Cyber–physical security for on-going smart grid initiatives: a survey

The smart grid is an upgraded concept of electricity network with tight coupling among information, control, and bi-directional communication technologies. Along with the salient features of the on-going smart grid, cyber–physical security appears to be a deep concern due to its significant dependence on sensing technologies, complex networks of computers, intelligence, and wide-area communication infrastructures. Moreover, the smart grid is an extensive critical infrastructure and is vulnerable to coordinated cyber–physical attacks. As a result, cyber–physical attacks pose significant threats to the confidentiality and integrity of the power data and lead to power outages, cascading failures, and unnecessary expenditure. In this study, security issues of the smart grid, including cyber–physical interdependency, attack varieties, detection methods, requirements, standards, challenges, and future prospects, are taken into consideration for both cyber and physical systems, aiming to provide an extensive understanding of vulnerabilities and solutions for the smart power grid. By revealing the inherent features of cyber–physical security in the smart grid, this survey is intended to facilitate future research in these two areas.


Introduction
The smart grid (SG) is an electric network that combines communication, control, and intelligent monitoring systems and uses innovative, self-healing technologies to deliver better functionality. The SG uses advanced technologies such as cloud computing, big data, and the internet of things (IoT) to maintain a secure and complex cyber-physical system [1]. Usually, the traditional electricity grid consists of high-voltage transmission lines and low-voltage distribution lines. The power stations connect with the substations through high-voltage transmission lines, and substations connect with neighbourhoods through low-voltage distribution lines. The main components of the SG are the traditional electricity grid and the data communication layer. The data communication layer enables the digital communications of the modern electricity grid [2]. Also, the on-going SG allows cost reduction and lower energy consumption through smart appliances. A smart meter supports distribution, dynamic load management, and real-time monitoring of energy use. Hence, the modern power grid is an essential part of human life and is plausibly the largest engineering undertaking in the world.
The SG incorporates several computing and communication devices, smart meters, and real-time control of electric appliances that facilitate real-time communication between various components. Those intelligent components monitor power usage and report to the centralised computer in digital format. The combination of cyber systems (communication, information technology (IT), security, and automated control infrastructures) and physical systems leads to the development of cyber-physical systems. Each system is regulated by its own physical and logical regulations, protocols, standards, and features [3,4]. In this way, the SG combines information and communication technology (ICT) to achieve smoother power system operation and control [5][6][7][8][9][10], but it is susceptible to malicious attacks [11][12][13][14][15][16][17]. ICT introduces security risks and vulnerability to cyber-physical attacks [18]. Therefore, cyber-physical security is an essential part of the SG. Also, the risk of cyber-physical attack is a serious matter for human society, where an intruder can attempt to locate and exploit weaknesses in the modern power grid to promote political interests or gain self-benefit [19]. In several research works, governmental and non-governmental bodies have drawn attention to the susceptibility of power grids in terms of cyber-physical security [20]. For example, the North American Electric Reliability Corporation Critical Infrastructure Protection standards 002-009 identified the insufficiency of protection for critical cyber infrastructure in power systems [21]. In recent times, the components of the advanced metering infrastructure (AMI) and the supervisory control and data acquisition (SCADA) system have become serious targets. An adversary can therefore manipulate smart meters or compromise sensors for economic benefit in the electricity market. Also, sophisticated groups are highly motivated to perform coordinated attacks instead of single attacks.
On the other hand, the internet and modern communication systems assist distributed groups in implementing cyber-physical attacks on critical infrastructure [22].
Cyber-physical interdependence means that the true output of the power elements or the entire physical system relies on the proper functioning of the cyber system and its components. The interdependence between the cyber and physical worlds is growing continuously and imposes remarkable challenges [23]. History shows the vulnerability of industrial control systems and the victims of cyber-attacks. In 2003, Canada and some regions of the United States experienced a power blackout for four days, which affected nearly 50 million people and 61,800 MW of power [24]. This massive blackout was caused by a failure of a software programme [25]. In the same year, 2003, Italy was affected by a country-wide blackout, recognised as a result of the interconnection between electricity and communication networks [26]. In 2008, during the Russian-Georgian war, cyber-attacks originating in Russia brought down the Georgian power system [27]. In April 2009, The Wall Street Journal reported that cyber spies had entered the U.S. power grid and left software programmes that interrupted the whole power system. In 2010, Stuxnet appeared, a complicated and extensive piece of malware that targeted Siemens industrial control systems and exploited four zero-day vulnerabilities in Windows operating systems. As a result, 60% of Iran's nuclear facilities were targeted, raising the fear of cyber warfare [28]. Stuxnet was performed as a stealthy attack targeting both hardware and software [29,30]. The 2010 Stuxnet attack on the SG [31,32] is stated to have cost the U.S. economy 1 trillion USD [33]. Also, in 2015, the cyber-attack on Ukraine's electricity grid showed that the adversary could compromise internal devices and exploit the capabilities of the equipment [26]. Specifically, the Ukraine blackout caused a power outage for ∼225,000 customers for several hours [34,35] (see Fig. 1).
The SG is exposed to potential vulnerabilities due to its heavy dependence on communications and network systems [37]. In view of this challenge, the National Institute of Standards and Technology (NIST) is developing the future power grid [38]. In this context, this work is intended to shed light on the boundary between the cyber and physical worlds. The rest of this paper is organised as follows: in Section 2, we review the state-of-the-art SG. In Section 3, we present the architecture of the SG and its technical components. In Section 4, we present the cyber-physical interdependency in the SG. In Section 5, we discuss different types of cyber-physical attacks in the SG, including detection and protection techniques. In Section 6, we discuss the requirements and security standards of the SG. In Section 7, we address the challenges and future prospects. Finally, in Section 8, conclusions are summarised.

Review of state-of-the-art
Several researchers have extensively studied cyber-physical security and the infrastructure of the SG. The infrastructure is very complicated, and its different portions are challenging to manage. The critical nature of this infrastructure creates extra difficulties for ensuring physical security. From a control-theory perspective, Ding et al. [39] presented an overview of attack detection and security control for industrial cyber-physical systems. The cyber-physical threats targeting communication-based security systems were analysed in [18], where two physical solutions are considered and tested, including the introduction of redundancy in the contact system and a more sophisticated communication-assisted security scheme. Colak et al. [40] provided a detailed review of the crucial challenges in the SG in terms of ICT, sensing, measurement, control and automation technologies, electric power, and energy storage technologies. The different security aspects and solutions of the SG were addressed in [41]. In [42], the authors classified the essential components of modern power system infrastructure, namely SCADA systems, AMI, plug-in hybrid electric vehicles, communication protocols, and standards. They also presented the differences between IT networks and the smart power grid in terms of security architecture, objectives, technologies, and quality of service.
In the presence of cyber-physical interdependence in the SG, the authors of [43] proposed a strategy for determining the cost-minimum locations for deploying certain communication hubs so as to eliminate cascading failure from the power grid into the communication network. In [44], the authors proposed two methods, based on stochastic well-formed networks and stochastic activity networks, to measure the interdependence between information and electrical systems. Both approaches rely on stochastic Petri nets and seek to evaluate the efficiency of a physical power system facing a cyber-attack. In [45], the authors identified four layers of security risk for the implementation of a SG heterogeneous cyber-physical system, namely the perception layer, platform layer, network layer, and application layer. The main focus of [46] is to define the formulation of the attack vector together with prevention and detection mechanisms for various components, thus cohesively providing countermeasures against cyber-physical security threats. The vulnerabilities and operational threats of transmission lines under cyber and physical attacks in a cyber-physical power network are considered in [47] by constructing specific game-theoretical models.

SG architecture
The physical systems are made resilient by combining robustness and reliability, while the cyber network is improved by several standards to guarantee security. The cooperation between cyber and physical systems creates new challenges in addition to existing ones. First, we need to understand the architecture of the SG to address these problems [48]. The components used in the architecture are either new or upgraded legacy devices. They are coupled with advanced power electronics components, including semiconductors, superconductors, and advanced devices [49]. Fig. 2 presents the updated NIST logical reference model of the SG with a composite high-level view of each domain [38]. The updated conceptual model reflects many changes throughout the system. Each domain and its subdomains introduce technical roles and services for the SG. They include different types of services, connections, and decision-makers, which are involved in making decisions and exchanging information to achieve identified objectives. There are mainly seven logical domains in the SG. The top three domains (markets, service providers, and operations) manage the electricity flow and provide relevant information and services to consumers and utilities.
The bottom four essential components of the grid are as follows: (i) generation produces electric energy using nuclear reactions, fossil fuels, hydroelectric dams, tidal forces, solar and wind; (ii) transmission is the means of transferring high-voltage electricity to electrical substations; (iii) distribution is used to step down and spread out current for consumption. The transmission and distribution domains introduce intelligent substations that can be controlled remotely with sensors and intelligent electrical devices; (iv) customer represents consumption in commercial, industrial, and residential areas [50]. In this model, three types of customer networks are available: the home area network (HAN), the building area network, and the industrial area network. AMI is used in these areas to monitor all incoming and outgoing flows of electricity and information. The AMI is implemented with sensors and sensor networks that monitor real-time generation, consumption, and power quality deficiencies.
The intelligent transmission network is an integrated system consisting of three components (i.e. smart transmission network, smart control centre, and smart substation) [51]. The smart substations are constituted of capacitors, circuit breakers, switches, and transformers, which monitor the level of performance in the distribution system. Moreover, the management [27,31,32,36]
234 IET Cyber-Phys. Syst., Theory Appl., 2020, Vol. 5 Iss. 3, pp. 233-244
too short for a cascade. Fig. 3 illustrates the dependency graph for an abstract SG model. The edges of the dependency graph can indicate four forms of dependency, namely cyber-physical, physical-cyber, cyber-cyber, and physical-physical.
Recognising two separate homogeneous networks is the essential prerequisite for investigating and identifying interdependencies between all constituent elements of the cyber-physical infrastructure as complex systems. The physical relationship between nodes and the nature of the contact medium are the two main criteria for separating the overall system into homogeneous networks. At some points, the interconnected networks are connected to one another. Such interdependence usually means that the proper functioning of one entity relies on the presence and precise functioning of some additional components. Thus, there are mainly four types of interdependencies listed in [55]: direct network-element interdependencies, direct element-element interdependencies, indirect network-element interdependencies, and indirect element-element interdependencies. The effect of a failure in an individual component of one network may be split into the influences of different network-component failures [56]. Most research findings on interdependent networks focus on the one-to-one communication coupling rule. In practice, the power system is connected with the communication system through numerous dependent links. A power station may supply power to different information stations, while multiple power stations may be operated by one information station [57]. According to [58][59][60], cyber-physical power systems can be modelled using the information-power flow model, which comprises the following four parts.
where u is the vector of physical control variables, x is the vector of physical state variables, N is the discrete time-stamp that characterises the Nth control span, p is the vector of physical network element parameters, D is the vector of disturbance variables, and A is the node-branch incidence matrix of the power grid.
2. Energy flow → information flow.
The transition from energy flow to information flow applies to the measurement process in a SG, which can be modelled by the following measurement mapping:
where Φ is the measurement mapping matrix and z is the vector of cyber measurement variables. If measurement errors are not taken into account, the mapping matrix is a diagonal matrix composed only of the elements 0 and +1, where each element +1 corresponds to one measured quantity. When measurement failures are evaluated, the related diagonal elements of the measurement mapping matrix are adjusted according to the form of failure.
3. Information flow.
The decision-making mechanism of the control centre is described by the information flow model. The information system produces cyber-side control commands y based on the measurement variables z, which can be defined as a mapping from measurement variables to cyber-side control variables; such a mapping is the common type of constraint in an optimisation function. The decision-making process for information flow is also specific to the numerous specialised systems in the control centre.
4. Information flow → energy flow.
The transfer from information flow to energy flow refers to the regulation phase, which can be modelled by the following power mapping:
where C is a Φ-like diagonal matrix. Combining the above four parts, we have the following information-energy flow model for a cyber-physical power grid:
The interdependence between the power system and the communication system can make the power grid more vulnerable to targeted attacks, faults and natural hazards [61][62][63][64]. Such an interdependence relationship extends the instability structure of the power grid. For instance, a primary communication network failure can lead to instability and faulty control within a SG. These instabilities can trigger the protection functions of a SG, resulting in a loss of power supply to communication devices and, subsequently, additional failures in the communication systems.
The additional communication failures in the power grid will lead to greater instability and initiation of extra load shedding [65]. Such a cycle can proceed recursively and cause a cascade of failures [66]. These cascading failures can have a devastating effect over multiple cycles and potentially bring down the entire SG [67].

Cyber-physical attack scenarios
Cyber-physical systems refer to a generation of systems that monitor and control physical processes from the cyber realm using sophisticated computational and communication technologies with humans in the loop [68]. Potential threats may impact both the cyber and the physical systems in such a way that cyber-physical system security is extremely important at all levels, including design, operation, and deployment [69].

Physical attacks
Physical attacks on components of power systems not only interrupt the supply of power to consumers but also cause significant economic pressure for other power stakeholders such as transmission system operators, utility companies and distribution system operators [70]. Physical attacks, such as the sniper attack on the California transmission substation, target power system components such as generators, transformers, and transmission lines to change the topology of the power system, which can cause direct power blackouts and potentially trigger cascading collapses [71]. Moreover, they can be easily detected, even if the associated security systems that monitor the physical component's status (operational or failed) are also affected. Transmission lines and related security equipment are also targets of physical attacks [72]. The principal reason is that transmission lines extend over a wide geographical region and are therefore more exposed to physical attack than secured substations. Also, since the total generation in a power system must equal the total load, when a substation falls it is difficult to use cyber-attacks to mask the sudden loss of generation and/or load; this still requires extended work. The tripping of transmission lines should not interrupt the power network. After a physical attack, both the topology of the power network (reflected by the branch-bus incidence matrix $A$) and the susceptance of the transmission lines (reflected by the branch susceptance matrix $D$) are modified, as is the Jacobian matrix $H$. Although the active power injection on each bus remains the same under the new network configuration, the real system state will change, and the active power flow on each transmission line will redistribute according to the physical laws (Kirchhoff's voltage law and Kirchhoff's current law) of the power system. After the physical attack, let $H_p = H + \Delta H$ be the Jacobian matrix for the new measurements, where $\Delta H$ is the measurement variance matrix.
Moreover, after the physical attack, let $x_p = x + \Delta x$ be the new state variables, where $\Delta x$ is the state variance vector. Define $z_p$ as the new post-physical-attack measurements. The relation between $z_p$ and $x_p$ is based on the DC power flow model as follows:
where $a_p$ is defined as the physical attack vector, given by $a_p = H\Delta x + \Delta H x_p$. In other words, the effect of a physical attack on the state estimation can be modelled as the insertion of a physical attack vector $a_p$ into the meter measurements. After the physical attack, let $\hat{x}_p$ denote the newly estimated state variables.
Since the control centre is unaware of the physical change of $H$, the system operator employs the old $H$ matrix to estimate the state variables as follows:
After the physical attack, let $r_p$ denote the new measurement residual, which is the difference between the estimated measurements $\hat{z}_p$ and the observed measurements $z_p$. The physical attack vector $a_p$ introduces a new error $(I - K)\Delta H x_p$ into the measurement residual. Thus, bad data detection is expected to detect this new error and thereby sense the physical attack. Several security mechanisms for improving the physical security of power grids have been discussed. Intrusion detection devices, lighting, access controls, fencing, sensors, buffer zone security, and cameras are suggested as more economical but less reliable security mechanisms. An alarm and guard/police communication mechanism can be developed to accelerate the response time to intrusions and reduce the potential damage of attacks. More effective security measures such as undergrounding or double circuiting of transmission lines need significantly greater investment. Therefore, it is unrealistic and politically unjustifiable to defend all grid elements from physical attacks [70]. Cyber-physical attacks are significantly different from attacks against conventional IT systems. Although attacker strategies are similar to those of conventional attacks, their ability to cause impact depends heavily on the power applications or control functions provided by those systems. Fig. 2 illustrates how an electric grid would be impacted by a cyber-attack. First, an attacker would need to compromise the availability, integrity or confidentiality of a part of the cyber-infrastructure. The loss would then affect some power system applications that support the grid. The attacker's ability to control some power application would then result directly in some physical system effect.

Bad data injection attack (BDIA)
BDIA is a major cyber-physical attack that causes energy theft, device breakdown, and disrupted dispatch. Such an attack can disrupt the cyber domain and create an impact on the physical world. The number of cyber-attacks on cyber-physical systems has increased, creating critical consequences such as blackouts [73]. BDIA was first proposed in [74] and consists of two sides: cyber and physical attack [75]. On the cyber side, an attacker performs an invalid operation on communication networks or smart meters by introducing delay or failure. Also, an attacker changes meter readings and feeds tampered data to the control centre. If an attacker knows the configuration of the power system, it is easy to construct bad data on the physical model so that the detection process can be bypassed. BDIA on the cyber-physical system can be classified as in Fig. 3.
Suppose an SG has $N$ buses. The measurement vector $z$ can be written as follows:
where $x$ is the state variable and $e$ is the measurement noise. On the physical side, an attacker can maliciously tamper with the measurement as follows:
where $a$ represents the attack vector. In general, the control centre transfers data to the state estimator over a communication channel (see Fig. 4). If an attacker targets the communication channel and changes the measurement values, the state estimation and the real-time market will be affected [77].
Moreover, bad data can arise from wrong connections, measurement bias or drifts in the power system. If an attacker injects data, $z' = H(x) + b + e$ and the residual vector is $r = z - H\hat{x}$. If $r^T \Sigma_e^{-1} r$ is the weighted least-squares measure of the measurement error, bad data detection can be written as a threshold test on $r^T \Sigma_e^{-1} r$, where $\varsigma$ is the detection confidence probability. A measurement is considered bad data if the largest normalised residual is greater than the pre-specified identification threshold [53]. The adaptive partitioning state estimation is an effective detection method for bad data injection attacks [78] (see Fig. 5). Let us assume that each state variable is mutually independent. If the meter errors follow a normal distribution, the weighted sum-squared residual $J(\hat{x})$ follows a $\chi^2_{m-n}$ distribution. Here, $m$ is the number of measurements, $n$ is the number of state variables, and $m - n$ is the number of degrees of freedom.
In this case, the following hypothesis test can be formed:
where $\chi^2_{(m-n),p}$ is the threshold corresponding to the detection confidence. Instead of least-squares state estimation, the fast decoupled load flow method can be used to detect power system attacks [80]:
$-B'\Delta\theta = \Delta P / V$
$-B''\Delta V = \Delta Q / V$
In general, the $\chi^2$-test can be recast as a fast decoupled load flow test, defined as follows: if the test statistic exceeds the threshold, bad data will be detected. Sou et al. [81] proposed bad data injection with a minimum number of compromised sensors, as the number of devices compromised by the adversary is typically limited. In [82], the authors presented an algorithm based on graph theory that decides how many and which measurement signals an attacker would need to strike to keep the attack hidden from bad data detection with minimal effort. The authors of [83] implemented two distributed sparse attack models: distributed sparse attacks, in which attackers modify local measurements, and collective sparse attacks, in which attackers obtain additional topology knowledge to execute a sparse attack. In [77], the authors considered attackers without topology knowledge and used independent component analysis to construct the attack vector.
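As an added illustration (not the paper's own code) of the residual-based bad data detection in this subsection and of the physical-attack residual $r_p$ discussed under Physical attacks above, the following constructed 3-bus DC example runs the WLS estimator and the $\chi^2$-test over four cases: clean measurements, random bad data, structured false data built from a known $H$, and a line outage that the control centre keeps estimating with the old $H$. The bus data, the fixed noise sample and the 95% threshold are assumptions.

```python
"""DC state estimation with chi-square bad data detection (BDD).

Constructed 3-bus example, not taken from the paper: bus 1 is the
slack bus (theta1 = 0), the states are x = [theta2, theta3] in rad,
every line has susceptance b = 10 p.u., and five meters report the
flows P12, P13, P23 and the injections P2, P3, so m = 5 and n = 2.
"""

SIGMA = 0.01            # assumed meter noise standard deviation (p.u.)
CHI2_95_DOF3 = 7.815    # chi-square threshold, 95% confidence, m - n = 3 dof

# Measurement matrix H (m x n) of the intact network: z = H x + e
H_INTACT = [
    [-10.0, 0.0],       # P12 = b (theta1 - theta2)
    [0.0, -10.0],       # P13 = b (theta1 - theta3)
    [10.0, -10.0],      # P23 = b (theta2 - theta3)
    [20.0, -10.0],      # P2 = P21 + P23
    [-10.0, 20.0],      # P3 = P31 + P32
]
# H_p = H + Delta H after line 2-3 is tripped by a physical attack:
# the P23 meter reads zero and the injections only see lines 1-2, 1-3
H_LINE23_OUT = [
    [-10.0, 0.0], [0.0, -10.0], [0.0, 0.0], [10.0, 0.0], [0.0, 10.0],
]
X_TRUE = [-0.05, -0.10]                          # constructed true state
X_AFTER_OUTAGE = [0.0, -0.15]                    # same injections, new topology
NOISE = [0.004, -0.006, 0.003, -0.002, 0.005]    # constructed fixed noise sample


def matvec(A, v):
    return [sum(a * b for a, b in zip(row, v)) for row in A]


def solve_2x2(A, b):
    """Closed-form solve of A x = b; enough for this two-state example."""
    (a, c), (d, f) = A
    det = a * f - c * d
    return [(f * b[0] - c * b[1]) / det, (a * b[1] - d * b[0]) / det]


def wls_estimate(H, z):
    """Equal-weight WLS: x_hat = (H^T H)^-1 H^T z."""
    m, n = len(H), len(H[0])
    HtH = [[sum(H[k][i] * H[k][j] for k in range(m)) for j in range(n)] for i in range(n)]
    Htz = [sum(H[k][i] * z[k] for k in range(m)) for i in range(n)]
    return solve_2x2(HtH, Htz)


def chi2_statistic(H, z, x_hat):
    """J(x_hat) = r^T Sigma_e^-1 r with r = z - H x_hat and Sigma_e = SIGMA^2 I."""
    r = [zi - hi for zi, hi in zip(z, matvec(H, x_hat))]
    return sum(ri * ri for ri in r) / SIGMA ** 2


def bad_data_detected(H, z):
    """The operator's BDD: estimate with the H it believes in, then chi-square test."""
    x_hat = wls_estimate(H, z)
    return chi2_statistic(H, z, x_hat) > CHI2_95_DOF3, x_hat


def measure(H, x, injected=None):
    """Meter readings z = H x + e, plus an optional injected vector a."""
    z = [zi + ei for zi, ei in zip(matvec(H, x), NOISE)]
    if injected is not None:
        z = [zi + ai for zi, ai in zip(z, injected)]
    return z


def run_scenarios():
    """Return {name: (detected, x_hat)} for the cases discussed in the text."""
    out = {}
    # 1. Clean measurements: J stays far below the threshold.
    out["clean"] = bad_data_detected(H_INTACT, measure(H_INTACT, X_TRUE))
    # 2. Random bad data on the P23 meter: a large residual, flagged by BDD.
    out["random_bad_data"] = bad_data_detected(
        H_INTACT, measure(H_INTACT, X_TRUE, injected=[0, 0, 0.3, 0, 0]))
    # 3. Structured false data a = H c (H known to the injector): the
    #    residual is unchanged, so the test passes while x_hat shifts by c.
    c = [0.02, 0.0]
    out["structured_fdia"] = bad_data_detected(
        H_INTACT, measure(H_INTACT, X_TRUE, injected=matvec(H_INTACT, c)))
    # 4. Physical attack: the grid now follows H_p, but the control centre
    #    still estimates with the old H, so (I - K) Delta H x_p shows up in r.
    out["physical_line_outage"] = bad_data_detected(
        H_INTACT, measure(H_LINE23_OUT, X_AFTER_OUTAGE))
    return out


if __name__ == "__main__":
    for name, (detected, x_hat) in run_scenarios().items():
        print(f"{name:22s} detected={detected!s:5s} x_hat={[round(v, 4) for v in x_hat]}")
```

The structured case is the blind spot the text describes: the residual test cannot see an injection that lies in the column space of $H$, which is why the page's later discussion turns to topology knowledge and alternative detectors.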

False data injection attack (FDIA)
Cyber-physical attacks are the main threats to the use and growth of the various SG technologies. False data injection attacks are a major category of cyber-physical attacks with widely varied styles and impacts that have been widely reported recently. Communication-based attacks depend on the actual physical communication channel to execute the attack on the virtual network of the cyber-physical system without any interference. Such attacks can be performed either by shutting down the communication channel or by sending false messages. Global positioning system (GPS) spoofing is a type of FDIA on the GPS signal transmitted to the device, where the attacker produces the GPS signal and injects false data into it [84]. Other well-known communication-based attacks are message replay and relay threats. The consequences of communication-based attacks have a serious effect on the cyber-physical system as huge amounts of data are transmitted through these communication channels. Physical attacks leverage a physical vulnerability in the security systems. The main category of physical-based attacks is physical damage to the network. However, certain physical attacks, such as electromagnetic damage from an electromagnetic pulse or overvoltage, are feasible without physically touching the physical parts. In the physical layer, FDIA is also a threat, where the data of a specific device could be distorted to give falsified readings. Many physical-based attacks are emission-security attacks that focus on device leakages such as sound, light, heat or electromagnetic radiation. Typically these eavesdropping attacks are the preliminary stage of an FDIA [85].
State assessment is an essential feature of the SG. However, the performance of the state assessment can be susceptible to FDIA. If an attacker knows the configuration of the power system, it is easy to manipulate the meter measurements by injecting malicious data. Two types of scenario have been found in [6]: generalised FDIA and random FDIA. In generalised FDIA an attacker uses small errors in the measurements, while in random FDIA the attacker finds an attack vector that leads to a wrong estimation. In general, attackers have some mandatory requirements for a successful attack, such as understanding the topology or current configuration of the power system. Then, the attackers manipulate the meter measurements.
Let us consider $n$ state variables $(x_1, \dots, x_n)$ monitored by $m$ meters with $m$ measurements $(z_1, \dots, z_m)$. The relation between the state variables and the meter measurements is defined by the $H$ matrix ($m \times n$), which is determined by the impedances and topology. An attacker with access to the $H$ matrix injects malicious measurements. Therefore, FDIA with complete information [86] is as follows: the compromised measurement vector $z_a = z + a$ replaces $z$, where $a$ represents the false data vector and $z_a$ is the false measurement vector, with measurement noise as in [81]. Many efforts have been made to further recognise and analyse the numerous cyber-physical attacks such as FDIA on SGs. In [87], the authors proposed an unknown-input-observer-based detection and isolation method to improve the detection performance against FDIAs in cyber-physical system integrity protection schemes. In [85], the authors demonstrated an FDIA that could lead to load shedding and unnecessary generation rescheduling. This is achieved by injecting false measurements. Thus, control and operation of the power grid involve false reactions or no reactions that eventually lead to unsafe conditions based on these false measurements. Konstantinou et al. [87] showed how an FDIA on the GPS signal can lead to major load shedding. Such load shedding involves the out-of-step security system, which uses GPS-based sensors. After the GPS signal is spoofed, the security system acts on falsified measurements, triggering excessive load shedding. The automatic generation control (AGC) system is recognised for the serious impact adversaries can have on the power grid through it. In [88], the authors proposed an FDIA on the AGC system and expanded on the hazardous effect of frequency deviation. In [40], the FDIA effect on the wide-area control system is discussed, where false measurements lead the secondary voltage controller to establish incorrect set points for the voltage controller in the SG.
This adds to the degradation of the overall security of the system. Frequency-based FDIA is thoroughly investigated in [89], where the authors discuss the impacts of FDIA on SG frequency control. In addition, they demonstrate a simple FDIA and how such an attack would spread and lead to a complete blackout. It is worth noting that the effects on stability have economic impacts.

Denial of service (DoS) attack
DoS attacks are a great concern because of the strict availability requirements of the power grid. In this case, the attacker floods the external interface of the virtual private network (VPN) with arbitrary data to interrupt the connection with SCADA. Such an attack implies that an unknown attacker hits the main VPN interface with a transmission control protocol (TCP) SYN flood. Since the VPN is employed to secure the distributed network protocol 3 (DNP3) traffic of the SCADA system, flooding the VPN would limit its ability to carry the SCADA traffic between the substation and the control centre. In the referenced set-up, the control centre is configured to poll device status with DNP3 packets every 1 s [90]. Generally, a DoS attack destroys legitimate activity by obstructing the communication between the remote terminal unit (RTU) and the master terminal unit (MTU). Consequently, it causes the system to hang, crash, or reboot. Moreover, network performance becomes very slow and suffers communication delays. Such an attack is straightforward to launch but very difficult to prevent. An attacker targets the RTU or MTU to carry out DoS attacks. Three types of DoS attacks occur on the RTU: bandwidth consumption, programming flaws, and resource starvation [91].
A DoS attack has a significant effect on the dynamic performance of the power system by flooding the network with traffic and jamming the communication channel. Network congestion then arises and telemetered measurements are lost [92]. As a result, the control centre can no longer update its view of the power system or act on it. In general, the DoS attack acts as a switching system on the sensing channel. Thus, the DoS attack on x can be modelled as follows:
The possibility of DoS attacks is also a critical issue in the SG since it restricts the supply of accurate and usable measurements [93]. An attacker can exploit the omnipresent two-way communication to flood the AMI infrastructure with malicious packets by compromising any smart meter, which can effectively paralyse the network of meters [94].

Distributed DoS (DDoS) attack
The DDoS attack is a significant threat to the AMI of the SG. Its key objective is to break the control of grid operation and hamper the quality observation and billing systems [95]. Moreover, it jams the communication network, consumes data bandwidth, and wastes the processing power of the system. Three possible types of DDoS attack are found in the AMI environment: attacks on the protocol, on the infrastructure, and on the bandwidth [96]. The impact is that victims may suffer network downtime for several hours, days, or even weeks [97]. The cumulative sum method [98] accumulates the difference between the current observation and the long-term average observation. The cumulative sum grows when the current observation increases faster than the long-term average; conversely, when the observed difference becomes minimal, the coefficient returns to zero. Therefore, a DDoS attack is detected when the cumulative sum coefficient exceeds its chosen threshold [99].
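The cumulative sum detection described above, as an added example that is not part of the original survey or of [98,99]. The traffic series is constructed, and the use of an exponential moving average as the long-term average, together with the slack and threshold values, is an assumption:

```python
# Constructed packet-rate series (packets per second per polling interval) seen
# at an AMI data collector: 20 intervals of normal traffic, then a flood.
NORMAL_RATES = [100, 104, 97, 101, 99, 103, 98, 102, 100, 96,
                105, 99, 101, 100, 98, 103, 97, 102, 99, 101]
FLOOD_RATES = NORMAL_RATES + [500] * 6
SPIKE_RATES = NORMAL_RATES[:10] + [150] + NORMAL_RATES[10:]   # one-off burst


def cusum_detect(rates, alpha=0.1, slack=20.0, threshold=200.0, warmup=5):
    """Non-parametric CUSUM over a traffic-rate series.

    rates     : observations, one per polling interval
    alpha     : weight of the exponential moving average used as the
                long-term average (assumption; [98] does not fix the estimator)
    slack     : allowance subtracted from every excess, so that ordinary
                fluctuations decay the sum back to zero
    threshold : alarm level for the cumulative sum coefficient
    warmup    : leading intervals used only to seed the average
    Returns (index of the first alarm or None, list of CUSUM values).
    """
    avg = sum(rates[:warmup]) / warmup
    s, history, alarm = 0.0, [0.0] * warmup, None
    for i in range(warmup, len(rates)):
        x = rates[i]
        # accumulate only positive excess over (average + slack); never negative
        s = max(0.0, s + (x - avg - slack))
        history.append(s)
        if alarm is None and s > threshold:
            alarm = i
        # update the long-term average only while the statistic is at rest,
        # so a sustained flood cannot drag the baseline up with it
        if s == 0.0:
            avg = (1.0 - alpha) * avg + alpha * x
    return alarm, history


if __name__ == "__main__":
    print(cusum_detect(NORMAL_RATES)[0])   # None: no alarm on normal traffic
    print(cusum_detect(SPIKE_RATES)[0])    # None: single burst decays away
    print(cusum_detect(FLOOD_RATES)[0])    # 20: first flooded interval
```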
Several DDoS prevention methods can improve system, firewall, and protocol security. A cloud-based firewall is an effective prevention technique that uses cloud computing technology and is capable of reducing the storage and data burden of the SG AMI environment. It permits only legitimate traffic from the AMI to the cluster servers [95]. Moreover, small-scale DDoS attacks can be prevented by using packet-filtering techniques such as ingress or egress filtering and router-based packet filtering [100].

Replay attack
Security issues of cyber-physical systems are of great importance because cyber-attacks may have catastrophic consequences on the SG. In recent years, replay attacks have gained prominence because of the Stuxnet incident [101]. A replay attack is a network attack that maliciously repeats a previous snapshot of legitimate data; the replayed measurements mislead the system [102]. A replay attack is mainly carried out for two purposes: stealing energy and physically damaging the system. Stuxnet is one of the most famous examples of such an attack [103]: it sent replayed measurements to the SCADA system while harming the centrifuges over a long period. In a replay attack, an attacker gains access to the smart meter and injects control signals into the system. Specifically, attackers record the sensor value, modify it, and then transfer the modified value to the actuator [104]. A replay attack is therefore a serious attack on the integrity and authorisation process. The fault diagnosis matrices (ℳ_k) reflect the impact of the presence or absence of an abnormal signal. For the normal system, the fault diagnosis matrices are as follows:
If an abnormal signal is present, the fault diagnosis matrices take anomalous values. An attacker can then steal the observed values without any impact on the system [105]. In general, the replay attack can be divided into two steps [106]. In the first step, attackers collect sensor readings and store the collected data in J(t), with u_a(t) = y_a(t) = 0, where Γ_y is the disclosure resource. In the second step, attackers replay the collected data and interfere with the system. Therefore, the cyber-physical system under replay attack is represented as follows:
Several security methods have been introduced to prevent SG attacks, including replay attacks [107]. In [108,109], the authors proposed an authentication scheme against replay attacks that adds physical watermarking, i.e. a noisy signal, on top of the nominal control data.
The concept works because the statistical properties of the Kalman filter innovation are drastically modified under replay. In such a situation, the attacker is unaware of the watermark, an independent and identically distributed (i.i.d.) Gaussian signal, and the replayed data are therefore inconsistent with it. In [108], the authors design the optimal watermark for detection purposes subject to a constraint on the control cost.
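The watermarking idea of [108,109], as an added example that is not taken from the survey or those papers: a constructed scalar plant with an i.i.d. Gaussian watermark on the control input, and a detector that checks whether the measured innovations still correlate with the watermark. The plant dynamics, noise levels, window length and threshold are all assumed values.

```python
import random

A = 0.9          # constructed scalar plant: x[t+1] = A x[t] + u[t] + w[t]
SIGMA_WM = 0.5   # standard deviation of the i.i.d. Gaussian watermark
NOISE = 0.05     # process and measurement noise standard deviation


def run_plant(steps, replay_at=None, seed=7):
    """Simulate the loop; return (watermarks, measurements the controller saw).

    The nominal control input is 0, so u[t] is the watermark du[t] alone.
    If replay_at is set, from that step on the controller receives the
    measurements recorded during steps [0, replay_at) instead of live data,
    i.e. the two-step replay described above (record, then replay).
    """
    rng = random.Random(seed)
    x, watermarks, live, seen = 0.0, [], [], []
    for t in range(steps):
        du = rng.gauss(0.0, SIGMA_WM)
        watermarks.append(du)
        y = x + rng.gauss(0.0, NOISE)          # live sensor reading y[t]
        live.append(y)
        if replay_at is not None and t >= replay_at:
            seen.append(live[t - replay_at])   # attacker's stored snapshot
        else:
            seen.append(y)
        x = A * x + du + rng.gauss(0.0, NOISE)
    return watermarks, seen


def watermark_score(watermarks, seen, window):
    """Mean of du[t-1] * (y[t] - A y[t-1]) over the last `window` steps.

    For live data the innovation y[t] - A y[t-1] equals du[t-1] plus noise,
    so the mean sits near SIGMA_WM**2; replayed data do not depend on the
    current watermark, so the mean collapses towards zero.
    """
    n = len(seen)
    total = sum(watermarks[t - 1] * (seen[t] - A * seen[t - 1])
                for t in range(n - window, n))
    return total / window


def replay_detected(watermarks, seen, window=500, threshold=SIGMA_WM ** 2 / 2):
    """Alarm when the innovations have lost their correlation with the watermark."""
    return watermark_score(watermarks, seen, window) < threshold


if __name__ == "__main__":
    print(replay_detected(*run_plant(1200)))                 # False
    print(replay_detected(*run_plant(1200, replay_at=600)))  # True
```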

Requirements and security standards
This section focuses on the requirements and standards for security issues of a SG network. The security of the system should be robust enough to prevent cyber-attacks and provide advanced controls for system stability and reliability. Therefore, NIST has developed the standards for the communications network to incorporate SG security.

Security, reliability, robustness, and availability
Secure transport and reliable storage of information are essential for power utilities, grid control, and billing functions [111]. Efficient security mechanisms and standardisation efforts with regard to power grid protection should be established to prevent cyber-attacks. One of the most critical demands for a power utility is to ensure process reliability. On the other hand, older power infrastructure, higher energy usage, and higher demand are crucial reasons for rising power grid reliability issues. Thus, the use of modern communication protocols, faster and more robust control devices, communication and IT technologies, and embedded intelligent devices can improve system reliability and robustness [112]. Large-scale SG deployments offer excellent options for wireless technologies, considering limited bandwidth, security, and reduced installation costs, whereas wired technology is expensive [111]. Therefore, a hybrid communication technique combining wired and wireless technologies is employed to ensure reliability, robustness, and availability [113] (see Table 1).

Scalability and quality-of-service (QoS)
The communication network contains several components, such as smart meters, intelligent sensor nodes, smart data collectors, and renewable energy sources. Incorporating web services and security protocols allows the intelligent network to be managed properly. Performance degradation, such as delays or interruptions, can undermine reliability. Thus, a QoS system is required to fulfil the communication requirements. Connection outage probability, jitter, and average delay are the main specifications of a QoS requirement, and it is essential to specify the capabilities of the system when deriving it. The locational marginal price usually determines the power cost, which varies with the load [114]. The locational marginal price of load and other parameters can be derived from a constrained optimisation problem, where the Lagrange multipliers can be regarded as prices.

SG standards
Without common standards, interoperability between advanced systems, smart meters, intelligent devices, and renewable energy sources is prevented or limited. Thus, SG standardisation efforts are made to achieve seamless interoperability, robust information security, and higher safety. NIST, IEC, IEEE, ISO, ITU, 3GPP, KATS, and JISC are the well-known standards development organisations worth mentioning. A joint working group on SG standardisation efforts was formed by CEN, CENELEC, and ETSI to achieve the objectives of the EU Commission's policy [113].

Standards & interoperability
Interoperability describes the ability of technical infrastructure and software systems to communicate with other technologies and systems. Technological implementations must combine systems and intelligent devices with software and hardware to achieve the best capabilities. In short, interoperability is characterised as the ability to share and easily use information safely and conveniently among networks, computers, systems, applications, and their users. In 2004, the U.S. Department of Energy created the GridWise Architecture Council (GWAC) to formulate the principles of interoperability [115]. Consequently, the GWAC developed an interoperability context-setting framework to track the progress of SG interoperability [116]. In 2007, NIST was given primary responsibility for guiding the design of a framework that provides protocols and model standards for achieving interoperability of SG devices and systems [117]. The initial set of 16 interoperability standards was released by NIST in May 2009, covering a wide variety of topics including distributed generation (DG) modules, cybersecurity, and smart meters [118]. In September 2009, a document was published containing 80 fundamental principles of interoperability and 14 'priority action plans' to resolve gaps in the standards. In January 2010, the 'NIST framework and roadmap for SG interoperability standards' was launched, and its latest version was updated in September 2014 [38]. The SG Interoperability Panel (SGIP), founded in November 2009, provides technical support to NIST's interoperability project. The objective of SGIP is to coordinate all stakeholders of the SG in order to facilitate standardisation and promote the interoperability of SG devices and systems. Besides, SGIP works on critical energy issues for utilities, regulators, equipment manufacturers, and implementation firms. Therefore, the SGIP is globally recognised as a standards-setting organisation [115].

Challenges and future prospects
Every complex system has challenges, and the SG is no exception. The architecture and technology of SGs face various security challenges and threats ranging from cyber-attacks, theft, and terrorism to natural disasters. A breakdown of the SG caused by these potential effects and threats can result in SG IT network failures, power grid blackouts (small and large outages), incorrect perception of the state of the actual system, cascading failures, electricity market chaos, disabled user devices, threats to human health, etc. [119] (see Fig. 6). Different security issues of the SG were outlined in [120,121], such as the possibility of a breach of a high volume of confidential consumer information by adversaries, theft, malware propagation in the cyber systems, damage to physical components, and instantaneous system malfunctioning. There are also serious challenges for SG cyber-physical security, including the vulnerability of distributed control devices; the lack of physical protection against natural or environmental disasters such as floods, fire outbreaks, earthquakes, tsunamis, landslides, explosions, dangerous radiation leaks, dust corrosion, and pollution; faulty control structures in traditional networks that failed to account for cyber threats; the trade-off between system performance and security requirements; aging infrastructure, in particular since most facilities were installed many decades ago; and the dynamics of industrial bottleneck activities. Consequently, these challenges and obstacles make different sectors vulnerable. Such risks and challenges have prompted research into numerous security and privacy issues and the development of strategies to curb established threats and enhance resilience and security. Some of these studies [37,45,122,123] address different aspects of the security challenges.
The security of SG communication has become an open challenge [122,124-126]. Several factors, such as human behaviour, regulatory policy, commercial interests, and political elements, affect the SG communication system [127]. One of the open research challenges is to design a secure filter that yields an adequate index of security performance. However, existing filtering systems may not work, since it is challenging to estimate when and how the system is affected by cyber-attacks. For example, the traditional Kalman filter achieves the minimum filtering error by relying on knowledge of the noise statistics. In attacked cyber-physical systems, this assumption may not hold, since the statistical characteristics of the transmitted signals cannot be obtained [128,129]. Moreover, the integration of complex and heterogeneous subsystems is expensive and requires new domain-specific methods, models, and tools. Therefore, several novel challenges arise in designing, improving, and controlling the SG. The challenges for SG applications also depend on the following aspects: the interaction among multiple systems, modelling and design integration, integration and verification, and testing of cyber-physical systems [127]. The challenges of the cyber-physical system reflect the functional roles of SG networks, i.e. generation, transmission, and distribution [130]. At the generation level, threats exist against automatic voltage regulation, governor control, and automatic power control.
Regrettably, the resources available for cyber-physical security of the SG are not enough. First, the grid's size, connectivity, and complexity make eliminating all attack surfaces difficult, and existing barriers such as firewalls may also be broken down. Next, the methods mentioned above cannot compensate for physical attacks, in which an attacker interacts physically with the grid. For example, a separate sensor may be positioned in close proximity to an encrypted sensor to intrude on its confidentiality. Likewise, the validity of a meter's readings can be breached by inserting a shunt that causes electricity to bypass the unit. Similarly, authenticated encryption and firewalls cannot prevent an attacker with physical access from manipulating control commands. Physical shielding of sensors and actuators can compromise availability, and standard anti-jamming technology cannot mitigate such an attack. Moreover, cybersecurity does not have prescriptive tools for the physical security of the SG, as it does not account for reliability and performance properties. For example, rebooting a device is a typical response once a software program is detected as compromised. However, this can be risky given the dynamics and stability of the grid. Instead, steps should be taken carefully in a cyber-physical system to ensure graceful degradation [123]. Several high-profile power grid interruptions have arisen from natural disasters such as hurricane Katrina and superstorm Sandy [131].
The SG system is exposed to a large number of attacks on operating systems and physical devices. Generally, operating systems are designed with a lack of security features. Most physical devices are old-fashioned and have insufficient memory, and they cannot support high-level security mechanisms due to their limited computational capacity. For example, smart meters are designed for low power consumption with limited memory and computational resources. Hence, they cannot support some required security mechanisms, such as cryptographic accelerators and proper random number generators. If these components are compromised, a potential vector is opened to compromise the whole system [132].
Many research efforts are being made by researchers worldwide to improve the stability and durability of the SG, using different techniques to tackle the challenges posed in different forms. However, recent studies either aim to resolve a single question or to define specific sources of threats, without an overall emphasis. Below are some relevant works on cyber-physical protection aimed at providing solutions to established threats. In [133], a Petri net was modelled with a comprehensive analysis and implementation of failure detection in the SG. However, the approach was limited to collecting the security system information in a distribution system with DGs for fault recognition or failure detection. Likewise, De Santis et al. [134] developed a method to detect faults in the grid activity of medium-voltage feeders in Rome, Italy. In addition, an encryption solution for the advanced metering infrastructure (AMI) of the SG was suggested and introduced in [135]. A computational algorithm for dynamic stochastic optimal power flow was introduced in [136] as a method required in SG infrastructure to obtain grid protection and efficiency with advanced demand-side management capabilities. Security and privacy were well addressed in [137] using homomorphic encryption.
As a critical infrastructure, the SG is monitored and controlled over standard internet-based protocols. While the use of IoT is emphasised for future implementation, several challenges are observed that can lead the system to failure [138]. Juniper researchers [139] show that cybercrime breaches rise tremendously as the number of connected IoT objects rises. Hence, the cost of data breaches will rise to ∼$2.5 trillion worldwide by 2022. Moreover, they estimate that 33 billion cyber data records will be stolen by 2023, and the numbers will continue to rise [140] (see Fig. 7).

Conclusions
The SG, as a critical infrastructure, requires maximum security. In this study, we focus explicitly on cyber-physical attack varieties, interdependency, requirements, and security standards by providing a comprehensive and systematic review of the state of the art. To achieve this efficiently, a complete architecture is required that establishes security from the outset. Some essential steps should be taken to highlight significant outcomes and achievements. In the first instance, a coherent set of requirements and standards is necessary, and these requirements and standards must be constructed with proper attention to ensure stability. In this case, NIST provides direction for executing the fundamental steps. Finally, we expect to