Analysis of Cyber Attacks Against Micro-PMUs: The Case of Event Source Location Identification by Kamal, Mohasinina et al.
UC Office of the President
Recent Work
Title
Analysis of Cyber Attacks Against Micro-PMUs: The Case of Event Source Location 
Identification
Permalink
https://escholarship.org/uc/item/8vn3n09z
Authors
Kamal, Mohasinina
Farajollahi, Mohammad
Mohsenian-Rad, Hamed
Publication Date
2020-02-01
 
Peer reviewed
eScholarship.org Powered by the California Digital Library
University of California
1Analysis of Cyber Attacks Against Micro-PMUs:
The Case of Event Source Location Identification
Mohasinina Kamal, Student Member, IEEE, Mohammad Farajollahi, Student Member, IEEE,
Hamed Mohsenian-Rad, Senior Member, IEEE
Abstract— This paper investigates cyber-attacks against
distribution-level phasor measurement units, a.k.a., micro-PMUs.
The focus is on a specific use case of micro-PMUs for locating the
source of events in distribution systems. A method is proposed
to detect the attack, based on two different detection criteria.
Furthermore, a novel optimization-based algorithm is developed
to identify which micro-PMU(s) are compromised. Importantly,
the proposed attack detection and identification methods do not
require prior knowledge on the number and location of affected
micro-PMU(s). The proposed methods and algorithms are test
through computer simulations on the IEEE 33-bus test system.
Keywords: Micro-PMUs, event location, cyber attacks, attack
detection, attack identification, differential synchrophasors.
I. INTRODUCTION
Distribution-level phasor measurement units (PMUs), a.k.a.,
micro-PMUs, have recently found important applications in
power distribution systems [1]. One of such applications is
event source location identification (ESLI), which can be used
for asset monitoring, load modeling, etc., c.f. [2].
In this paper, we seek to answer the following questions:
1) What if the micro-PMUs are compromised via a cyber-
attack, such as a false data injection attack [3], how would
that affect the performance of the ESLI algorithms? 2) How
can we detect an attack against micro-PMUs in the context of
the ESLI problem? 3) Once an attack is detected, how can we
identify the exact micro-PMUs that are compromised?
A. Literature Review
Since micro-PMUs are an emerging sensor technology, their
applications are being explored only recently; and there is
very limited studies related to their cyber-security. In fact,
the majority of the studies in this field PMU cyber-security
focus on traditional PMUs at transmission level. A general
survey of cyber-security challenges in PMUs is presented in
[4]. In [5], a method is proposed to detect anomalies in PMU
data by continuously monitoring the equivalent impedances of
transmission lines obtained from PMU measurements. In [6],
an on-line data-driven attack detection algorithm is proposed
by utilizing spatio-temporal correlations among multiple time
instants of synchrophasor measurements across a transmission
network. In [7], a mixed integer linear program is developed
to disable compromised PMUs, such that the remaining PMUs
continue to maintain the observability of the power system,
while minimizing the probabilistic threat levels of the PMUs.
As for the few studies that have recently addressed cyber-
security in micro-PMUs, in [8] a hierarchical anomaly detection
This work is supported in part by UCOP grant LFR-18-548175. The
corresponding author is Hamed Mohsenian-Rad. E-mail: hamed@ece.ucr.edu.
method is proposed, which considers a set of rules as signatures,
along with an optimal placement algorithm for micro-PMUs,
to achieve the maximum sensitivity in detecting an anomaly
with limited number of sensors. Also, in [9], distribution-level
FACTS devices, i.e., D-FACTS, are used to detect false data
injection attacks on power grid state estimation.
Our approach here is fundamentally different from the studies
in [8], [10], because our focus is on utilizing certain inherent
aspects of the ESLI algorithms that can help evaluate the
impact of the attack on the event source location identification
results, detect the attack because of such impacts, and ultimately
identify the micro-PMU(s) that have been compromised.
B. Summary of Contributions
The contributions in this paper can be summarized as follows:
1) Starting from the basic ESLI algorithm in [2] which
utilizes micro-PMU measurements to locate the source
of events in distribution systems, we show the extent of
how injecting false data into the micro-PMUs can result
in the mis-identification of the event locations.
2) We develop a novel attack detection method, based on
two different detection criteria, where the decisions for
attack detection are carried out based on certain residual
calculations or a notion of checking consistency in results.
3) We also develop an optimization-based attack identifica-
tion algorithm to identify the number and the location(s)
of the compromised micro-PMU(s), once the presence
of an attack is detected. The technical characteristics of
the proposed methods are also discussed.
4) The analysis in this paper sheds lights on the impor-
tance of measuring both magnitude and phase angle in
distribution synchrophasors, as well as the importance
of protecting such measurements. Thus, this paper also
contributes to the ongoing efforts in the broader field of
understanding micro-PMU data and their applications.
II. ATTACK MODEL
The focus in this paper is on the specific application of micro-
PMUs in solving the Event Source Location Identification
(ESLI) problem, c.f. [2]. In this section, we first explain how
the ESLI method in [2] works. After that, we discuss how a
cyber-attack against micro-PMUs can affect the ESLI results,
i.e., causing a misidentification of the location of the event.
A. Background: Event Source Location Identification
Consider a distribution feeder. Suppose an event occurs
somewhere along this feeder. The event could be, a load
2Y1
Z1 Zn-1
∆Ik
∆Vn∆Vk
|V
d
|   V
d
|I
d
|    I
d
Z
u Z
d
∆V2 ∆Vn-1∆V1
∆I1
Y2
∆I2
Yk
∆Ik
Yn-1
∆In-1
Yn
∆In
Downstream
 
 
|V
u
|   V
u
|I
u
|    Iu
 
 
Upstream
Fig. 1: Representation of a distribution feeder based on compensation theorem equivalent circuit. Measurements are done by two micro-PMUs.
switching, a capacitor bank switching, a connection or dis-
connection of distributed energy resources (DERs), an inverter
malfunction, a minor fault, etc. The question in the ESLI
problem is the following: what is the location of the root cause
for a distribution-level event, i.e., at what exact distribution
bus does the load switching, capacitor bank switching, DER
connection/disconnection, or device malfunction occur?
As shown in [2], micro-PMUs play a major role in solving
the ESLI problem. Specifically, if a micro-PMU is installed at
the beginning of the feeder and another micro-PMU is installed
at the end of the feeder, then the synchronized voltage and
current phasor measurements from these two micro-PMUs can
be used to accurately identify the location of the event. This
can be done by taking a few steps, as we summarize next.
The first step is to construct the differential synchrophasors:
∆V = Vpost − Vpre,
∆I = Ipost − Ipre, (1)
where the pre- subscript indicates the measurements right before
the event and the post- subscript indicates the measurements
right after the event. By applying the compensation theorem
from circuit theory [11], we can construct an equivalent circuit
for the distribution feeder to analyze the event, as shown in
Fig. 1. Here, the feeder has n buses and the event occurs at bus
k, which is not known. Two micro-PMUs are installed at the
beginning and at the end of the feeder, denoted by superscript
u and superscript d, respectively. They are used to measure
the differential synchrophasors ∆V u, ∆Iu, ∆V d, ∆Id.
The second step is to use the equivalent circuit of the feeder
and calculate the differential nodal voltages at each bus, denoted
by ∆V1, · · · ,∆Vn; once by doing a forward calculation that
starts from micro-PMU u; and once by doing a backward
calculation that starts from micro-PMU d. Given the fact that
the location of the event, i.e., bus k, is unknown, we will end
up having the following correct and incorrect calculations:
{∆V f1 , · · · ,∆V fk−1,∆V fk ,︸ ︷︷ ︸
correct
∆V fk+1, · · · ,∆V fn }︸ ︷︷ ︸
incorrect
{∆V b1 , · · · ,∆V bk−1,︸ ︷︷ ︸
incorrect
∆V bk ,∆V
b
k+1, · · · ,∆V bn}︸ ︷︷ ︸
correct
.
(2)
From (2), if all measurements are accurate, then we must have
∆V fi = ∆V
b
i for i = k; and ∆V
f
i 6= ∆V bi for i 6= k.
Finally, the third step is to identify the location of the event
by identifying the bus which has the minimum discrepancy in
its calculated nodal voltages. In a general case, suppose m ≥ 2
ΔV
Vpost
 
Vpre
εpost
εpre
ΔVerr
Fig. 2: An illustration of how an attack against micro-PMU measurements can
affect calculating the differential nodal voltage synchrophasors.
micro-PMUs are available, one at the beginning of the feeder,
one at the end of the feeder, and one at the end of each lateral.
The location of the event is identified as
k = arg min
i
φi, (3)
where at each bus i, the discrepancy is defined as
φi =
m−1∑
j=1
m∑
s=j+1
||∆V ji −∆V si ||2. (4)
For the rest of this paper, we refer to the above three steps
as the ESLI algorithm, see [2] for more details.
B. Attack Against Micro-PMUs
Suppose one or more micro-PMUs are compromised. The
question is: how will it affect the performance of the ESLI
algorithm? To answer this question, consider the fact that the
ESLI algorithm is built on analyzing differential synchropha-
sors. Thus, what matters here is the impact of the attack not on
measuring phasors but rather on calculating differential phasors.
This issue is illustrated in Fig. 2. Suppose the pre-event and
the post-event voltage phasors are measured as
Vpre + pre (5)
and
Vpost + post, (6)
where pre and post are phasors indicating the injected error
into the pre-event and post-event readings of the micro-PMU.
The error in differential voltage phasor is obtained as
∆V err = Vpost + post − (Vpre + pre)
= ∆V + post − pre.
(7)
Thus, the key in affecting the ESLI algorithm is the value of
phasor post− pre. If pre and post are the same then the attack
3has no impact on the ESLI algorithm. However, in general,
post and pre are not the same; thus, ∆V err deviates from ∆V .
Such deviation is benign as long as it does not change the
solution of the argument minimization problem in (3).
III. ATTACK DETECTION AND IDENTIFICATION
In this section, we propose methods to be integrated into the
ESLI algorithm in order to detect and subsequently identify
attacks against micro-PMUs. Our proposed methods are built
directly upon the way that the ESLI algorithm works. Therefore,
it can be easily integrated into the ESLI algorithm.
Recall from Section II that, if all measurements are accurate,
then the minimum discrepancy, i.e., φk, which is the optimal
objective value of the argument minimization problem in (3),
must be close to zero. A larger value of φk could be an
indication of bad data, which includes the case where one or
multiple micro-PMUs are compromised. Therefore, we may
detect an attack in the ESLI algorithm if the following holds:
I(φk > δ) = 1, (8)
where I(.) is the indicator function, which is 1 if φk > δ; and
0 otherwise. The value of the threshold δ can be set as:
Prob(φi > δ : φi is chi-squared) = α, (9)
where α is a predetermined parameter which represents the
probability of the presence of an attack vector.
Note that, the above method simply indicates that the results
in calculating the differential synchrophasors are inconsistent
with each other. Therefore, further inspection is needed in order
identify the root cause of the observed inconsistency.
The inconsistency in calculating differential synchrophasors
can be quantitatively measured also by using a notion of
variance, which at each bus i can be defined as:
Var{∆Vi}M = 1
m
m∑
l=1
(∆V li )
2 −
(
1
m
m∑
l=1
∆V li
)2
, (10)
where ∆V li denotes the differential phasor at bus i that is
calculated by solving the equivalent circuit starting from micro-
PMU l, where l = 1, . . . ,m. Here, M denotes the set of all
buses with micro-PMUs. The cardinality of set M is m.
As an alternative to (8), we can detect an attack also by
checking the above variance, i.e., when the following holds:
I (Var{∆Vi} > σ) , ∃ i, (11)
where σ is a known parameter, which is calculated by analyzing
the attack and non-attack cases. Note that, both (8) and (11)
seek to detect inconsistency in the measurements from different
micro-PMUs with respect to the ESLI algorithm. However, this
is done directly in (11), but indirectly in (8), where it checks for
inconsistency in calculating the minimum discrepancy solution.
Importantly, the notion of variance in (10) can be used also
to identify the attack, i.e., to identify which micro-PMU(s) are
causing the inconsistency. This can be done as we explain next.
Suppose we use the measurements from only a subset of
micro-PMUs, denoted by D ⊂ M , where the cardinality of
set D is d. Note that, d < m. The variance with respect
to the identification of the event bus location based on the
measurements that come from set D is obtained as:
Var{∆Vi}D = 1
d
d∑
l=1
(∆V li )
2 −
(
1
d
d∑
l=1
∆V li
)2
. (12)
Please notice the subscript M in (10) versus the subscript D
in (12). Accordingly, the basic idea in our proposed attack
identification method is to compare (12) with (10) to see if
the inconsistency is suddenly resolved, i.e., variance suddenly
drops, if we remove the measurements that come from the
micro-PMUs in set M\D. In that case, we can argue that the
compromised micro-PMUs are either in set D or in set M\D.
Next, suppose we make a guess on the number of com-
promised micro-PMUs. That is, suppose we assume that the
number of compromised micro-PMUs is p. We would naturally
want to remove the measurements from these p micro-PMUs.
However, even if this is a correct guess, we still need to figure
out which micro-PMUs are compromised. We can resolve this
issue by solving the following optimization problem:
arg min
X
max
i
{
1
m− p
m∑
l=1
Xl(∆V
l
i)
2
−
(
1
m− p
m∑
l=1
Xl∆V
l
i
)2}
(13a)
subject to
m∑
l=1
Xl = m− p (13b)
Xl ∈ {0, 1}, l = 1, . . . ,m. (13c)
Here, vector X is binary and it has m rows. For each l =
1, . . . ,m, if Xl = 0 then we remove the measurements from
micro-PMU l. In this regard, the constraint in (13b) is to make
sure that we always use the measurements from exactly m− p
micro-PMUs, i.e., we remove the measurements from exactly
p micro-PMUs. As for the objective function, it indicates
the maximum variance, across all buses, in calculating the
differential nodal voltage synchrophasors. Our goal here is
to remove the measurements from exactly p micro-PMUs to
achieve the minimum variance, i.e., the minimum inconsistency
in calculating the differential nodal voltage synchrophasors.
Since the binary-relaxation of problem (13) is convex, it can
be solved using software such as CVX (http://cvxr.com/cvx/).
If our initial assumption regarding the choice of parameter
p is correct, then by solving problem (13) we identify which
micro-PMUs are compromised, as long as we have:
p ≤ b(m− 1)/2c. (14)
Next, we need a mechanism to identify the number of
compromised micro-PMUs. This can be done by applying
a sensitivity analysis, similar to the one in [12]. In this regard,
suppose F (p) denotes the optimal objective value in problem
(13) for a given parameter p, where p is upper-bounded as
in (14). Note that, by construction, F (p) is a non-increasing
function of p. Accordingly, let us define a normalized version
of function F (p), denoted by N(p), as follows:
N(p) =
{
1, if p = 0
F (p)/F (0), if p 6= 0 (15)
4Sub.
Micro-PMU 1
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18
19 20 21 22 26 27 28 29 30 31 32 33
23 24 25
Micro-PMU 2
Micro-PMU 3
Micro-PMU 5
Micro-PMU 4
Fig. 3: The IEEE 33-bus test system that is used in our case studies. The micro-PMUs are deployed at the end of main feeder and laterals [2].
Algorithm 1 Attack Detection and Identification
1: Run ESLI Algorithm.
2: P = { }; p = 0;
3: if conditions (8) or (11) hold then
4: for p = 1 to b(m− 1)/2c do
5: Solve the optimization problem (13).
6: if condition (17) holds then
7: Set P to include all l for which Xl = 0.
8: Set p as the cardinality of P .
9: break;
10: end if
11: end for
12: end if
13: return P , p
Note that, F (0) is essentially the same as the maximum of the
variance in (10) across all buses. That is, we have:
F (0) = max
i
Var{∆Vi}M . (16)
Since the non-increasing function N(p) starts from 1 and
gradually approaches 0, one can determine parameter p by
applying a horizontal cut to function N(p) at a proper threshold
(0 < µ < 1), for which the following condition holds:{
N(p)− 1 > µ
N(p) ≤ µ. (17)
In this regard, parameter µ can be selected by using historical
data of different fault and attack scenarios, so as to maintain a
desirable sensitivity of the identification system.
The proposed attack detection and identification method is
summarized as in Algorithm 1. This algorithm returns set P
as the set of identified compromised micro-PMUs; and its
cardinality p. If no attack is detected then P = { } and p = 0.
IV. CASE STUDIES
The performance of our proposed method is examined on
the IEEE 33-bus test system, as shown in Fig. 3.
A. Impact of Attack
Suppose micro-PMU 2 is compromised. Fig. 4 shows the
results when the attack injects errors into the measured voltage
magnitude at this micro-PMU. When the injected error is zero,
the ESLI algorithm identifies the correct event location, which
is at bus 10. However, once we inject error into the voltage
7 8 9 10 11 12 13
Identified Event Bus
-1
-0.8
-0.6
-0.4
-0.2
0
0.2
0.4
0.6
0.8
1
Ad
de
d 
m
ag
ni
tu
de
 in
 p
.u
.
10-3
Fig. 4: The identified event location by the ESLI algorithm under various levels
of injected error into the voltage magnitude at micro-PMU 2. The true event
location is bus 10. The injected errors cause incorrect location identification.
7 8 9 10 11 12 13 14
Identified Event Bus
-200
-150
-100
-50
0
50
100
150
200
Ad
de
d 
ph
as
e 
an
gl
e 
in
 d
eg
re
e
Fig. 5: The identified event location by the ESLI algorithm under various
levels of injected error into the voltage phase angles at micro-PMU 2. The
injected error into the voltage magnitude is fixed at 8× 10−4 per unit.
magnitude, the ESLI algorithm results in incorrect location
identification, either to the left to buses 9, 8, 7, or to the right
to buses 11, 12, 13. The direction and extent of deviation from
the correct bus depends on the sign and size of the error.
Next, consider the results in Fig. 5, where the attack injects
errors into the measured voltage phase angle. There is also a
small but fixed injected error into the voltage magnitude at
8× 10−4 per unit. We again see that the attack can result in
major mis-identification of the event bus. The results in this
figure however are not as monotone as those in Fig. 4.
51 3 5 7 9 11 13 15 17 19 21 23 25 27 29 31 33
Bus numbers
0
2
4
6
8
10
12
14
16
i
No Attack
Attack
k  0 k
 > 
Fig. 6: The discrepancy index φi across all buses.
Fig. 7: Distribution of φk under (a) no attack; and (b) attack.
B. Analysis of Attack Detection
Again, suppose only micro-PMU 2 is compromised. Fig.
6 shows the profile for the discrepancy index φi across all
buses, once without an attack and once with an attack. From
(3), the minimum of each curve is where the ESLI algorithm
identifies as the location of the attack. Under the attack, the
event location is identified incorrectly at bus 26. However, the
more important observation is that, the minimum discrepancy,
i.e., φk, is almost zero when there is no attack, but it is a large
number when there is an attack. And that’s exactly the idea
behind using (8) to detect the attack. Of course, parameter δ
should be selected such that it can distinguish the difference
between the value of φk in the two curves. This can be done
using (9). From the distribution of φk in Fig. 7, we use δ = 0.2.
C. Analysis of Attack Identification
Here, we study two cases, and the results are shown in
Figs. 8(a) and (b), respectively. In case I, only micro-PMU
3 is compromised. In Case II, micro-PMUs 3 and 5, are
compromised. By choosing µ = 0.1, the number and location(s)
of the compromised micro-PMU(s) are identified correctly in
both cases. Algorithm 1 returns P = {3} and p = 1 in Case I
and P = {3, 5} and p = 2 in Case II; which are all correct.
0 1 2
Number of hacked micro-PMUs (p)
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
N
(p)
(a)
0 1 2
Number of hacked micro-PMUs (p)
0
0.1
0.2
0.3
0.4
0.5
0.6
0.7
0.8
0.9
1
N
(p)
(b)
 = 0.1 = 0.1
Fig. 8: Function N(p) for attack identification: (a) Case I and (b) Case II.
V. CONCLUSIONS
In this paper, a novel methodology and algorithm is proposed
to detect the presence of an attack against micro-PMUs and
also to identify which micro-PMUs are compromised; both for
the application of micro-PMUs in solving the ESLI problem.
The proposed methods are built upon the way that the basic
ESLI algorithms work. Therefore, they can be easily integrated
into the existing ESLI algorithms. Case studies are presented
to evaluate the performance of the proposed methods and
their characteristics. It is shown that they are effective in both
detecting and identifying the attacks against micro-PMUs.
REFERENCES
[1] H. Mohsenian-Rad, E. Stewart, and E. Cortez, “Distribution synchropha-
sors: Pairing big data with analytics to create actionable information,”
IEEE Power and Energy Magazine, vol. 16, no. 3, pp. 26–34, May 2018.
[2] M. Farajollahi, A. Shahsavari, E. M. Stewart, and H. Mohsenian-Rad,
“Locating the source of events in power distribution systems using micro-
pmu data,” IEEE Trans. on Power Systems, vol. 33, no. 6, Nov 2018.
[3] H. Sandberg, A. Teixeira, and K. H. Johansson, “On security indices
for state estimators in power networks,” in First Workshop on Secure
Control Systems (SCS), Stockholm, Sweden, Apr. 2010.
[4] A. Sundararajan, K. Tanwir, A. Moghadasi, and A. I. Sarwat, “Survey on
synchrophasor data quality and cybersecurity challenges, and evaluation
of their interdependencies,” Journal of Modern Power Systems and Clean
Energy, vol. 7, no. 3, pp. 449–467, May 2019.
[5] S. Pal, B. Sikdar, and J. H. Chow, “Classification and detection of pmu
data manipulation attacks using transmission line parameters,” IEEE
Trans. on Smart Grid, vol. 9, no. 5, pp. 5057–5066, Sep 2017.
[6] M. Wu and L. Xie, “Online detection of false data injection attacks to
synchrophasor measurements: A data-driven approach,” in Proc. of the
50th Hawaii international conference on system sciences, HI, Jan. 2017.
[7] S. Mousavian, J. Valenzuela, and J. Wang, “A probabilistic risk mitigation
model for cyber-attacks to PMU networks,” IEEE Trans. on Power
Systems, vol. 30, no. 1, pp. 156–165, Jan 2015.
[8] M. Jamei, A. Scaglione, C. Roberts, E. Stewart, S. Peisert, C. McParland,
and A. McEachern, “Anomaly detection using optimally placed micro-
pmu sensors in distribution grids,” IEEE Trans. on Power Systems, vol. 33,
no. 4, pp. 3611–3623, July 2018.
[9] B. Li, G. Xiao, R. Lu, R. Deng, and H. Bao, “On feasibility and limitations
of detecting false data injection attacks on power grid state estimation
using D-FACTS devices,” IEEE Trans. on Ind. Informatics, June 2019.
[10] T. Sreeram and S. Krishna, “Managing false data injection attacks during
contingency of secured meters,” IEEE Trans. on Smart Grid, May 2019.
[11] K. S. Kumar, Electric circuits and networks. Pearson, India, 2009.
[12] S. Amini, F. Pasqualetti, M. Abbaszadeh, and H. Mohsenian-Rad,
“Hierarchical location identification of destabilizing faults and attacks in
power systems: A frequency-domain approach,” IEEE Trans. on Smart
Grid, vol. 10, no. 2, pp. 2036–2045, March 2017.
