title: On the Feasibility of Load-Changing Attacks in Power Systems during the COVID-19 Pandemic
authors: Ospina, Juan; Liu, XiaoRui; Konstantinou, Charalambos; Dvorkin, Yury
date: 2020-11-19

The electric power grid is a complex cyberphysical energy system (CPES) in which information and communication technologies (ICT) are integrated into the operations, markets, devices, and services of the power grid infrastructure. The growing number of internet-of-things (IoT) high-wattage appliances such as air conditioners, water heaters, and electric vehicles being connected to the power grid, together with the high dependence on ICT and control interfaces, makes CPES vulnerable to high-impact, low-probability load-changing cyberattacks. Moreover, the side-effects of the COVID-19 pandemic demonstrated a modification of electricity consumption patterns, with utilities experiencing significant peak load and net-load reductions. The unusual sustained low load demand conditions could be leveraged by adversaries in order to cause frequency instabilities in the CPES by compromising hundreds of thousands of IoT-connected high-wattage loads. This paper presents a feasibility study of the impacts of load-changing attacks on CPES during the low net-load demand conditions caused by the lockdown measures implemented during the COVID-19 pandemic, specifically, during the stay-at-home orders (SAHO) declared by different states in the United States. We analyze the load demand reductions caused by the lockdown measures using dynamic mode decomposition (DMD), focusing on the March-to-July 2020 period and the New York region as the most impacted time period and location in terms of load reduction due to the SAHO being in full execution.
Our feasibility study evaluates load-changing attack scenarios using real load consumption data from the New York Independent System Operator and shows that an attacker with sufficient knowledge and resources could be capable of producing frequency stability problems, with frequency excursions going up to 60.5 Hz and 63.4 Hz, when no mitigation measures are taken.

The wide-scale deployment of information, sensing, and communication technologies in electric power systems (EPS) contributes to various power grid functionalities. For example, Internet-of-Things (IoT) devices are widely utilized in industrial assets to provide control and monitoring support for supervisory control and data acquisition (SCADA), advanced metering infrastructure (AMI), and other types of communication and control infrastructures. As a result, during the last few years, the efficiency, robustness, and reliability of cyberphysical energy systems (CPES) have been greatly improved. At the same time, the vulnerabilities inherited from the IoT ecosystem have expanded the CPES threat surface. The roll-out of customer-end IoT-controllable high-wattage devices and distributed energy resources (DERs) unlocks new vulnerabilities on the demand side of CPES and opens new avenues for adversaries to launch large-scale coordinated remote attacks on power system assets. For example, DERs or modern controllable loads use IoT devices to coordinate their operations with other CPES (e.g., via IoT-based smart meters or other home assistants such as Amazon Echo and Google Home). Naturally, these IoT interfaces become great attack vectors due to the countless vulnerabilities engendered by the complex IoT supply chains. Insecure remote login passwords of IoT devices can be exploited for malware infection, as in the Mirai botnet which, in 2016, successfully compromised thousands of household IoT devices in a distributed denial-of-service campaign [1].
Firmware updates are another source of contamination [2], e.g., in consumer devices such as printers [3], relay controllers [4], [5], etc. Ghost domain name system (DNS) attacks can infect IoT devices by routing them to malicious DNS servers [6]. Attacks on electricity consumers and DERs are essentially facilitated by the negligence of the customers that use default or weak security credentials [7]. Adversaries capable of compromising IoT-controllable high-wattage loads and DERs of CPES can maliciously affect the stability of the grid, causing degradation of grid equipment or even power outages and large-scale blackouts [8]. Although currently hypothetical due to the low penetration rates of high-wattage loads and DERs (prosumers), these types of attacks are projected to become realistic in the near future as the penetration rates are anticipated to grow exponentially. Because load-changing attacks disturb the system from the demand side in a distributed manner, and because the attack payload can be weaponized in various ways [9], it is difficult for system operators to detect and mitigate such attacks in order to maintain frequency stability and ensure that voltage and frequency levels are within operational limits. In addition, IoT-based attacks on CPES do not require operational knowledge of the power system and are very easy to repeat.

Existing work on load-changing attacks has focused on the modeling and analysis of attack vectors in which system conditions, e.g., electric power demand and electricity prices, make use of forecasting models which do not account for sudden reductions in peak demand and delivered energy nor modification of consumption patterns [14]. The authors in [15] have demonstrated that load-changing attacks can cause controlled load shedding but not cascading failures.
Sudden IoT attacks increasing the system load demand will cause underfrequency load shedding (UFLS) control to split the frequencies of the buses into islands of different operating regions of the grid when the system cannot handle the load and the frequency drops. In [12], the authors investigated the feasibility of a load-changing attack using compromised electric vehicles (EVs). After canvassing publicly available data, they recovered the exact configuration of the high-voltage power grid and public EV charging stations (EVCS) in Manhattan, NY. Using this publicly available data, the work designed a data-driven attack mechanism requiring from around 500 to about 5,000 compromised Tesla EVs, depending on grid conditions and attack parameters, to destabilize the frequency, leading to a major blackout. Furthermore, a dynamic load-changing attack against power system stability is studied in [10]. The authors formulated the problem as a closed-loop attack in which a dilettante adversary controls the changes in the compromised load based on the system frequency feedback.

Starting in early 2020, the novel coronavirus disease (COVID-19) severely affected the entire globe as a public health and economic crisis. At the same time, the COVID-19 pandemic caused substantial changes in the operations of bulk power systems and electricity markets. One of the most evident effects of the health crisis on EPS is the reduction in peak demand and consumed energy; electricity demand remains lower than typical expectations during the pandemic in many regions of the world. For example, the electricity demand in June 2020 in EU countries was 10% below the 2019 levels. In Italy, the 2019-2020 year-on-year change in electricity demand, weather corrected, reached 28% during the 15th week of 2020 [16]. Similarly, there was a 13% electricity demand drop during the lockdown period in China.
Compared with the expected demand, New York City's hourly demand in mid-April 2020 ranged from roughly 5% to 21% below typical levels; reductions in electric consumption averaged 21% below expected during the 8 a.m. hour [17]. The impact on energy consumption and peak demand, as well as the alteration of the consumption patterns, has brought numerous challenges for utilities and system operators. Different practices have been followed to proactively mitigate technical issues and maintain normal operating conditions of CPES [14]. Examples include switching off and on automatic voltage control systems, capacitors, and reactors, utilizing STATCOM (static synchronous compensator) and UPFC (unified power flow controller) devices to absorb reactive power, or the use of automatic UFLS and reserve arrangements, among others.

Besides the technical and business impacts of COVID-19 on the electric industry, the pandemic increased the dependency on the Internet (e.g., remote work). This reliance expands the number of cyberspace-related incidents as malicious attempts have proliferated to exploit this sudden unplanned shift in society. COVID-19 drives criminal and political cyberattacks across networks, cloud, and mobile phones; pandemic-related attacks increased exponentially from under 5,000 per week in February 2020 to over 200,000 per week in late April 2020 [18]. For instance, COVID-19 scams often use phishing emails and malicious websites to promote fake vaccines and cures, fraudulent charity drives, and false information on government aid, while at the same time delivering malware to unsuspecting users and insecure services. Table I shows a summary of some of the most prominent threats and vulnerabilities exacerbated due to the COVID-19 pandemic and lockdown measures. Example attack categories range from malware, Zoom bombing, and phishing attacks all the way to sophisticated critical infrastructure attacks that could compromise the integrity of the power grid.
Due to the barrage of cyberattacks during COVID-19, the malicious exploitation potential of ICT and control interfaces of IoT-controllable loads could, more than ever before, constitute a realistic cyber-threat to power grid operations.

In this paper, we focus on analyzing the feasibility of load-changing attacks in power systems during the 2020 COVID-19 pandemic while using the previous year (2019) as a baseline. The contributions in this paper can be summarized as follows:
• We perform a dynamic mode decomposition (DMD) and statistical analysis of load consumption data during the COVID-19 outbreak in order to identify dynamic load patterns that could cause abnormal loading conditions in CPES, and thus create vulnerable circumstances that attackers could use to their advantage to perform load-changing attacks.
• We investigate the possibility of attackers compromising the stability of power systems, taking into consideration abnormal loading conditions caused by lockdown measures such as the ones seen during the COVID-19 pandemic.
• We experimentally examine and simulate load-changing attack scenarios that could adversely impact the frequency of CPES during the decreased load demand conditions caused by COVID-19 lockdown measures.

The rest of the paper is organized as follows. In Section II, the impact of the lockdown measures is evaluated based on the COVID-19 pandemic response timeline using DMD and statistical analyses. The most affected region in the U.S. is identified and then used jointly with the threat model presented in Section III. In Section III, we present the threat model of the load-changing attack and the operational standards for frequency stability in EPS at some of the regions evaluated across the U.S. Section IV presents the experimental setup and results of the case studies used to evaluate the feasibility of load-changing attacks during low net-load demand periods, such as the ones observed during the COVID-19 pandemic.
Finally, Section V presents conclusions and discussion.

Before examining the feasibility of load-changing attacks in CPES during the COVID-19 pandemic, it is important to first understand the impact that the lockdown measures, due to the novel COVID-19 pandemic, had on electricity consumption around the U.S. In order to understand this impact, we analyzed electricity consumption data obtained from a cross-domain open-source data hub, COVID-EMDA [27]. This data hub integrates weather, satellite imaging, mobile device location, and electricity market data from seven regions that cover some of the hardest-hit states in the U.S., i.e., California, Texas, Midcontinent Central region, Kansas, Illinois, New York, and Massachusetts. In this paper, we focus our attention on analyzing seven main representative urban areas that belong to the major Regional Transmission Operators (RTOs) in the U.S. Urban areas have been the ones most affected by COVID-19 spread and lockdown measures; according to the United Nations (UN), they have become the epicentre of the pandemic with more than 90% of all reported cases [28], [29]. The representative urban areas analyzed and

In order to understand the load demand changes and the magnitude of the COVID-19 impacts across the seven major regions examined, we first analyze the possible reasons why such changes occurred. Thus, we compiled a series of important events, in a timeline, that correlate with the load variation during the outbreak. Fig. 1 shows the timeline for the different regions analyzed. As seen in this timeline, the majority of the lockdown measures in the analyzed states occurred during the March-to-May period of 2020. Also, it should be noted that re-openings in most of these places occurred during the second and third weeks of May.
Based on this timeline, we selected the period ranging from March 1st to June 30th as the one to compare with the previous year (2019) for load consumption comparisons and impact analysis. In Fig. 2, we can observe how the electricity consumption in the major U.S. zones and RTOs during the COVID-19 pandemic of 2020 was notably reduced, compared to 2019, during the period of March 1st to June 30th. The most affected time periods are the ones between 6 am and 12 pm in all regions. Also, the most affected city due to the lockdown measures is clearly NYC since a significant load demand reduction can be observed at all times during the lockdown period. In regions such as Central-MISO and NYC-NYISO, overall low net-load demand conditions can be observed throughout the day. In NYC, the highest load difference between the average load of 2019 and 2020 is found at the time period of 11 am to 12 pm, where a load difference of around 860 MW exists (around 10% of the total maximum load). Similarly, in Central-MISO, the highest load difference between the average load of 2019 and 2020 is found at the time period of 7 am to 8 am, where the load difference is around 2,020 MW (around 5% of the total maximum load). These results indicate that NYC is one of the most affected regions by the COVID-19 lockdown measures, and thus, we focus our attention on this region.

DMD is a recently developed method capable of performing spatio-temporal decomposition of high-dimensional data [30]. This process captures snapshots or measurements in time from a given system and decomposes them into dynamic modes or patterns that can be used to explain the system's behavior. In our case, our 'system' is determined by the load consumption data during the time period of the COVID-19 outbreak of some of the most affected regions in the U.S.
In order to apply DMD, we structure the load consumption data: $x_{m+1}$ represents future measurements (snapshots) and $x_m$ represents previous measurements from the vector $x \in \mathbb{R}^{n}$, where $n$ represents the number of spatial points at each snapshot. For data pairs in $x$, a best-fit linear operator matrix $A$ is defined as: $\ldots x_n]$ at snapshot $m$. In our case, the spatial points $n$ represent the individually normalized load consumption values for different affected regions across the U.S. It is important to note that according to [30], the relationship presented in Eq. (1) does not need to be exact, since other theoretical works have demonstrated that the approximation of $A$ (i.e., the full high-dimensional system matrix) as $\tilde{A}$ (i.e., the rank-reduced representation) can be used for complex non-linear system applications [31]. This approximation is useful as it avoids the computational complexity of performing the full eigendecomposition of the high-dimensional system matrix. Using this relationship, we can essentially separate our dynamic system into datasets: where $X$ and $X' \in \mathbb{R}^{n \times (m-1)}$. Combining Eq. (1), (2), and (3), the relationship of the states in our system can be described as: where the DMD modes, also called dynamic modes of the evaluated dynamical system, are the eigenvectors of $A$, while each DMD mode corresponds to a particular eigenvalue of the matrix $A$ [30]. However, as mentioned before, in a high-dimensional system, the matrix $A$ may be intractable to analyze directly. So, in order to avoid the full eigendecomposition of $A$, DMD makes use of its rank-reduced representation in terms of the proper orthogonal decomposition-projected matrix, $\tilde{A}$. All the steps necessary for performing DMD in a given dataset are presented below:
1) Perform the singular value decomposition (SVD) of $X$: where $*$ denotes the conjugate transpose, and $U \in \mathbb{C}^{n \times r}$, $\Sigma \in \mathbb{C}^{r \times r}$, and $V \in \mathbb{C}^{m \times r}$. Here, $r$ is the rank of the reduced (truncated) SVD approximation to $X$.
For more details regarding the process and benefits of truncation in DMD see [30].
2) Calculate the matrix $A$ using the pseudoinverse of $X$ obtained using SVD:
3) Compute the eigendecomposition of $\tilde{A}$: where the columns of $W$ are eigenvectors and $\Lambda$ is the diagonal matrix that contains the respective eigenvalues.
4) Finally, the reconstruction of $A$ can be performed using $W$ and $\Lambda$, where the eigenvalues of $A$ are determined using $\Lambda$ and the eigenvectors, that represent the patterns of the DMD modes, are determined by the columns of $\Phi$. $\Phi$ is then computed as follows:

The utilization of the discussed DMD method can identify coherent spatio-temporal patterns (modes, $\Phi$) in the dataset by calculating the respective eigenvectors and eigenvalues. Each eigenvalue describes the growth or decay and oscillatory patterns observed in each dynamic mode (eigenvector) identified in the dynamic system. Therefore, DMD is applied to spatio-temporal raw load consumption data, across different regions/cities in the U.S., in order to identify the effects and patterns that the COVID-19 outbreak caused in load consumption reduction across these regions. The $\Delta t$ values chosen are 1-hour and 1-day resolutions so that the variations of the patterns across the selected temporal scales can be easily translated to load consumption variations during the different COVID-19 related events.

The first step performed in our examination is a spatio-temporal analysis designed to capture the variations in load consumption patterns between the years 2019 and 2020. As mentioned previously, we focus on the March-to-July time periods of the aforementioned years since these were the periods when COVID-19-related actions, such as SoE and SAHO, were in full execution. To perform the proposed DMD analysis, we processed and organized the raw load consumption data from the seven different regions (cities) across the U.S.
This data is used to create the $X$ and $X'$ matrices, where $m$ (temporal snapshots) represents different days in the time period evaluated (March 1 to July 8th), and $n$ (spatial) represents the different regions/cities evaluated (LA, Chicago, NYC, MISO-Central, Boston, KCK, and Houston). Fig. 3 shows the raw data and outputs of the DMD process executed using the 2019 and 2020 load consumption data, respectively. As seen in this figure, there are significant differences in the load consumption from the years 2019 and 2020 for most of the cities evaluated. By analyzing the temporal and spatial modes identified by the DMD process, we can characterize how the COVID-19 countermeasures impacted load consumption patterns in the seven studied regions. In essence, we can observe, through load consumption data, how COVID-19 was spreading through the U.S. and along the response timeline. In addition, we can also observe that, from the seven cities analyzed, NYC was one of the most affected regions in terms of significant load variation across the U.S. Cross-referencing these results with the timeline presented in Fig. 1, Fig. 3 clearly depicts how this low load-valley period is more prominent during the NYC SoE and SAHO events.

The second analysis using the DMD approach is performed based on temporal load consumption data available from NYC. According to the statistical analysis performed in the previous subsection and the spatio-temporal DMD analysis of all the U.S. regions, the NY region was one of the most affected by the COVID-19 lockdown measures in terms of load consumption variation. In Fig. 4, it can be observed how the DMD process is applied in order to identify temporal modes for load consumption during the daily 24 hours and, at the same time, identify the temporal modes at a slower frequency rate (i.e., 1-day resolution) during the March-to-July time periods of 2019 and 2020.
The lower left side of the figure shows the eigenvalues, identified modes, and eigenvalue spectrum outputted by the DMD process, while the right side shows the reconstructions of some of the most prominent modes that characterize each temporal domain. Noticeable differences between the 2019 and 2020 load consumption can be seen in the figures shown on the right side. For example, based on modes 1 to 3, we observe how the 2020 data is significantly lower (represented with a darker blue) during the morning hours of the day, while modes 5 to 8 show how the evening load is flattened out as the lockdown measures were implemented during the COVID-19 response timeline. On the other hand, the plot reconstructing modes 9 to 12 shows a clear side-by-side comparison that demonstrates how, during the same time period of 2019 vs. 2020, load demand significantly decreased as the COVID-19 outbreak worsened throughout NYC.

Based on all the analyses conducted, further investigations are carried out to evaluate the impact of the lockdown measures in NYC, i.e., the most affected city during the analyzed period. Fig. 5 and Fig. 6 show heatmaps comparing the normalized load consumption of NYC during the March 1st to June 30th time period. The vertical axis represents the different days in the period and the horizontal axis represents the time of the day. As seen, there is a clear difference between the same periods during 2019 (pre COVID-19 pandemic) and 2020 (during the COVID-19 pandemic). It can also be observed that the most significant variations in load demand reduction are concentrated during the SAHO declared in NYC, which began on March 22 and ended on May 15, as seen in the presented timeline (Fig. 1). The variation observed during this period can be characterized by a 20% to 30% reduction in load demand during weekdays.
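The DMD steps described earlier (SVD of the snapshot matrix, reduced operator, eigendecomposition, modes Φ), as an added Python example that is not the authors' code. It uses the standard exact-DMD formulas, assumed here to match the paper's equations, on a constructed seven-region daily load matrix; the function names, the region weights and the use of NumPy are choices of this example.

```python
import numpy as np

# Region order as listed in the text; all load values below are constructed.
REGIONS = ["LA", "Chicago", "NYC", "MISO-Central", "Boston", "KCK", "Houston"]


def constructed_load(days=60):
    """Constructed (not real) normalized daily load, one row per region.

    Each row = constant level + decaying transient (demand settling to a
    lower level) + weekly cycle. NYC gets the largest transient weight.
    """
    k = np.arange(days)
    theta = 2 * np.pi / 7                      # weekly cycle at 1-day resolution
    base = np.array([1.00, 0.90, 0.80, 0.95, 0.70, 0.60, 0.85])
    drop = np.array([0.05, 0.10, 0.30, 0.12, 0.15, 0.04, 0.06])
    wk_c = np.array([0.03, 0.02, 0.05, 0.01, 0.04, 0.02, 0.03])
    wk_s = np.array([0.01, 0.03, -0.02, 0.02, 0.00, 0.01, -0.01])
    return (np.outer(base, np.ones(days)) + np.outer(drop, 0.97 ** k)
            + np.outer(wk_c, np.cos(theta * k))
            + np.outer(wk_s, np.sin(theta * k)))


def dmd(snapshots, r):
    """Exact DMD of an n x m snapshot matrix, truncated to rank r."""
    X, Xp = snapshots[:, :-1], snapshots[:, 1:]        # X and shifted X'
    U, s, Vh = np.linalg.svd(X, full_matrices=False)   # step 1: X = U S V*
    U, s, V = U[:, :r], s[:r], Vh[:r].conj().T
    A_tilde = (U.conj().T @ Xp @ V) / s                # step 2: U* X' V S^-1
    lam, W = np.linalg.eig(A_tilde)                    # step 3: A~ W = W L
    Phi = ((Xp @ V) / s) @ W                           # step 4: X' V S^-1 W
    return lam, Phi


def describe_modes(lam, dt=1.0):
    """(growth factor per step, oscillation period in units of dt) per mode."""
    out = []
    for value in lam:
        angle = abs(np.angle(value))
        period = float("inf") if angle < 1e-9 else 2 * np.pi * dt / angle
        out.append((float(abs(value)), period))
    return out


def dominant_region(Phi, j):
    """Region with the largest weight in spatial mode j."""
    return REGIONS[int(np.argmax(np.abs(Phi[:, j])))]


def reconstruct(lam, Phi, x0, steps):
    """Rebuild the time series from modes: x_k = Phi diag(lam^k) b."""
    b = np.linalg.lstsq(Phi, x0.astype(complex), rcond=None)[0]
    dynamics = b[:, None] * lam[:, None] ** np.arange(steps)
    return np.real(Phi @ dynamics)


if __name__ == "__main__":
    data = constructed_load()
    lam, Phi = dmd(data, r=4)
    for j, (growth, period) in enumerate(describe_modes(lam)):
        print(f"mode {j}: growth={growth:.4f} period_days={period:.2f} "
              f"dominant={dominant_region(Phi, j)}")
    err = np.max(np.abs(reconstruct(lam, Phi, data[:, 0], data.shape[1]) - data))
    print("max reconstruction error:", err)
```

An eigenvalue with magnitude below 1 and no oscillation marks the decaying transient, and the region with the largest entry in that mode is where the transient is strongest.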
In order to avoid bias from load changes due to non-pandemic-related events, we analyzed the weather conditions, and specifically temperature data, for NYC during the same period of time. Figs. 7 and 8 show the normalized temperature values for NYC during the period of March 1st to June 30th. The temperature data is normalized using -7.22 Celsius as the minimum value and 33.9 Celsius as the maximum value. Based on this data, four days are selected as candidates for investigating the feasibility of load-changing attacks due to low net-load demand conditions: April 9, April 10, April 11, and April 12. These days are selected due to their similarity in temperature values between 2019 and 2020 and because they fall inside the SAHO time period declared in New York. Choosing these days allowed us to discard temperature as a driving factor of the significant variation in electricity consumption, and helped us to focus on the possible repercussions a pandemic-type event, such as the one being experienced, could cause in the cyberphysical security of EPS. To characterize the temperature similarities between the days during the March 1st to June 30th period, average percentage differences are calculated between the respective days of 2019 and 2020. From the 122 days analyzed in the aforementioned time period, April 11 is under 10% of the days that had lower average temperature differences between 2019 and 2020. April 12 is under 20%, April 9 is under 35%, and April 10 lies under 50% of the days that had lower average temperature differences between 2019 and 2020. In addition, we also took into account that April 9 and 10 were weekdays while April 11 and 12 from 2020 were weekend days.

Modern EPS integrate different technologies, such as intelligent controls and real-time measurement devices, providing system operators with real-time visibility and thus improving system security, stability, and reliability.
However, this integration can be a double-edged sword, since the use of more interconnected IoT devices exposes the power grid to new cyberattack vectors, completely altering the threat model. As more high-wattage loads are equipped with IoT devices, the feasibility of a load-changing attack significantly increases. In this section, we focus on describing load-changing attacks that can be performed by attackers with sufficient motivation, capabilities, and resources to cause major disturbances in transmission and distribution systems via the use of botnets capable of simultaneously controlling large groups of high-wattage loads and DERs.

In this work, we consider an attacker capable of leveraging vulnerabilities of IoT devices to compromise and control high-wattage appliances, such as HVACs, water heaters, or EV chargers. By simultaneously switching on and off or granularly adjusting the power consumption of hundreds or thousands of compromised devices, the attacker may be able to cause severe adverse impacts, such as frequency instabilities and over/under voltage conditions, in the CPES. Table II shows the threat model used for the load-changing attack according to the assumptions and related work in the area. As observed, for the load-changing attack, the attacker can be considered as an oblivious (i.e., no detailed knowledge of EPS topology) or semi-oblivious (i.e., has limited information of the EPS topology) adversary. In addition, since the attack can be performed through IoT-connected devices, no possession is required. This means that the attacker does not need to physically possess the attacked device(s) since they can be compromised through the communication network. For specificity, the attack is considered a targeted attack since the adversary's targets are devices (e.g., IoT-connected high-wattage loads) capable of directly affecting the power grid and possibly causing instabilities that could lead to blackouts and frequency fluctuations in the system.
In layman's terms, specificity relates to how specific the attack is, i.e., targeted or non-targeted. As for adversary's resources, in the investigated load-changing attack, we consider a Class II adversary categorization, where Class I represents an adversary that does need and/or has sufficient resources to carry out very complex attacks without being detected, and Class II represents an adversary that needs and/or disposes of sufficient motivation and resources to materialize the coordinated load-changing attack without being easily detected. This Class II categorization is assumed due to the complexity related to performing a coordinated load-changing attack capable of simultaneously affecting multiple load zones in the power grid that could cause significant damage in the system. This type of attack differs from the dilettante attack mechanism in [12] and requires significant resources and knowledge, such as the appropriate instruments and training for being able to infect and/or compromise multiple high-impact load zones, to be effectively carried out. In addition, the load-changing attack is considered to have an iterative attack frequency and a multiple-times reproducibility in terms of the attack model formulation of the threat modeling approach. This means that the attack needs to be performed in an iterative manner, i.e., the adversary must attack multiple loads and iteratively change their set-points in order to accomplish the desired effect of destabilizing the system (iterative attack). Also, the attack is considered a multiple-times attack since it can be performed or reproduced multiple times before being detected and mitigated by operators. Furthermore, the attack level in the attack model formulation is considered as a Level 1 (L1) or Level 2 (L2) attack according to the level at which the vulnerable assets (e.g., smart HVACs, IoT-connected motors, PLCs, HMIs, breakers, controllers, etc.) are compromised.
These levels can be at the industrial network layer or the local network layer. The attack technique describes the attack method used by the adversary. In the case of the load-changing attack considered, the attack technique is assumed to be a modification of control logic or a wired/wireless compromise of the controllable loads that affects the integrity of the data in the system. The load-changing attack is considered as a subset of data integrity attacks (DIA) due to the fact that the attack is targeted at affecting the integrity of either the system's measurements (e.g., current, voltage, power, or status measurements) or the system's controls (e.g., power set-points or status control changes, etc.). Finally, the premise of the attack is related to the integrity of the cyber-system, i.e., how the attack affects primarily the integrity of the ICT devices that make

The load-changing attack presented in this work can be characterized as a DIA-type of attack. In order to present its mathematical formulation, we first consider a cyberphysical system (CPS) plant described by: where $x(k) \in \mathbb{R}^{n}$ represents the physical system's states, $u(k) \in \mathbb{R}^{l}$ represents the control variables, and $y(k) \in \mathbb{R}^{m}$ represents the system's measurements. The matrices $G \in \mathbb{R}^{n \times n}$, $B \in \mathbb{R}^{n \times l}$, and $C \in \mathbb{R}^{m \times n}$ represent the system, input, and output matrices, respectively. The system input measurement noise is represented by the term $e \in \mathbb{R}^{m}$. The cyber-system of the CPS can be generally expressed as: $H \in \mathbb{R}^{l \times m}$ represents the control matrix [32]. Fig. 9 shows a diagram that depicts the variables affected by the DIA load-changing attack in the CPS structure.

Figure 9: Diagram of CPS model and load-changing DIA cyberattack.

As observed in Fig. 9, in a DIA, either the measurements ($y$) or the controls ($u$) could be compromised by the adversary via fabrication or modification.
More specifically, for a load-changing attack, the controls ($u$) of the IoT-controllable loads are 'altered/attacked' as: $u_a = u + \Delta u$ (12) where $u_a$ represents the 'altered/attacked' control variables, $u$ represents the original control variables, and $\Delta u$ represents the variations injected by the adversary in the control variables. This modification of controls affects the CPS by: $y_a = C\big[x(k+1) + B\Delta u(k)\big] + e(k+1)$ where $y_a$ and $x_a$ represent the input measurements and states of the CPS affected by 'altered' control variables. Mapping the above formulation to a load-changing attack, we can modify the term $u_a$ so it represents 'altered' load demand in a CPES as follows: where $p$ represents the controllable load demand in the system, $p_i$ is the initial 'un-altered' load demand, $\Delta p$ represents the portion of the total load demand affected by the load-changing attack, and $p_a$ represents the total load demand 'altered' by the load-changing attack at one bus. If the attackers simultaneously compromise more than one load/bus in the system, Eq. (15) can be extended as: $p_{a,n}(k) + P_{loss}$ (16) where $P_T$ represents the total demand in the system, $m$ is the number of total 'unaltered' loads in the system, $n$ is the total number of loads compromised by adversaries, and $P_{loss}$ represents the total losses. Due to the network power balance, to maintain frequency stability, the sum of all the generation needs to be approximately equal to the total demand and losses in the system: where $N_g$ represents the number of $g$ generators in the system. Hence, in order to understand the effect of load changes in the frequency stability at each generator bus, we can investigate the swing equation, which describes the behavior of rotor dynamics in transient stability studies. The swing equations shown in Eq. (18)-Eq. (20) describe the relationship between the input mechanical power ($P_m$), output electrical power ($P_e$), and the rotational speed of the generator ($\omega$) [33].
The term $P_e$ is directly related to $P_g$ as seen in Eq. (21), since it represents the generator power output plus electrical losses of the generating unit.

2H ω s

$H$ represents the constant normalized inertia, $\omega_s$ is the synchronous speed (i.e., 50 or 60 Hz), and $\delta$ is the power angle. $V_s$ is the voltage at the generator bus, $V_r$ is the voltage at the receiving bus, and $X$ is the reactance based on the classical model of a generator. The relationship between the electrical frequency $\omega(t)$ and the power angle $\delta$ is shown in Eq. (19). Therefore, it is evident based on these relationships that any sudden change in load demand caused by high-wattage loads turning on/off in the CPES will affect $P_e$, and thus cause frequency fluctuations as seen in Eq. (20).

Before analyzing the feasibility of load-changing attacks in a system experiencing low net-load demand conditions such as the ones observed in our investigations, we first explore the operational challenges that exist in EPS and are related to load demand changes. According to the Electric Power Research Institute (EPRI) [34], there are different types of challenging operational conditions, related to net-load demand changes, that could cause steady-state or dynamic threats to the contingency security of EPS. These challenging operational conditions are:

1) Peak-demand conditions: Congested networks or generation capacity is limited.
2) Rapid change in demand or supply conditions: A rapid change in demand or supply. For example: morning demand ramps, PV-related net demand ramps, or sudden failure of EPS elements.
3) Low net-demand conditions: Periods when the system load demand is significantly reduced. During these periods, system voltages may rise and system inertia may be affected. Excess generation may be forced to remain online to meet the demand at a later time.
In addition to handling these operational challenges, system operators must provide protective mechanisms to resolve system instabilities, protect system assets, and maintain normal operations. Some of these mechanisms are, for example, underfrequency relays designed to trip when the system's frequency is lower than some predefined values. These predefined values are generally given as frequency bounds programmed into protection mechanisms, and thus are essential to determine the types of remedial actions needed to maintain system stability.

The North American Electric Reliability Corporation (NERC) is a nonprofit corporation that provides comprehensive standards for EPS operation in North America. More specifically, NERC requires power systems to operate within a frequency range of 59.5 Hz to 62.2 Hz. If the frequency is out of these bounding ranges, underfrequency or overfrequency protection relays trip parts of the system with the objective of protecting the respective system assets and the overall grid infrastructure [35]. Similarly, the Electric Reliability Council of Texas (ERCOT) sets its own frequency thresholds to be 59.3 Hz for underfrequency and 61.8 Hz for overfrequency, respectively. In addition, some system operators may have more complex protection mechanisms that provide rules to shed a certain percentage of the load in the system in case of frequency stability issues [36].

Since our load data and load-changing attack scenarios are based on NYISO and NYC, we utilize the operational standard (frequency thresholds) provided by NYISO. In comparison with NERC and ERCOT, NYISO has more strict criteria to mitigate underfrequency and overfrequency scenarios. NYISO defines a major system disturbance as any event that causes the frequency to drop below 59.9 Hz or increase over 60.1 Hz [37]. The specific thresholds given by NERC, ERCOT, and NYISO are provided in Table III.
More specifically, for underfrequency scenarios, NYISO requires fast UFLS to be performed at different percentages when the frequency is rapidly declining. Consecutive 7% load shedding is performed when the frequency drops below 59.5 Hz, 59.3 Hz, 59.1 Hz, and 58.9 Hz. At this point, if the frequency is still declining, transmission operators must take the necessary steps to minimize damage and service interruption. However, the UFLS required in ERCOT differs from the one applied in NYISO due to its different operational thresholds. In ERCOT, the UFLS starts at 59.3 Hz, where 5% of the system load is tripped. Then, an additional 10% of the load is tripped at 58.9 Hz and an additional 10% at 58.5 Hz. It is important to remember that the intent of UFLS is not to recover the frequency but to stop the frequency decline [38].

On the other hand, for overfrequency scenarios, both ERCOT and NYISO have similar procedures to follow in order to maintain compliance with the NERC Balancing Authority ACE Limit (BAAL) standard. Specifically for the NYISO case, a sustained high frequency of 60.10 Hz is considered an indication of a major load generation imbalance, and if it continues to decline it can be declared as a 'major emergency' [37]. In order to address this emergency, NYISO takes the following actions [37]:

1) Request all over-generating suppliers to adjust their generation and match schedules.
2) Reduce the applicable dispatchable generation to minimum operating limits.
3) Request internal generators to voluntarily operate in 'manual' mode and below minimum dispatchable levels.
4) Attempt to schedule variable load or storage to alleviate the problem.
5) Request reduction or cancellation of all transactions that are contributing to the imbalance event.
6) If the overgeneration (i.e., overfrequency) scenario persists, NYISO will declare a 'major emergency' and decommit applicable internal generators until the violation is eliminated.
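The swing-equation relation between $P_m$, $P_e$ and frequency and the protection thresholds quoted above can be exercised together. The following is an added example, not the paper's PSAT model: a single aggregate machine whose inertia constant, governor droop and governor lag are assumed illustrative values, checked against the NYISO disturbance band and the NYISO and ERCOT UFLS stages given in the text.

```python
from dataclasses import dataclass, field

F_NOM = 60.0                 # Hz, synchronous frequency
NYISO_BAND = (59.9, 60.1)    # NYISO "major system disturbance" limits quoted in the text
UFLS = {                     # (trip frequency in Hz, fraction of system load shed), from the text
    "NYISO": [(59.5, 0.07), (59.3, 0.07), (59.1, 0.07), (58.9, 0.07)],
    "ERCOT": [(59.3, 0.05), (58.9, 0.10), (58.5, 0.10)],
}


@dataclass
class Result:
    nadir_hz: float
    peak_hz: float
    tripped: list = field(default_factory=list)  # UFLS trip frequencies that operated
    shed_pu: float = 0.0
    major_disturbance: bool = False


def simulate(step_pu, scheme=None, load_pu=1.0, H=5.0, droop=0.05,
             t_gov=0.5, t_step=1.0, t_end=20.0, dt=0.01):
    """Integrate d(df)/dt = F_NOM / (2H) * (P_m - P_e) for one aggregate machine.

    step_pu > 0 connects load (P_e rises), step_pu < 0 disconnects load.
    H, droop and t_gov are assumed values, not parameters taken from the paper.
    """
    stages = list(UFLS.get(scheme, []))
    df = pm = shed = 0.0     # frequency deviation (Hz), governor output and shed load (p.u.)
    res = Result(F_NOM, F_NOM)
    for k in range(int(round(t_end / dt))):
        t = k * dt
        pe = (step_pu if t >= t_step else 0.0) - shed   # change in electrical demand
        ddf = F_NOM / (2.0 * H) * (pm - pe)             # swing equation, per unit
        dpm = (-df / (droop * F_NOM) - pm) / t_gov      # droop governor with first-order lag
        df, pm = df + dt * ddf, pm + dt * dpm           # explicit Euler step
        f = F_NOM + df
        res.nadir_hz = min(res.nadir_hz, f)
        res.peak_hz = max(res.peak_hz, f)
        while stages and f < stages[0][0]:              # each UFLS stage operates once
            trip_hz, fraction = stages.pop(0)
            shed += fraction * load_pu
            res.tripped.append(trip_hz)
    res.shed_pu = shed
    res.major_disturbance = (res.nadir_hz < NYISO_BAND[0]
                             or res.peak_hz > NYISO_BAND[1])
    return res


if __name__ == "__main__":
    for label, step, scheme in [("5% load lost", -0.05, None),
                                ("25% load added, no UFLS", 0.25, None),
                                ("25% load added, NYISO UFLS", 0.25, "NYISO"),
                                ("25% load added, ERCOT UFLS", 0.25, "ERCOT")]:
        r = simulate(step, scheme)
        print(f"{label}: nadir {r.nadir_hz:.3f} Hz, peak {r.peak_hz:.3f} Hz, "
              f"stages {r.tripped}, major disturbance {r.major_disturbance}")
```

With these assumed parameters, a sudden 5% loss of load already pushes the frequency above the 60.1 Hz NYISO limit, and the staged shedding arrests the decline after a load increase without restoring 60 Hz, which matches the stated intent of UFLS.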
In this section, we present the experimental setup used for evaluating the feasibility of a load-changing attack in a system such as NYISO during low load demand periods such as the ones encountered during the COVID-19 pandemic. As presented in Section II, four days are selected as candidates for investigating the feasibility of load-changing attacks during low net-load demand periods. These days are April 9, 10, 11, and 12 of 2019 and 2020. For our experimental analysis, 5-minute resolution load data are obtained from the 11 load zones that exist in NYISO. Due to the lack of NYISO topological information, we utilize NYISO load data, and the respective NYISO load zones are mapped to every load bus in the IEEE-14 bus test system [39], [40]. Below, we describe how to prepare the data in order to examine our load-changing attack case studies.

First, the mapping of the NYISO regions to the IEEE-14 bus system is performed as follows:

#11
9) I - DUNWOD → Bus #12
10) J - N.Y.C. → Bus #13
11) K - LONGIL → Bus #14

Fig. 10 shows the NYISO map with the corresponding mappings. In order to adapt the NYISO load values to the IEEE-14 test system, we performed a normalization process that consists of obtaining the average load consumption of each zone (based on historical data), calculating a ratio of load demand, and finally computing the corresponding load value for the IEEE-14 test system. Fig. 11 demonstrates all the steps of the process based on the WEST zone. All other regions follow the same process for computing their corresponding values.

The adapted version of the IEEE-14 bus test system, with its respective 2019 and 2020 load profiles, is modeled and evaluated using the Power System Analysis Toolbox (PSAT) [41]. PSAT is an open-source MATLAB toolbox specifically designed to perform power system analysis and simulation. Four 24-hour runs for the days April 9, 10, 11, and 12 are analyzed and inputted into the adapted IEEE-14 bus test system modeled in PSAT.
The objective of this study is to find times where the system could be more vulnerable to load-changing attacks due to low net-load demand conditions caused by action events of the COVID-19 pandemic lockdown. For each case study, or day analyzed, a preliminary analysis is conducted to determine the time of day when the 2020 system is more vulnerable (i.e., has lower demand) than the 2019 system, and also to determine the loads (or buses) that have the highest impact on the frequency stability of the system. In other words, this analysis indicates the period where the biggest difference in the total load demand of the system exists, when comparing 2019 and 2020 load profiles, and then clearly shows which buses, if compromised, would have the highest impact in the 2020 system.

Figure 11: Normalization process for IEEE 14 test system using NYISO load data.

The total load demand difference is calculated by subtracting the total load demand of 2020 from the total load demand of 2019:

where $LD$ is the total load demand difference between 2019 and 2020, and $TL$ is the total load demand of the respective years. Additionally, in order to determine the buses (or loads) that, if compromised, would have the highest impact on the 2020 system when compared to the 2019 system, a ratio of the load at each bus and the total load for the specific year (i.e., 2019 or 2020) is calculated. Then, these ratios are subtracted to compute the load impact index difference (LIID) for each individual bus in the system as seen in Eq. (23).

where $L$ is the load at the respective load $i$ for the respective year, 2019 or 2020. It should be noted that all the values used in this analysis are in per unit (p.u.). After the preliminary analysis is conducted and the 'ideal' period of time to attack the system is identified, a load-changing attack is conducted in each selected day and period, while the frequency of the system is monitored.
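The two screening quantities described above, written out as an added example that is not the authors' code and that an operator could use to rank load buses for monitoring priority. Eq. (22) and Eq. (23) are not reproduced on this page, so the subtraction order for LIID (2019 ratio minus 2020 ratio) is an assumption inferred from how the text reads negative values; the bus names, the `ld_fraction` window parameter and all load values are constructed.

```python
# Constructed per-unit load profiles (six intervals, three buses); not NYISO data.
LOADS_2019 = {
    "bus3": [0.40, 0.42, 0.45, 0.44, 0.42, 0.40],
    "bus5": [0.10, 0.10, 0.12, 0.12, 0.10, 0.10],
    "bus9": [0.30, 0.30, 0.33, 0.34, 0.30, 0.30],
}
LOADS_2020 = {
    "bus3": [0.38, 0.38, 0.36, 0.36, 0.38, 0.38],
    "bus5": [0.10, 0.10, 0.11, 0.12, 0.10, 0.10],
    "bus9": [0.28, 0.28, 0.28, 0.30, 0.28, 0.28],
}


def totals(loads):
    """Total load TL(k) per interval, summed over all buses."""
    lengths = {len(series) for series in loads.values()}
    if len(lengths) != 1:
        raise ValueError("all bus profiles must cover the same intervals")
    return [sum(values) for values in zip(*loads.values())]


def load_difference(loads_2019, loads_2020):
    """LD(k) = TL_2019(k) - TL_2020(k), as described in the text."""
    t19, t20 = totals(loads_2019), totals(loads_2020)
    if len(t19) != len(t20):
        raise ValueError("both years must cover the same intervals")
    return [a - b for a, b in zip(t19, t20)]


def liid(loads_2019, loads_2020):
    """LIID_i(k) = L_i,2019(k)/TL_2019(k) - L_i,2020(k)/TL_2020(k).

    Assumed order: a negative value means bus i carries a larger share of
    the total load in 2020 than it did in 2019.
    """
    if loads_2019.keys() != loads_2020.keys():
        raise ValueError("both years must list the same buses")
    t19, t20 = totals(loads_2019), totals(loads_2020)
    return {
        bus: [loads_2019[bus][k] / t19[k] - loads_2020[bus][k] / t20[k]
              for k in range(len(t19))]
        for bus in loads_2019
    }


def screen(loads_2019, loads_2020, ld_fraction=0.75):
    """Report the LD peak window and whether the most negative LIID falls inside it.

    ld_fraction is a hypothetical knob: intervals with LD >= ld_fraction * max(LD)
    count as the high-LD window.
    """
    ld = load_difference(loads_2019, loads_2020)
    index = liid(loads_2019, loads_2020)
    peak = max(ld)
    window = [k for k, value in enumerate(ld) if value >= ld_fraction * peak]
    bus, k_min = min(((b, k) for b in index for k in range(len(ld))),
                     key=lambda bk: index[bk[0]][bk[1]])
    return {"ld_peak": peak, "ld_window": window, "bus": bus,
            "interval": k_min, "liid": index[bus][k_min],
            "aligned": k_min in window}


if __name__ == "__main__":
    print(screen(LOADS_2019, LOADS_2020))
```

An `aligned` result of `False` corresponds to the April 9 situation discussed below, where the LIID peak does not coincide with a high-LD period and no bus stands out.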
The selection of the compromised bus(es) for each case study depends on the results obtained in the preliminary analysis. More details regarding the specific case studies are presented below.

C. Case Study 1: April 9

1) Preliminary Analysis: A preliminary analysis is performed in order to identify the 'ideal' time period and bus(es) that would need the minimum effort to cause a high impact in the system when a load-changing attack is performed; or simply the period when a peak of LD matches with a negative peak in LIID. Figs. 12(a) and 13(a) show the LD and the LIID for April 9. Based on the results from the analysis, the periods when the highest difference in load demand between 2019 and 2020 arises are the hours between 6:30 am to 7:30 am and 4:30 pm to 6:00 pm. The highest LD value during the morning period is 0.309. However, in order to find the discussed 'ideal' period for the load-changing attack, we also need to find the most negative LIID value observed during the examined periods and then correlate it to the high LD value period observed in the LD graph. As seen in Fig. 13(a), the 'lowest' negative LIID values occur during the 11:30 am to 1:30 pm period, with a peak of -0.0248. Nonetheless, when correlating these two values, we can clearly see that our LIID peak period does not match with any of the two LD identified periods, so no bus(es) in the system can be identified as the one(s) that could cause a high impact in the 2020 system when compared to the 2019 system scenario. Any load-changing attack implemented in the 2020 system will have a similar effect on the 2019 system, making April 9 a difficult day to analyze in terms of how much more vulnerable the system is when low net-load demand conditions exist.

Figure 13: Load impact index difference (LIID) calculated for each bus in the system for the days: a) April 9, b) April 10, c) April 11, and d) April 12.
2) Load-changing attack Impact: According to the results of the preliminary analysis step, we recognized that for this particular day there are no time periods where an attacker could effectively compromise the frequency of the system when compared to 2019 with minimum effort. Both systems (2019 and 2020 scenarios) would have a fairly similar response, thus making it very hard to evaluate the feasibility of a load-changing attack when low net-loading conditions exist. This is indicated by the fact that the lowest (most negative) value of LIID does not align with the highest value of LD in the analyzed scenario. In a nutshell, April 9 is a day when an attacker would not see any significant differences between attacking a system with lower loading conditions, based on how the 2020 system scenario compares to the 2019 system scenario.

D. Case Study 2: April 10

1) Preliminary Analysis: Figs. 12(b) and 13(b) show the LD and the LIID for April 10. Based on these results, we identify that the period when the highest difference in load demand between 2019 and 2020 occurs is in the hours between 5:00 am and 10:00 am, more specifically, at 7:30 am when the LD value is 0.356. Following a similar approach as the one presented in the previous case study, we correlate the most negative LIID value of the analyzed day, which occurs between 8:30 am and 9:00 am (i.e., the negative peak of the purple line), with the period of maximum LD. It is worthwhile to remember that the negative LIID value tells us which bus(es) in the system will have the greatest impact in the 2020 system while requiring the minimum effort (minimum load change required) when compared to the 2019 system. Based on the observed correlation, we conclude that attacking bus #5 (purple line) between 8:30 am and 9:00 am (i.e., the negative peak of the purple line), together with bus #9 (light blue line), would cause the greatest impact on the frequency stability of the 2020 system scenario.
2) Load-changing attack Impact: Based on the preliminary analysis, we simulate a load-changing attack on the loads connected to bus #5 and bus #9 for both the 2019 and 2020 system scenarios. Fig. 14 shows the impact of the 5-second load-changing attack during 300 seconds (i.e., 5 minutes from 8:40 am to 8:45 am), where the load-changing attack is executed at 200 seconds. As seen in the graph, the frequency of the 2020 system scenario crosses the overfrequency NYISO limit of 60.1 Hz when the load-changing attack disconnects the compromised loads (i.e., loads at bus #5 and bus #9). On the other hand, the 2019 system scenario presents no overfrequency problems, and thus we can see that the low net-load demand of the 2020 system makes the implementation of a high-impact load-changing attack that could compromise the stability of the system more feasible. It should also be noted that a more sustained attack (e.g., a 1 or 5-minute attack) has the potential of causing more severe problems.

E. Case Study 3: April 11

1) Preliminary Analysis: Similar to April 10, April 11 seems to be a day where a load-changing attack could be feasible if mitigation measures are not taken. To confirm this, we perform the preliminary analysis and identify the highest LD values and the most negative LIID values based on Figs. 12(c) and 13(c). These figures show the LD and the LIID for April 11. Based on these results, the period when the highest difference in load demand between 2019 and 2020 exists is in the hours between 7:30 am and 3:00 pm. Similarly to the previous case study, in order to find the 'ideal' period for the load-changing attack, we need to find the most negative LIID value observed during the examined period and then correlate it to the high LD value period observed in the LD graph.
Correlating these two graphs, we observe that attacking bus #9 (light blue line) between 1:00 pm and 2:00 pm (i.e., the negative peak of the light blue line) would cause the greatest impact on the frequency stability of the 2020 system scenario.

2) Load-changing attack Impact: A load-changing attack on the load connected to bus #9 is implemented for both the 2019 and 2020 system scenarios, according to the results obtained in the preliminary analysis. Fig. 15 shows the impact of the 5-second load-changing attack during 300 seconds (i.e., 5 minutes from 1:40 pm to 1:45 pm), where the load-changing attack is executed at 200 seconds. This graph shows how the frequency of the 2020 system scenario crosses the overfrequency limit of 60.1 Hz and goes up to 60.5 Hz when the load-changing attack compromises the load connected at bus #9. In contrast, the 2019 system scenario presents no major overfrequency problems, so we can conclude again that the low net-load demand of the 2020 system makes the implementation of a high-impact load-changing attack that could negatively impact the stability of the system more feasible.

F. Case Study 4: April 12

1) Preliminary Analysis: Using a similar approach as the ones implemented in the previous case studies, a preliminary analysis is conducted to determine the 'ideal' time period to attack the April 12 system scenario. Figs. 12(d) and 13(d) show LD and the corresponding LIID values for April 12. As seen in these graphs, the period when the highest difference in load demand between 2019 and 2020 appears is in the hours between 6:30 am to 12:30 pm, with a peak value of 0.628 at 8:10 am. This period can be correlated to the period when the most negative LIID values are observed, which, in turn, is the period between 10:00 am and 11:30 am (i.e., the negative peak of the orange line with a peak negative value of -0.0257 at 10:35 am).
Using this information, we conclude that attacking bus #3 (orange line) between 10:00 am and 11:30 am would produce the greatest impact on the frequency stability of the 2020 system scenario, while requiring the minimum attacker's effort, when compared to the 2019 system.

2) Load-changing attack Impact: Following the same approach described in previous case studies and based on the preliminary analysis results, we perform a load-changing attack on the load connected to bus #3 for both the 2019 and 2020 system scenarios. Fig. 16 shows the impact of the 5-second load-changing attack during 300 seconds (i.e., 5 minutes from 10:33 am to 10:38 am), where the load-changing attack is executed at 200 seconds. Unlike the previous results, both the 2019 and 2020 systems have severe frequency stability problems, since the frequency peaks at around 64.02 Hz and 63.46 Hz for the 2019 and the 2020 system scenarios, respectively. Diving deeper into these results, we discovered that bus #3 is one of the most critical buses in the system because it represents an average of around 37% of the total load of the 2019 system scenario and 36% of the total load of the 2020 system scenario. The results shown in Fig. 16 clearly demonstrate that, no matter if the system is experiencing low loading conditions (2020 system) or not (2019 system), a load-changing attack that disconnects this high-impact load zone would cause severe frequency fluctuations. In a nutshell, an attacker with enough capabilities to perform an attack targeted at bus #3 of the analyzed system will cause severe problems in the frequency stability of the system.

This paper explores the feasibility of load-changing attacks in CPES that experience abnormal low loading conditions caused by events such as the COVID-19 pandemic and its corresponding lockdown measures.
We explore the differences in loading conditions of the main affected regions in the U.S. and analyze the abnormal load patterns caused by lockdown measures in these regions, with a primary focus on the NYISO region, by applying dynamic mode decomposition (DMD) to load consumption data from the years 2019 and 2020. Based on these analyses, we formulate a load-changing attack in CPES and further explore the feasibility of such an attack in a system experiencing the low loading patterns identified by the DMD process. Finally, we simulate and evaluate the impacts of load-changing attacks with low loading conditions (2020), when compared to the 2019 historical loading conditions, in a test grid system using NYISO data. Our results demonstrate that low loading conditions can be leveraged by attackers with the objective of compromising the frequency stability of power systems. Specifically, the presented case studies show that an attacker with sufficient resources and capabilities would require less effort to compromise a system experiencing low loading conditions such as the ones experienced during the COVID-19 pandemic of 2020.

Future work will focus on performing more complex studies considering unbalanced systems and distribution systems with high penetration of renewable energy systems. Systems with high penetration of renewable energy resources are expected, due to the impacted system inertia (removing synchronous power generators has the consequent result of less system inertia with impacts on transient and small-signal stability), to be more vulnerable to load-changing attacks when considering their effects in other system areas and control routines such as voltage regulation.
[1] Understanding the Mirai botnet
[2] Taxonomy of firmware trojans in smart grid devices
[3] When firmware modifications attack: A case study of embedded exploitation
[4] Impact of firmware modification attacks on power systems field devices
[5] ConFirm: Detecting firmware modifications in embedded systems using hardware performance counters
[6] Ghost domain names: Revoked yet still resolvable
[7] The White House warns on Russian router hacking, but muddles the message
[8] BlackIoT: IoT botnet of high wattage devices can disrupt the power grid
[9] How weaponizing disinformation can bring down a city's power grid
[10] Dynamic load altering attacks against power system stability: Attack models and protection schemes
[11] Grid shock: Coordinated load-changing attacks on power grids: The non-smart power grid is vulnerable to cyber attacks as well
[12] Public plug-in electric vehicles + grid data: Is a new cyberattack vector viable?
[13] Securing power distribution grid against power botnet attacks
[14] Sharing knowledge on electrical energy industry's first response to COVID-19
[15] Not everything is dark and gloomy: Power grid protections against IoT demand attacks
[16] COVID-19 impact on electricity
[17] COVID-19 related updates
[18] Cyber attack trends: 2020 mid-year report
[19] INTERPOL report shows alarming rate of cyberattacks during COVID-19
[20] Watch out for coronavirus phishing scams
[21] How hackers are using COVID-19 to find new phishing victims
[22] After 'Zoom bombings', other incidents, FBI warns of videoconferencing hijacking amid coronavirus
[23] 'Zoombombing' attacks disrupt classes
[24] Weekly internet health check, US and worldwide
[25] Cybersecurity to be a crucial priority in power utilities' agenda as threats continue to grow amid COVID-19, says GlobalData
[26] The US power sector has prevented millions of cyberattacks in 2020 - that takes 24/7 commitment
[27] A cross-domain approach to analyzing the short-run impact of COVID-19 on the US electricity sector
[28] Policy brief: COVID-19 in an urban world
[29] Progression of COVID-19 from urban to rural areas in the United States: A spatiotemporal analysis of prevalence rates
[30] Dynamic mode decomposition: data-driven modeling of complex systems
[31] Discovering dynamic patterns from infectious disease data using dynamic mode decomposition
[32] A novel data integrity attack detection algorithm based on improved grey relational analysis
[33] Power system analysis & design, SI version
[34] COVID-19: Flexibility and the Grid - improving available flexibility for abnormal grid operating conditions
[35] NERC reliability standard
[36] Section 2: System operations and control requirements
[37] NYISO emergency operations manual
[38] ERCOT fundamentals training manual
[39] A case study on implementing false data injection attacks against nonlinear state estimation
[40] Enhanced resilient state estimation using data-driven auxiliary models
[41] Power System Analysis Toolbox (PSAT)