methods. This information helps in power system planning and unit commitment decisions [34,35]. Power system operations can experience interruptions due to power system faults and cyber-attacks. Under such scenarios, the restoration time depends upon the nature and location of a cyber-attack. Modern distributed power systems are equipped with communication layers that accelerate the propagation of such attacks. The AI-based learning algorithms can localize and identify the type of such attack. This helps to reduce the restoration time of compromised systems [36,37,38,39,40,41]. The power grid resilience can be estimated by the frequency and duration of power outage events. The availability of active and reactive power from each generating unit can be adversely affected if control and communication infrastructure are compromised. AI-based resilient control architectures can improve the reliability of the power network. The learning capabilities of artificial neural networks can mitigate the effects of cyber-attacks [42,43,44,45,46].

Microgrids need to be robust and dependable to deliver a continuous and uninterrupted power supply. Communication networks are necessary for microgrids to coordinate and manage DERs. Microgrids can be efficiently managed by distributed cooperative control strategies, which rely upon real-time monitoring, communication protocols, and interoperability to enable the smooth integration of various microgrid components. Cyberattacks have the potential to compromise security and interrupt regular operations of microgrid control systems. Adversaries might use communication network vulnerabilities to their advantage to intercept or modify the transfer of data. Comprehensive safety precautions need to be taken to stop hostile interference, unauthorized access, and manipulation of control signals. In an ever-evolving environment of cybersecurity threats, regular upgrades, monitoring, and adherence to cybersecurity, best practices are crucial to the optimal operation of microgrids [47,48,49,50].

The learning capability of AI-based techniques enables them to estimate the parameters of complex systems, making them suitable for microgrid applications. Various types of artificial neural networks (ANNs), such as the adaptive linear neuron, multi-layer perceptron, feed-forward neural network, Elman neural network, radial basis function network, general regression neural network, and deep neural networks, are in use to design resilient control for microgrids to withstand cyber-attacks [51]. This work specifically focuses on AI-based techniques for cyber-attack detection and mitigation in microgrids. Some of the main contributions of this work are as follows:

• We conducted a systematic search across several scholarly databases, including Google Scholar, IEEE, MDPI, Elsevier, and Springer, using a combination of keywords and focused search terms associated with our area of study. We focused on peer-reviewed books, journals, conference proceedings, and industry white papers to cover a broad spectrum of perspectives and findings, as shown in Figure 3.
• The existing techniques are divided into two main categories, i.e., cyber attack detection and mitigation. The system under study, attack type, data acquisition, and training method of AI-based techniques are summarized in tables for each category.
• A case study is presented on the use case of AI-based technique in the microgrid.

The rest of the paper is organized into 8 sections. The attack surface in modern power systems is expanding with the inclusion of communication networks and intelligent control design. Adversaries can take advantage of various vulnerabilities in microgrids to initiate malicious cyber-attacks. Therefore, Section 2 covers various types of cyber-attacks targeting microgrids. There are several advantages of using intelligent cyber-attack defense strategies, such as early detection of cyber-attacks before they can cause significant damage or disruption to the system, less manual intervention, and enhanced understanding of the system to identify areas for improvement. Hence, cyber-attack detection using AI-based techniques in microgrids is described in Section 3, and Section 4 contains cyber-attack mitigation using AI-based techniques. Learning-based AI techniques are discussed in Section 5. In Section 6, a case study of a test microgrid is presented. The proposed control technique utilizes an advanced AI-based tool tailored to mitigate the data-driven cyber anomalies targeting the communication network of the microgrid. Also, it is scalable and depicts improved performance under complex real-time test scenarios. In Section 7, some challenges and future directions are discussed and, finally, Section 8, concludes this work.

2. Types of Cyber-Attacks in Microgrids

The integrated architecture and related communication networks of microgrids are particularly susceptible to cyber-attacks. The incorporation of intelligent electronic and information-sharing devices and the lack of thorough security standards might leave them vulnerable to malicious cyber-attacks to take advantage of flaws in the system. The potential for smart grid technologies with scalable solutions directly affects the volume of data flow in terms of increased communication and computational needs.

Microgids’ interoperability requires the use of numerous information exchange protocols and communication architectures, which could leave the system prone to cyber-attacks due to insufficient information [52]. Figure 4 depicts several cyber-attacks targeting the cyber and physical layer in a microgrid, and an overview of these types of cyber-attacks targeting microgrids is covered below.

If this issue is not effectively resolved, the system may become more susceptible to cyber-attacks [53].

2.1. False Data Injection Cyber-Attack

False data injection (FDI) is a data-driven attack, in which the attacker may tamper with sensors and phasor measurement units, and compromise the critical information by either injecting false information into the communication network or completely replacing the actual values. This could result in compromised state loss of synchronism and compromised state estimation, which would adversely impact economic dispatch and power supply to critical loads [54,55]. The integrity of the state estimator can be jeopardized by an attacker compromising a subset of meters and sending revised measurements without entirely altering the result. FDI attacks can be carried out even when the attacker is unfamiliar with the power system configuration by obtaining online data, market data, and power flow measurements [56]. Under FDI attack, the feedback signal of a distributed smart grid controller can be described as:

$$U\left(x_n\left(t\right)\right)=x_n\left(t\right)+{\varphi }_n\left(t\right),$$

(1)

where $U\left(x_n\left(t\right)\right)$ is the feedback signal after false data ${\varphi }_n\left(t\right)$ is injected into the nth normal feedback signal of the controller $x_n\left(t\right)$. Various types of FDI cyber-attacks, such as periodic, non-periodic, and simultaneous cyber-attacks, can be modeled by updating ${\varphi }_n\left(t\right)$ [57]. These FDI attacks also have the potential to undermine or even destroy the distributed control systems that govern modern microgrids. FDI attacks typically change the output of AC microgrids, causing equipment damage, by spoofing communications routes and altering signal levels through a distributed communication network. To prevent the FDI attack from being noticed, the malicious data injection range is chosen inside the range of the nominal working condition of the system. By introducing a variety of false information into the communication network, various FDI attacks can be executed against distributed controller feedback signals [58].

2.2. Denial-of-Service Cyber-Attack

The Denial-of-service (DoS) is a type of cyber-attack that aims to restrict access of an authorized user to a network. Microgrids are becoming a prime target of such DoS cyber-attacks due to their dependency on information sharing to meet control objectives [59]. Such attacks are accomplished by jamming communication lines with inaccurate data and disrupting normal data access between control centers and peripheral devices like sensors and actuators. To carry out these kinds of attacks, one is not required to be familiar with the microgrids’ settings or have the necessary skills to alter control messages and measurements. During the DoS cyber-attack on the Ukrainian power grid, operators were unable to communicate control signals to the actuators [10]. Wide area networks can be vulnerable to DoS cyber-attacks if malware is placed in substation routers, giving attackers access to phasor measurement unit (PMU) communications. The reliability of the microgrid is compromised if an attack is successful, since all communication channels must be available for the timely dispatch of control signals. Advanced metering infrastructures may face a cyber threat if an attacker contacts a compromised device after malware has been deployed. By managing a large number of agents, it is possible to deceive the system user into receiving an excessive amount of communication packets. Some of the permitted packets will be lost by the authorized user due to the volume of traffic [53]. In a distributed control-based microgrid with n DERs, the DoS cyber-attack can be modeled as:

$${\left[{\chi }_i\right]}_{n\times 1}={\alpha }_i\left(\tau \right){\left[{\gamma }_i\right]}_{n\times 1}+{\alpha }_j\left(\tau \right){\left[{\gamma }_j\right]}_{n\times 1},$$

(2)

where ${\chi }_i$ represents one of the compromised target nodes and ${\gamma }_{ij}$ are the neighboring nodes of the compromised node. ${\alpha }_{ij}\left(\tau \right)$ are gain factors, $(t_1<\tau <t_2)$ is the time interval for the occurrence of a malicious cyber-attack, and $ij\in \mathbb{R}$ represents one of the DERs in the microgrid. A gain factor of value (1) means the communication link is compromised and not available, and a gain factor of value (0) means the communication channel is not compromised [57]. The use of data filtering techniques, intrusion detection and prevention systems, and cryptographic authentications can significantly reduce DoS in smart grids by detecting it promptly [60].

2.3. Man-in-the-Middle Cyber-Attack

Man-in-the-Middle (MiTM) cyber-attacks may target the information that devices in the microgrid need to share with one another, including control signals, sensor data, and dispatch commands. Such attacks may also target vital power system components in an effort to intercept and gather information on the communications of control center staff, which may be used to launch more attacks [61]. The attacker can assume the identity of a genuine user, intercept and modify message packets sent between two communication nodes, and insert new message packets, all while remaining undetected. The attacker may establish an illegitimate communication channel between two active nodes and start sending malicious data to modify the communication between the sending and receiving end [62]. To ensure the resilience of the microgrids with an increased attack surface, intelligent technologies must be developed. A great number of bidirectional power electronic converters are essential to the two-way power flow controllability and transactive energy capabilities of modern microgrids. These converters must be adaptable, quick, and durable to support the grid under both normal and compromised operating conditions. The risk of cyber-attacks can be considerably decreased by implementing improved cyber-attack detection and mitigation techniques for microgrids [63].

3. AI-Based Cyber-Attack Detection

The presence of communication networks and smart metering devices in microgrids is generating a large data set. These data sets are enabling increased situational awareness of the microgrids and making them vulnerable to cyber-attacks. Therefore, AI-based techniques are being utilized to detect such data-driven attacks due to their exceptional learning and generalization capabilities [64]. A linear regression-based cyber-attack detection for a distributed control-based islanded DC microgrid is used to detect FDI against voltage and current measurements to maintain a stable control operation [36]. Through their sensors and communication interactions, DC microgrids are vulnerable to cyber-attacks. False data injection into the cyber layer can interfere with control goals, resulting in voltage instability and unbalanced load-sharing patterns. Detection of such attacks is integral to the stable operation of DC microgrids. Therefore, in [37,38,39], a deep learning-based detection technique is proposed that takes into account the input features, such as the DC bus voltage and the reference voltage, to forecast the duty cycle of the converter. Apart from FDI, Man-in-the-Middle (MiTM), and denial of service (DoS) type cyber-attacks may also target the communication networks due to the interconnected architecture of smart grids. Therefore, deep learning, Naive Bayes, and Random Forest-based detection techniques are proposed in [40,41]. These techniques are trained using supervised learning with real-world operational and network traffic data sets, and showed a higher accuracy rate of above 95% to prevent loss of communication and secure the network and metering data obtained from intelligent electronic devices.

By combining predictions from different models, the machine learning technique known as ensemble learning increases prediction accuracy and robustness. The use of the collective intelligence of the ensemble aims to remove any biases or errors that may occur in individual models [65,66,67]. Therefore, an ensemble learning-based approach using Decision Trees to detect cyber-attacks on bulk electric power transmission networks targeting bid price and quantity signals is proposed in [68]. This method showed an improved accuracy of 99% to secure the system from attackers to manipulate the system’s reliability and make illegitimate profits by compromising electricity pricing contracts. The manipulation of measurements obtained from substations may lead to incorrect power system state estimations in large connected power networks. An ensemble learning-based technique is developed to detect such attacks that give higher accuracy compared to multiple state-of-the-art machine learning-based algorithms in [69]. The data obtained from phasor measurement units in wide area power networks is also a target for data spoofing attacks that may lead to incorrect power system state estimation by compromising the measurement source authentication. Therefore, an ensemble empirical mode decomposition using a back propagation neural network is proposed in [70]. This proposed method is trained using supervised learning with real data from universal grid analyzers from multiple locations and showed improved performance compared to the long short-term memory (LSTM)-based model. Various types of artificial neural networks are being extensively employed for intelligent cyber-attack detection in microgrids. An auto-encoder neural network and a deep learning auto-encoder neural network are used for FDI against load frequency control and voltage sensor measurements in an islanded AC and DC microgrid, respectively [71,72]. Since the auto-encoder neural network can manage undesired input, such as communication channel disruptions, it is often advantageous for microgrid applications. Also, unsupervised learning is utilized in these auto-encoder-based cyber-attack detection techniques to secure communication networks [73]. Recurrent neural networks (RNN) such as LSTM, convolutional neural networks (CNN), and nonlinear auto-regressive exogenous model (NARX) neural networks have shown promising results for cyber-attack detection in microgrids [74,75,76,77,78,79]. RNNs are a subclass of neural networks that are particularly adept at forecasting time-related data sequences. RNNs permit cyclical connections that can map to each output from prior inputs, in contrast to feed-forward neural networks. The case studies demonstrate that deep RNNs outperform traditional and shallow RNNs and gain from the depth of hidden layers in islanded and grid-connected AC microgrids for FDI and DoS type cyber-attack detection on the communication network and phasor measurements [74,75]. A gated recurrent unit-based neural network and a NARX neural network-based detection techniques against cyber-attacks on current and voltage measurements in an islanded SC microgrid are proposed in [76,80], respectively.

Apart from Deep and recurrent ANNs, classical machine learning methods are widely being used for classification and cyber-attack detection in microgrids such as Logistic regression (LR), k-nearest neighbors (kNN), Gradient boosting (GBT), Random Forest(RF), multi-layer perceptron (MLP), Naive Bayes (NB), and Support vector machines (SVM) [57,81,82,83,84,85,86].

Table 2. Summary of AI-based techniques for cyber-attack detection in microgrids is provided.

System	Attack	Algorithm	Data	Performance Metric
Islanded AC	FDI (control signals, communication networks)	Wavelet transform with deep learning using deep auto-encoder	MATLAB simulations, Unsupervised	Accuracy, >97% [73]
	FDI into load frequency control	Auto-encoder neural network	Using datasets on TensorFlow and Keras software framework, Unsupervised	Not given, [71]
	DoS and FDI into control and measurement signals	Feed-forward ANN, NB, SVM	MATLAB/real-time simulation, Supervised	MAPE 1 0.6% (FDI), 0.1% (DoS), [57]
	DoS, FDI, and time delay on communication and measurements	LSTM, CNN	Simulation-based data, Supervised	Accuracy nearly 100%, [74]
Islanded DC	FDI into voltage and current measurements	Linear regression	Simulation-based, Supervised	Not given, [36]
	FDI into output voltage sensor of DC converter	Deep learning	Simulation-based, Supervised using back propagation	Not given, [37]
	FDI into DC bus voltage sensor	Deep learning	Matlab simulation, Supervised	Not given, [38]
	FDI into voltage sensor	Deep learning auto-encoder with grey wolf optimization	Simulation-based, Unsupervised	Precision 95%, [72]
	RL 3-based intelligent FDI into measurements and control signals	Pattern recognition network, type of feed-forward ANN	Simulation-based, Supervised	Accuracy 98.5%, [81]
	FDI into measurements and communications	NARX ANN	MATLAB/real-time simulations, Supervised	MAPE 1 0.064% (voltages), 0.36% (currents), [76]
	FDI into sensor, communication network, and measurements	Gated recurrent unit neural network	MATLAB simulation, Supervised	RMSE 2 0.028036, [80]
Networked	FDI,MiTM, and DoS on network communication	Deep learning	Real data (from smart grid, substation, power plant), Supervised	Accuracy 96.50%, [39]
	FDI into measurements	NB, RF, Regression	Simulation-based, Supervised	F-score (0.08,095,0.81) for (NB, RF, Regression, respectively), [40]
	FDI on substation measurements and sensors	Ensemble learning technique, minimum voting for critical class	Simulation-based, Supervised	Accuracy 98.8%, [69]
	FDI into wide area communication networks and measurements	Deep recurrent ANN	Simulation-based, Supervised	MSE 4 2.15 × 10${}^{-3}$, [75]
	FDI and DoS sensor measurements and PV control operation modes	LR, kNN, GBT, RF, MLP	(Real smart home electricity consumption data, real solar power, and MATPOWER simulations), Supervised-based data.	Accuracy 95%, [82]
	FDI and time delay on PV control center	Auto-regressive (AR), data driven approach	Simulation-based, Supervised	Not given, [83]
	FDI into substation measurements, sensors, and control commands	domain-adversarial training based on neural networks (DANN)	Datasets obtained from experimental hardware testbed, Transfer learning	Accuracy 80%, [87]

¹ Mean Absolute Percentage Error, ² Root Mean Square Error, ³ Reinforcement Learning, ⁴ Mean Square Error.

and

Table 3. Continuation of Table 1 (AI-based cyber-attack detection).

System	Attack	Algorithm	Data	Performance Metric
Islanded DC	FDI into currents and voltage measurements	Feed-forward ANN	Real-time Typhoon simulation, supervised	Accuracy >90%, [88]
	FDI into communication network	RNN	MATLAB real-time simulation, Supervised	Not given, [89]
Islanded AC	FDI into communication layer and replay attacks	NARX ANN	MATLAB real-time simulation, Supervised	Not given, [90]
	FDI into output voltage and power measurements	Deep learning using rectified linear unit	MATLAB simulation, Supervised	Accuracy 91%, [91]
	FDI into measurements	LSTM	MATLAB simulation, Supervised	Not given, [92]
Networked	FDI into substation measurements and sensors	Cross wavelet transform with SVM classifier	Simulation-based, Supervised	Accuracy 95.53%, [84]
	Network traffic attacks (FDI, malware behavior (Dos), Disabling reassembly)	Bidirectional RNN	Normal dataset from operating IEEE 1815.1-based Korean substation and simulations based attacked dataset, Supervised	Accuracy 98%, [77]
	FDI (measurement source data spoofing)	Ensemble empirical mode decomposition using back propagation neural network	Real data from universal grid analyzers in US locations, Supervised	Accuracy 96%, [70]
	FDI (spoofing synchrophasor measurements)	Dynamic dual kernel SVM	distributed Synchrophasor data from FNET/GridEye, (Supervised, particle swarm optimization)	Accuracy 94.26%, [85]
	FDI (spoofing synchrophasor measurements)	Multi-view convolutional neural networks (CNN)	Distributed synchrophasor data from 11 locations in the frequency measurements network FNET/GridEye, Supervised	Accuracy 91.46%, [78]
	FDI into sensor and measurements	Isolation forest based technique	MATPOWER based simulations, Unsupervised	Accuracy 94%, [86]
	FDI, DoS, Distributed DoS on communication networks and sensors	Deep Learning(LSTM,RNN)	MATLAB-based simulation, Supervised	Accuracy 95%, [79]
	FDI into PV related measurements	ANFIS	MATLAB simulation, Supervised	RMSE 0.11, [93]
	DOS, communication layer	Decision Tree classifier	MATLAB simulation, supervised	Accuracy 98%, [94]

summarize the various AI-based cyber-attack detection techniques including the information about data acquisition, training, and performance benchmarking of the proposed methods.

4. AI-Based Cyber-Attack Mitigation

With the inclusion of DERs and communication networks, distributed control is becoming popular for integrating renewable resources into the microgrids. The collaborative nature of such distributed cooperative control-based microgrids can easily spread out a simple cyber-attack on a single DER or a communication link to the entire system, resulting in control failure or even making the overall power system unstable [95,96,97,98]. One solution to mitigate such cyber-attacks and maintain the stable operation of microgrids is to develop a resilient controller [8,27,95,99,100,101,102,103,104]. AI-based techniques are being utilized to design resilient control schemes in microgrids to mitigate the malicious effects of such attacks [42,43,44,45,46,105]. Because of its low computing overhead, effectiveness, and simplicity in design and implementation in a distributed control system, adaptive neuro-fuzzy inference systems (ANFISs) are used for cyber-attack mitigation in an islanded DC microgrid in [42,43]. The proposed framework is based on a residual analysis of the error signal that results from comparing estimated and real detected signals to detect and mitigate the cyber-attack.

NARX ANN is a special class of recurrent neural networks best suited for time series data prediction, input–output modeling of nonlinear dynamical systems, and cyber attack detection in microgrids. Therefore, NARX ANN-based resilient controller is designed to mitigate the cyber-attacks in distributed cooperative control-based AC and DC microgrids in [44,106], respectively.

The proposed controller is trained using the data obtained by simulating the test microgrid system under varying operating conditions. After optimal selection of NARX ANN parameters during offline training, it is deployed as an estimator to generate the reference for the proportional-integral-based controller in [106] whereas, it acts as a secondary level controller to replace the conventional PI-based controller in [44]. Feed-forward ANNs are used to make the existing control resilient in both AC and DC microgrids and showed the improved performance to mitigate the cyber-attacks [46,57,105,107,108,109]. The proposed technique is based on the reference tracking application for the output DC current of each converter to mitigate the false data. This approach works as a PI-based controller reference tracking application in which the reference is prepared by a Feed-forward ANN that acts as a local estimator for each DER to estimate the output current of the converter. The estimated output from the ANN sets the reference for a PI-based controller whose output is added to the output current of the converter [46,107,108]. This way, the feed-forward ANN maintains the desired reference value in the secondary control layer when false data are injected into the measurements and communication network of the microgrid to mitigate the impact of cyber-attacks. A similar approach utilizing the feed-forward ANN is proposed for a distributed cooperative control-based AC microgrid and a model predictive control-based DC microgrid in [57,109], respectively.

Microgrids are becoming more complex with the increased adoption of electric vehicles, and load frequency control has been effectively utilized to maintain frequency under fluctuating load and generation conditions. For such complex microgrids, a Hyper-basis function neural network is employed to mitigate FDI-type attacks on communication networks and measurements. These attacks may lead the microgrid operation to an unstable state due to incorrect state estimation caused by compromised measurements [45]. In the proposed controller, an intelligent hyper-basis function neural network observer is designed to accurately estimate the state of the microgrids and reconstruct the possible attack signal. Subsequently, a novel hyper-basis ANN-based $H_{\infty }$ controller is designed to mitigate the negative impact of FDI attacks to maintain the normal operation of the microgrid. In [110], a multi-agent deep reinforcement learning (RL)-based algorithm is proposed for exposing weaknesses in the current cyber-attack detection techniques and laying the groundwork for more dependable cyber-secure solutions, with a focus on DC microgrids. This technique identifies the weak points in the traditional index-based cyber-attack detection schemes and generates coordinated stealthy destabilizing FDI attacks on cyber-secured islanded DC microgrids. A deep deterministic policy gradient is integrated to give trained RL agents a continuous action space and improve the algorithm’s accuracy and convergence rate. This method identifies a state-of-the-art detection scheme’s sensitivity to a number of coordinated FDI attacks considering the distributed communication delays and load changes.

Table 4. Summary of AI-based techniques for cyber-attack mitigation in microgrids is provided.

System	Control	Attack	Algorithm	Data	Performance Metric
Islanded DC	Distributed secondary control	FDI into cyber layer	ANFIS	MATLAB simulation, Supervised	Accuracy 99.40%, [42]
	Adaptive model predictive control (APMC)	FDI into voltage and current sensors	ANFIS	MATLAB simulation, Unsupervised	RMSE 0.000846, MAE 0.001543, [43]
	Decentralized cooperative control	FDI into cyber layer (current measurements)	Feed-forward ANN	MATLAB real-time simulation, Supervised	Not given, [46]
	Supervisory control	FDI into secondary control voltage and current measurements	Feed-forward ANN	MATLAB simulation, Supervised	Not given, [105]
	Distributed cooperative secondary control	FDI into cyber layer measurements	Feed-forward ANN	MATLAB real-time simulation, Supervised	Not given, [107]
	Droop control	FDI into output voltage measurements	Deep learning Gated recurrent unit	MATLAB Simulation, Supervised	RMSE <0.05, [80]
	Distributed cooperative secondary control	FDI into cyber layer voltage and current measurements	Feed-forward ANN	MATLAB simulation, Supervised	MSE 5 × 10${}^{-10}$, [108]
	Distributed cooperative secondary control	FDI into cyber layer current and voltage measurements	NARX ANN	MATLAB simulation, Supervised	Not given, [106]
	Model predictive control	FDI into cyber layer currents and voltages	Feed-forward ANN	MATLAB simulation, Supervised	MSE 2.9 × 10${}^{-10}$, [109]
	Distributed cooperative secondary control	FDI into cyber layer currents and voltages	Multiagent deep reinforcement learning	MATLAB and dSpace MicroLabBox, Supervised	Not given, [110]
	Synchronous buck converter primary control	FDI into output voltage sensor	Back-propagation ANN	MATLAB simulation, Supervised	RMSE 0.000283, [37]
Islanded AC	Distributed cooperative secondary control	FDI into measurements and communication network	NARX ANN	MATLAB real-time simulation, Supervised	MAPE 0.01%, [44]
	Load frequency control with electric vehicles	FDI into measurements and communication network	Hyper basis function neural network	MATLAB simulation, Supervised	RMSE 0.0015, [45]
	Distributed cooperative secondary control	FDI into measurements and communication network	Feed-forward ANN	MATLAB real-time simulation, Supervised	Not given, [57]
	IEEE distribution networks and islanded microgrid with supervisory control	FDI (Low-frequency source oscillations)	Ensemble learner	Digisilent, Supervised	True positive rate (TPR) >90% False positive rate (FPR) < 3%, [111]
Islanded AC	Central supervisory control	FDI into smart metering devices and central controller unit	Modified prediction interval-based LSTM	Residential microgrid data, Supervised	Accuracy 97%, [112]
	Secondary control for frequency regulation	DoS and FDI into measurements	Adaptive reinforcement learning	MATLAB real-time simulation, Supervised	MAE 1.2 × 10${}^{-5}$, [113]

provides state-of-the-art AI-based cyber-attack mitigation techniques, their applications in multiple resilient control designs, and a measure of performance metric along with the specific target of cyber-attacks in the microgrids.

5. Learning-Based Cyber Attack Detection and Mitigation

The vulnerability of microgrids to cyber attacks can be addressed using various data-driven and learning-based techniques for cyber attack detection. The conventional methods are over-reliant on the accurate model of the system while learning-based techniques leverage the computation power and amount of data from the system. Several techniques have been used in the literature to detect and mitigate cyber attacks on microgrids such as transfer learning, explainable learning, ensemble learning, and physics-informed AI.

Transfer learning uses the pre-trained models for the detection of malicious attacks which decreases the need for a huge amount of training data. Transfer learning can be further divided into inductive transfer learning, unsupervised transfer learning, and transducive transfer learning [114]. Representation subspace distance (RSD) based transfer learning is applied to the DNN-based estimator in [115] to improve the cyber security of the microgrid. In smartgrids, cyber-attacks may impede access to local data which can cause issues in power planning and dispatch decisions. Deep transfer learning for load forecasting can provide high-quality load prediction with less data so that in case of missing local data the prediction data are readily available [116]. In general, forecasting methods can be improved by utilizing the generalizing capability of transfer learning without the need for excessive data. A Lower Upper Bound Estimation (LUBE) method is used for FDI attack detection in [117] to provide Prediction intervals (PIs) over smart meter data at the consumer end. In [118], Hilbert–Huang Transform and Deep Learning are employed on distinctive data sets generated via bootstrap for FDI attack detection.

The recent advances in machine learning have improved performance metrics, but the ML models are largely black boxes. Explainable learning or Explainable AI (XAI) is a discipline of AI that tries to explain the predictions and outcomes of machine learning models [119]. From a cyber-security perspective of the microgrid, operators need to trust models and their predictions. XAI is important for the interpretation of decisions in critical scenarios such as flagging a measurement and initiating an inquiry for a particular attack. The cost of misclassification in certain circumstances can be too large [120]. In [121], an XAI framework for fault detection and classification is developed and tested on a 50kW microgrid testbed. An Intrusion Detection System (IDS) is designed in [122] that provides an explanation of each classification through statistics-based measures using Shapley additive explanations (SHAP).

Ensemble learning involves diverse data sets, training various member classifiers, and combining classifier results through various techniques [123]. Extreme-Learning Machines (E³LM) are used to detect the anomaly cases caused by FDIAs and validated on IEEE 14-, 57-, and 118-bus systems [124]. Physics Informed AI leverages the fusion between the physics-based models and the AI advances. Physics-Informed Neural Networks (PINN) and Physics-Informed Reinforcement Learning find a range of applications in power systems [125,126,127,128]. In [129], a Distributed Deep Reinforcement Learning (DRL) strategy is used to design an optimal defensive strategy against FDI attacks in microgrids under a few assumptions. Though promising, the physics-informed AI depends on the accuracy of the model and the dataset. The cyber security of microgrids against attacks can be improved by investing efforts in enhancing the model fidelity. On the other hand, XAI is a relatively new field and it can be leveraged further to make sense of the decisions about the detection of cyber attacks for the grid operators. Various AI-based techniques for cyber-attack detection and mitigation in microgrids are summarized in Figure 5.

Table 5. Summary of works using various Learning-based methods for cyber-attack detection and mitigation.

Learning Method	Attack	Algorithm	Data	Performance Metric
Transfer Learning	FDI, DoS	RSD-based transfer learning	MATLAB/Simulink based simulation	RMSE 3.332 × 10−3, [115]
	FDI	Deep transfer learning	Raw power fluctuations data from neighboring cities	MAPE 2.87%, RMSE 0.042, [116]
	FDI	Lower and Upper Bound Estimator (LUBE) combined with Optimization	Smart meters on the customer side	Confusion matrix CR 91.64% FR 8.63%, [117]
	FDI	Deep learning using Krill Herd Optimization algorithm	Distinctive datasets generated via bootstrap	Accuracy 93.76%, [118]
Explainable Learning	FDI	XAI framework using python libraries		Accuracy, recall and precision, [121]
	FDI	Explainable AI using SHAP	UNSW-NB15	True Positive Ration (TPR) and False Positive Ration (FPR), [122]
Physics-based Learning	FDI	DRL	microgrid simulations	Average security level [129]

provides a summary of various learning-based techniques for cyber-attack detection and mitigation in microgrids, data acquisition, attack types, and a measure of performance metric.

6. Case Study

To show the effectiveness of AI-based cyber-attack mitigation, an islanded AC microgrid is considered with cyber-attacks targeting the communication network as shown in Figure 6. The physical layer contains DERs and loads, whereas the cyber layer has communication protocols for information exchange among DERs. The primary controller is implemented locally at DERs using a conventional droop control technique that provides a relationship between the frequency ${\omega }_i$, the reactive power $Q_i$, the active power $P_i$, and the voltages $v_o$.

The voltage and frequency droop characteristics are given by:

$$\left\{\begin{array}{c}{v}_o=v^{*}-n_{Q_i}{Q}_i,\hfill \\ w_i=w^{*}-m_{P_i}{P}_i,\hfill \end{array}\right.$$

(3)

where $v^{*}$, ${\omega }^{*}$ are the primary voltage and frequency reference values, and $m_{P_i}$, $n_{Q_i}$ are the active and reactive power droop coefficients, respectively. At the secondary level, distributed cooperative control is utilized to reduce the voltage and frequency error when compared to the nominal values generated by the primary control. The secondary control sets a reference for the primary control such that the voltage and frequency of each DG are synchronized with their respective reference values ($v^{*}$ and $w^{*}$):

$$\left\{\begin{array}{c}\underset{t\to \infty }{lim}∥v_o-v^{*}∥=0,\hfill \\ \underset{t\to \infty }{lim}∥w_i-w^{*}∥=0.\hfill \end{array}\right.$$

(4)

The distributed cooperative secondary voltage and frequency control for a single DER requires its own information and that of the neighboring DERs to achieve the control objectives. The reference for the inverters is produced by the voltage and current controllers utilizing droop-control methods [6].

Two types of FDI cyber-attacks are considered for this case study. Firstly, the desired reference set value for the controller is replaced with false data to compel the system to follow an incorrect set of reference values. The attacker replaces the intended signal $u_n\left(t\right)$ entirely with its multiple using a constant $\gamma$, resulting in:

$$x\left(u_n\left(t\right)\right)=\left\{\begin{array}{c}{u}_n\left(t\right),whent<t_o,\\ \gamma \ast u_n\left(t\right),whent>t_o.\end{array}\right.$$

(5)

FDI cyber-attack is initiated at $t=2$ s with $\gamma =0.5$, targeting the DER2 voltage communication link. Secondly, a periodic time-varying cyber-attack is initiated by injecting a periodic sinusoidal signal with time period $\left(\omega t\right)$ and amplitude $\xi$ into the normal signal $u_n$, as follows:

$${\psi }_n\left(t\right)=\left\{\begin{array}{c}0,whent<t_o,\\ \xi sin\left(\omega t\right)\ast u_n\left(t\right),whent>t_o.\end{array}\right.$$

(6)

In this case, false data are injected into DER3 voltage communication link at $t=2$ s with $\xi =0.5$ and $w=2\pi 60$ rad/s. The microgrid continues to operate normally for $t<2$ s.

To mitigate the negative impacts of FDI cyber-attacks a NARX ANN-based resilient controller is designed. to replace the state-of-the-art PI-based controller in the secondary layer of distributed cooperative control. The architecture of NARX ANN has a hidden layer with 10 nodes, an input layer with 13 nodes for voltage and frequency information, and an output layer with four nodes for corresponding reference output for each DER. This structure is optimized after multiple trainings and found best suited for this work. The preceding batch of output and input, $y(k-i)$ and $x(k-i)$, respectively, establish the NARX ANN’s output $y\left(k\right)$ that constructs an autoregressive model to predict the current value of the dynamical system [44]. These delayed output values act as pseudo-states to extract system dynamics from time series data. This characteristic makes NARX ANN a promising choice for nonlinear dynamical system modeling in applications like intelligent control having a mathematical model given as follows:

$$y(k+1)=f[x(k-n),\dots ,x(k-d_x-n+1),y\left(k\right),...,y(k-d_y+1)],$$

(7)

where $y\left(k\right)$ is the model output, $x\left(k\right)$ is the model input at discrete time interval k, $d_x$ is input memory order, and $d_y$ is output memory order. AI-based model development involves three main steps including data acquisition, training of the model, and performance evaluation using standard metrics as shown in Figure 7. This model development process is established from the state of the art, and has been effectively implemented in the power systems domain [130].

The test microgrid in this case study consists of four DERs coupled through RL lines to provide power to two RL loads. This microgrid is designed in MATLAB Simulink with a distributed cooperative control-based secondary controller. The design parameters of the microgrid are given in

Table 6. The design parameters of the test microgrid and real-time digital simulator are given.

Parameter	Value	Parameter	Value
$L_{12}$	(0.23 + j318 µ) $\Omega$	$V_{ref}$	300 V
$L_{23}$	(0.35 + j1847 µ) $\Omega$	$L_{filter}$	1.35 mh
$L_{34}$	(0.23 + j318 µ) $\Omega$	$C_{filter}$	50 µF
Simulator	OP5600 from OPAL-RT	Processor	4 Cores, 3.0 GHz
Software	RT-LAB 2019	FPGA	Xilinx® Artix®-7 from OPAL-RT

. Further details regarding distributed cooperative control design and system parameters can be found in [6,44]. The DERs share voltage and frequency information over the communication network to meet the control objectives.

After the FDI attack, the proposed NARX ANN-based control is compared to the PI-based control, with the results depicted in Figure 8. As illustrated in Figure 8a, the proposed controller maintained the required output voltage at the output of DER2 after the initiation of the FDI cyber-attack. Similarly, after the FDI cyber-attack, the NARX ANN-based voltage controller maintained the specified output voltage at the output of DER3, as shown in Figure 8b. The proposed NARX ANN-based distributed secondary control has demonstrated improved reference tracking capabilities compared to the PI-based control under cyber-attack, as shown in Figure 8.

7. Discussion

Few AI-based models currently offered in the academic literature have been implemented in practice; the majority are still in the theoretical stage. Many AI and ML approaches, like fuzzy expert, which simulates logical thinking, SVM, which can locate a hyperplane in a high-dimensional space for classifications, and deep learning-based on ANN with numerous hidden layers in the network, have been incorporated into numerous articles. There are multiple reasons for this, such as irreproducible studies, the absence of any benchmarking models or statistics in the literature, and the lack of comparisons to other state-of-the-art models. As a result, the literature is abundant and of diverse quality. In AI-based research studies, models are typically compared with models that are far less capable than the state of the art in that family, rather than with statistical models or other models of AI. Instead of being technique-specific, useful insights and breakthroughs must be transferable between different approaches.

The majority of AI-based modeling uses three stages: initial training to choose parameters, validation to prevent over-fitting, and testing with unknown data that is distinct from the training and validation phases. There are some variations in these stages that are also employed, such as cross-validation, which involves multiple training and validation runs on historical data from various time periods. The selection of parameters is frequently made using metaheuristic algorithms or a mixture of them. Similar to this, several ANNs topologies with varied numbers of neurons, hidden layers, and activation functions are suggested to demonstrate superior performance. Such hyperparameter tuning might be effective in a given situation, but it might not be applicable in all circumstances. Therefore, research needs to shift its emphasis to creating new techniques, useful guidelines, and new ANN structures like recurrent ANN and deep learning with transfer and explainable frameworks. Continuous learning, environment adaptation, and extremely fast output computation are all capabilities of ML approaches. However, addressing the highly intricate nature of power system operations processes to prevent blackouts or to find an optimum operating point without violating any operational limitation is still too safety-critical to accept an ML-based solution. Because there are no performance guarantees, it is challenging for power system operators to trust an AI-based method. AI-based models can be utilized as a tool to help, for instance, by utilizing their computational power to rapidly assess thousands of scenarios. This will aid in the widespread use of AI models in the field of power systems. Applying explainable and interpretable methods is necessary to increase confidence in AI models. This would enable the AI-model output to be verified throughout the whole input space as opposed to just a small dataset. Additionally, physics-informed AI models can be applied by incorporating physics-based models into the training phase of AI models, allowing the model to learn from them rather than creating data as part of the training process.

In order to increase automation, flexibility, and efficiency in operations, energy and critical infrastructure companies are actively developing an industrial Internet of Things (IoT). This is achieved by seamlessly integrating information technology (IT) applications with operational technology (OT) to control physical assets. However, these goals will not be achieved without IoT cybersecurity monitoring and detection. Siemens Energy has developed an AI-based Managed Detection and Response (MDR) system. MDR’s monitoring methodology and technology platform leverage AI and machine learning to gather and model energy asset intelligence. Siemens Energy has created a new platform for Security Information and Event Management (SIEM) called ${EOS.ii}^{\mathrm{TM}}$. This is a scalable and adaptable AI-based platform for monitoring and detection and is intended to be the cornerstone of a next-generation fusion security operation center for IoT. It is made to allow for the quick collection, processing, and prioritization of useful information in industrial operating situations. ${EOS.ii}^{\mathrm{TM}}$ applies machine learning to combine IT and OT monitoring and cyber-attack detection capabilities [131,132].

8. Conclusions

This paper provides a comprehensive review of microgrids’ cyber vulnerabilities and AI-based techniques to enhance the security of microgrids. This includes AI-based cyber-attack detection and mitigation to achieve a resilient operation of microgrids in the presence of extensive communication networks. Cyber security is addressed from a physical and cyber layer perspective containing power-electronics-based converters, smart metering devices, and information-sharing networks. Cyber-attack’s potential targets and their impacts on the operation of microgrids are discussed. AI-based cyber-attack detection and mitigation in microgrids were summarized, along with a case study where utilizing such techniques is presented. In addition, learning-based techniques are also covered to overcome the black-box nature of AI-based models. The proposed ideas have the potential to counter the challenges posed by cyber-attacks on microgrids.