Cyber-Attacks in Modular Multilevel Converters

Distributed control of modular multilevel converter (MMC) submodules (SMs) offers several potential benefits such as flexibility, scalability, and modularity. In this approach, low-level control tasks, such as capacitor voltage balancing, can be distributed amongst controllers placed in the SMs. This decreases the computational burden for the central control system that performs high-level control tasks; also, a single point of failure is avoided. Distributed control architecture requires a cyber-physical network (CFN) through which local controllers share all the information necessary to perform their respective control loops. To date, none of the reported works in this field have paid attention to potential imperfections in the CFN. Indeed, previous works are based on the assumption that the network always provides correct information to the local controllers. However, erroneous measurements in the CFN may degrade the distributed control scheme operation, leading to suboptimal or even unstable operation. These events can occur in the presence of cyberattacks, for example, which can be created through illegitimate data intrusion into the distributed control architectures. This article is the first to investigate the impacts of cyberattacks on distributed control schemes used in MMCs. The effects of a specific cyberattack, named false data injection attack (FDIA), on a consensus-based distributed control strategy are studied in this article. Additionally, a method for detecting FDIAs is proposed, along with a countermeasure strategy, to ensure the safe operation of the MMC, while the attack is cleared. The proposals reported in this article are validated using simulation and experimental results.


I. INTRODUCTION
T HE modular multilevel converter (MMC) is a solution for medium to high-voltage, high-power conversion applications, such as high-voltage direct current (HVdc) transmission systems, offshore wind farms, and static synchronous compensators (STATCOMs) [1]. The main features of this converter are: 1) Modular construction, 2) voltage and power scalability, 3) high efficiency, 4) low harmonic distortion, and 5) the use of low-cost, low-voltage semiconductor technology [1].
The MMC comprises several building blocks named submodules (SMs), as shown in Fig. 2. The SM can be a range of different power converter circuits such as the halfbridge, full-bridge, flying capacitor, and neutral-point clamped circuit.
The MMC control scheme involves several objectives: Output current control, circulating current control, and SMs capacitor voltage control. The latter can be divided into three control objectives [2]: 1) Leg voltage control, 2) upper and lower arm capacitor voltage control, and 3) balancing the SM capacitor voltage inside each arm. Typically, these objectives are fulfilled using a centralized control approach, i.e., a single central controller is controlling the whole MMC. This central controller also generates the pulsewidth modulation (PWM) signals for all of the switches [2], [3]. The main disadvantage of this approach is that the central controller needs an extensive processing capability and multiple digital outputs and communication channels for the switching signals, increasing the implementation complexity [2], [3]. This situation is especially critical for the MMC which has a high number of submodules, since the execution time might not be sufficient to perform all of the control tasks in each control cycle [4]. Moreover, the central controller represents a single point of failure. Thus, the centralized control approach limits the modularity, flexibility, and expandability of an MMC with many SMs, in terms of software development. In recent years, the use of the distributed control approach for controlling modular multilevel topologies has received increased attention from researchers (see Table I). In this strategy, local controllers in the SMs (working in a distributed architecture) perform low-level control tasks such as the capacitor voltage balancing and PWM generation. A central controller still performs the high-level control tasks. This approach results in a more reliable and modularized system, with fewer signal wires since the computational burden can be distributed among the local controllers placed in the submodules. [5]. 0885-8993 © 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
See https://www.ieee.org/publications/rights/index.html for more information.  The reported works in this area can be categorized, as shown in Fig. 1. In these approaches, low-level control tasks are distributed among local controllers placed in the SMs. This is done by follower controllers in the leader/follower architecture, by distributed control schemes in the hybrid architecture, and by a distributed control scheme based on the consensus theory [6] in the consensus-based architecture. It should be pointed out that, different from the standard approaches (such as leader/follower and hybrid), the consensus-based method only needs sparse communication among the neighboring submodules [6], [7].
The distributed architectures displayed in Fig. 1 have been proposed for several multilevel converter topologies, such as the cascaded H-bridge (CHB) multilevel converter, MMC, and M3C. Table I, summarizes the reported papers proposing distributed control schemes for these topologies, classified following the categorization presented in Fig. 1.
It is worth noting that all the papers reported in Table I assume a reliable CFN that reports true measurements. As already mentioned, erroneous measurements can occur in the presence of cyberattacks [28], which can be created through illegitimate data intrusion into the CFN. Examples of cyberattacks are: 1) False data injection attacks (FDIAs) [29] and 2) replay attacks [30]. Additionally, there are other types, such as denial of service attacks, for example [29]. It is interesting to note that cyber-attack issues are intensively investigated in other electrical systems such as microgrids [28], modern power systems [31], and electric vehicle charging infrastructure [32]. Regarding cyber-attack issues in the MMC (and multilevel converters in general), the recent letter [33] is the only work reported in this area so far. That paper shows (via simulations) that an FDIA in the sensors of an MMC can affect the stability of its centralized control system. However, to the best of the authors' knowledge, there are no published papers addressing cyber-attack issues on distributed control schemes used with MMCs. Thus, several open research questions need to be addressed, such as a study of the impacts of cyberattacks on distributed control schemes, designing methods for their detection, and implementing countermeasures to deal with them.
To fill the research gaps identified above, this article demonstrates that cyberattacks affect the performance and operability of distributed control schemes used for MMCs. In particular, this article focuses on investigating the effects of FDIAs on the performance of a consensus-based distributed control scheme for an MMC. Second, a method, based on the Kalman filter (KF), to detect FDIAs is proposed along with countermeasures to ensure safe operation of the MMC, while the attacks are cleared. The contributions of this article are as follows.
1) This is the first article to investigate the impact of FDIAs, as the most common type of cyberattack, on MMC converters whose submodules are controlled in a distributed way. It is found that cyberattacks can affect the normal operation of the control system of the MMC, leading to power quality issues and operability issues. 2) A Kalman filter-based method to detect FDIAs is proposed. This method is implemented in each local controller of the SMs and operates in a distributed manner. Thus, only scalar mathematical operations are required for its implementation. Based on the information provided for the proposed KF, a countermeasure is proposed to ensure safe operation of the MMC during cyberattacks. Both proposals are validated through simulations and experimental results.
II. DISTRIBUTED CONTROL STRATEGY FOR MMC Fig. 2 shows the three-phase MMC considered in this article composed of two arms (positive and negative) in each phase. Each arm has N half-bridge-based SMs connected in series and an arm inductor L arm . The converter is controlled by the control architecture shown in Fig. 3. In this scheme, control of the output current, the circulating currents, the arm balance, the total energy and the dc-link voltage are performed by the central controller, implemented in the ΣΔαβ0 reference frame, discussed in [34]. The consensus-based distributed control scheme shown in Fig. 3 is based on [26] and [27], and is in charge of the capacitor voltage balancing control. For the sake of completeness, the following section summarizes the main aspects of the consensus theory applied to control the capacitor voltages of each SM within an MMC. More information about this theory can be found in [6].

A. Consensus-Based Distributed Control Approach for MMC
Note that in Fig. 3, the consensus-based distributed control scheme operates separately in each MMC arm. Therefore, the mathematical analysis performed in this section only considers  one arm of the MMC; for the other arms, the procedure is identical. Fig. 4 shows the upper arm in one of the three phases of the MMC displayed in Fig. 2. In this case, a consensus-based control scheme for balancing the capacitor voltages in that arm is implemented as follows: Let us consider that the distributed communication network displayed in Also, let us assume that each SM corresponds to a node of the graph G with a scalar first-order single-integrator dynamics. Under this framework, it can be said that the capacitor voltages which belong to the cybergraph G (see Fig. 4 [26], [27]. In this situation, the consensus can be achieved via a feedback loop by applying the protocol u i given by (1) (known as a local voting protocol [6]). This control is distributed, i.e., it only depends on the immediate neighbors j ∈ N(i) of node i in the graph topology.
In (1), terms b ij represent the entries of the adjacency matrix, meaning that V j is shared with the ith SM if b ij is not zero. The gain k i modifies the transient behavior of the controller: It depends on the current through that arm (I) (see Fig. 4) [26], [27] By using this approach on the control architecture shown in Fig. 3, the overall control action (U overall i ) for the ith SM, which is sent to the modulation stage, is composed of two parts, as shown in (2). In this equation, U i is generated by the central controller to regulate the high-level control tasks (N is the number of SMs per arm), whereas u i is generated by the consensus-based distributed control scheme for achieving the capacitor voltage balancing control amongst the SMs (see Fig. 8 for more details)

III. DEFINITIONS AND IMPACTS OF FDI ATTACKS IN MMC
The previous section introduced the basis of the consensus theory applied to regulate the SM capacitor voltages of an MMC. However, in that approach, the occurrence of cyberattacks was not considered. Such attacks should be considered since they could cause destabilization of the MMC or discreetly penetrate the control system. The attacker could use the latter tactic to collect sensitive data of the system for a posterior coordinated attack [28] and provoke a shutdown of the MMC. It is worth remembering that there are several types of cyberattacks. This article considers the FDIA since it is regarded as a prominent attack methodology in other electrical systems such as dc microgrids and smart grids [28], [31]. Fig. 4 shows an FDIA being executed on the voltage sensor of the SM 1 placed in one of the upper arms of the MMC. Note that, in this figure, the FDIA will be propagated to the other SMs through the distributed communication network, affecting the distributed control scheme in that arm and the whole operation of the MMC.
Let us consider that the MMC converter is regulating the capacitor voltages in its cells via the consensus-based distributed control scheme shown in Fig. 3, as discussed in the previous section. This consensus algorithm is based on voltage measurements; thus, FDIAs, like that shown in Fig. 4, can occur on the voltage sensors of the SMs. In this case, an FDI attack in the ith SM of the MMC is modeled as follows: where κ = 1 denotes the presence of an attack sequence V a i (t) in the voltage measurement V i (t) in the ith SM, otherwise κ = 0. Note that the sensor attack can be conducted by hijacking the local controllers, as shown in Fig. 4, meaning that the attacked controllers send erroneous voltage measurements to their neighbors [35].
A case study is developed to investigate the impact of the FDIAs given by (3) on the control system of the MMC shown in Fig. 3. To this end, the MMC converter illustrated in Fig. 2 is simulated using PLECS software with the parameters listed in Tables II and III. The MMC is controlled using the control scheme shown in Fig. 3, where the central controller is implemented in the ΣΔαβ0 reference frame (see [34]), and the distributed control scheme corresponds to that discussed in Section II-A.
In this test, the sequence attack (4) is used to emulate an FDIA. Here, V a i represents the attack sequence introduced into the voltage sensor measurement of the ith SM located in the upper arm shown in Fig. 4, t attack i is the time instant at which the attack on the ith SM starts and v a i corresponds to the attack element on that SM In this test, the voltage sensors associated with SM 1 and SM 2 (Fig. 4) are attacked by an FDIA at t attack 1 = t attack 2 = 1s which persists, with the attack elements v a 1 = −0.3 p.u., and v a 2 = −0.5 p.u., respectively (the base is v * C , see Table II). Later on, another attack element v a 15 = 0.4 p.u., is introduced on the voltage sensor of SM 15 , at t attack 15 = 2 s. Fig. 5(a) shows the real capacitor voltages on the attacked arm during the whole test. As shown, the capacitor voltage balancing in that arm is lost when the FDIAs of a given magnitude are introduced. In this case, the capacitor voltage in some SMs increase while others decrease, depending on the magnitude and sign of the attack element introduced. This behavior potentially leads to the shutdown of the MMC since some capacitor voltages may reach the overvoltage and/or undervoltage threshold, activating the protection system of the MMC. In the case illustrated in Fig. 5(a), the voltage at SM 1 and SM 2 may activate the overvoltage protection; whereas the voltage at SM 15 may activate the undervoltage protection.
It is worth noting that the capacitor voltages depicted in Fig. 5(a) correspond to the real ones (those measured directly across the capacitor of each SM) before and after the occurrence of the FDIA. However, from the control system point of view, these voltages look different because of the inclusion of the FDIAs. To exemplify this, Fig. 5(b) shows the capacitor voltages seen by the local controllers on the attacked arm during the whole test (the central controller sees these voltages as well). From this figure, it is concluded that the local controllers reach a consensus point between the capacitor voltages before and after the FDIA. In particular, when the FDIAs start at t = 1s and t = 2 s, respectively, the consensus-based control scheme interprets the FDIA as a new operating point of the system (the same for the central controller). However, in reality, the reference operating point of the system has not changed, and the voltage variation on the attacked SMs are due to the FDIA. In this situation, everything looks fine for the control system; however, in reality, the normal operation of the MMC is affected, which might produce a critical failure of the MMC. Fig. 6 shows the grid current before and after the first FDI attack considered in this test. As seen in Fig. 6(a), the grid current is balanced and with a low total harmonic distortion (THD) before the attack. In contrast, when the first attacks start, the grid current becomes unbalanced and its distortion increases, as shown in Fig. 6(b). Therefore, the FDIA also affects the power quality of the MMC.
From the results discussed in this section, it can be concluded that the control system of the MMC cannot distinguish if changes in voltage measurements are due to a change in the reference operating point of the MMC or due to an FDI attack. Also, it was shown that the FDIA affects the voltage balancing in the MMC and its power quality, and may lead to possible operability issues. Thus, methods for its detection and countermeasures to deal with it are needed.
Finally, it must be recalled that, in this article, FDIAs on voltages sensors measurements are studied as the distributed control scheme used for controlling the MMC is based on those measurements [see (1) and (2) in Section II-A].

A. Practical Aspects of Cyber-Attacks Targeting MMCs
To begin with, it is essential to state the difference between cyberattacks and communications errors affecting the communication network of the MMC control system (see Fig. 3). In this sense, communications errors correspond to random, and not persistent failures, such as communication delays and communication link failures [36]. In contrast, cyberattacks correspond to malicious attacks perpetrated by one or more attackers [37], aiming to destabilize the operation of the attacked system.
In the context of cyberattacks targeting MMCs, it is worth recalling that the FDIA considered in this article is modeled by (3). It corresponds to the principal FDIA studied in other electrical systems, such as microgrids and modern power systems [28], [31]. Based on that, and considering that there is very little literature on cyberattacks for MMC [33], the selection of the FDIA (3) is a sensible starting point to provide the first steps to address for research into cyberattacks in MMC. From here, more elaborate FDIA can be studied in future research efforts.
Even though the FDIA (3) could be considered as a basic cyberattack, it represents a real threat to systems. This is evidenced by its use in the following real cases.
1) In [38] and [39], it is argued that an FDIA similar to the one considered in this article [see (3)] can counterfeit the value of the state of charge (SoC) measurements of the battery management system (BMS) in lithium-ion battery banks. Indeed, counterfeit battery bank parameters can make the battery work in an unsafe operating zone. This happened in 2019 in Korea, resulting in fire and damage to the battery bank [38].
2) In [40], a security researcher hacked an Apple MacBook battery introducing an FDIA to deceive the battery state of charge (SoC) estimator into reporting a low charge. This generated the activation of the charging circuit of the battery producing an overcharging of it, and as a consequence, the device was bricked. 3) An FDIA related to energy theft affected energy companies [41] in the USA, generating economic losses to these companies. In these attacks, FDIAs affected smart meters by sending false energy measurements to the utility company [41]. In addition, in the following works have been discussed that FDIAs are a plausible threat for the following real systems. 1) In [42], it is argued that in the cyberattack that affected the Ukraine power grid in 2015, all the conditions to apply an FDIA were fulfilled. That article concluded that the circumstances of the Ukraine blackout are enough to mount a successful FDIA on an electric power system. 2) In [43], it is argued that an FDIA affecting the measurements of power flow through the lines of a power system can cause overloading of one or more lines. This can result in cascading failure as that occurred in the 2003 northeast blackout [43]. Considering the events described above, it can be concluded that FDIAs can be regarded as real threats to real systems; therefore, they must be studied. Now, focusing on the MMC, particularly its use for HVdc applications, it must be considered that this converter is placed in a substation along with other electrical systems, as shown in Fig. 7. As observed, all the devices of the substation are coordinated and monitored by the supervisory control, data acquisition (SCADA) system. The SCADA system is usually hosted on communication infrastructure comprising wide area networks (WAN), field area networks (FAN), local area networks (LAN), among others [44], which is susceptible to cyberattacks [37], [44].
In the context described above, a potential cyberattack might penetrate into the SCADA system via any computer placed in the control center [37]. And from there, it can be propagated to the MMC via the communication network (see Fig. 7). Note that, cyberattacks targeting SCADA systems have been reported several times in real systems; examples of this are: 1) The attack targeting the SCADA system of the sewage control system in Maroochy Shire in Australia [45], 2) the cyberattacks that targeted the SCADA system of the Ukrainian power grid, causing a power outage that affected approximately 225 000 customers [42], 3) the cyberattack that affected the electrical power grid of Israel in 2016 [41]. Therefore, cybersecurity concerning the SCADA system and to the devices in the substation (see Fig. 7) is of vital importance.
Based on the above, and considering that the MMC is a promising solution to transfer power over long distances, with several commercial projects based on it (Trans Bay Cable, Dolwin2, Nano3-terminal dc grid, etc. [46], [47]), it can be concluded that cyberattacks on the MMC seem to be likely and, therefore, they must be considered for future projects based on this converter. In particular, this article starts this research area considering the FDIA (3), and from here, more investigation in this incipient area could be performed.

IV. PROPOSED KALMAN FILTER-BASED METHOD FOR DETECTING FDIAS AND COUNTERMEASURES
As concluded in the previous section, local controllers cannot identify if a variation in their voltage measurements are due to a change in the operating point of the MMC, or due to an FDIA. In the latter case, the FDIAs will affect the control system performance, produce power quality issues, and eventually produce operability issues. To avoid this critical situation, it is paramount to implement methods to detect the FDIA and countermeasures in the local controllers of the SMs to mitigate such an attack. In this sense, Fig. 8 shows the scheme of the proposed distributed detection method along with the proposed countermeasures to deal with FDIAs. In this figure, the local controller related to the ith SM is displayed. As seen, the proposed FDIA detection method aims to complement each SM with an observer that estimates the SM voltage and then compares it with the measured voltage. Based on these voltages, the following magnitudes are calculated locally by the ith local controller (see Fig. 8 and Algorithm 1): 1) The residual index r i (k) and 2) the reliability index ψ i (k), and the compensation gain G i (k). Then, if r i (k) surpasses a predefined threshold, it means that the SM is being attacked, and its voltage reading V i (k) is not trustworthy. In this case, the reliability ψ i (k) is set at 1, and the compensation gain G i (k) is different from zero. The gain G i (k) is used to compensate for the attacked voltage measurements, allowing safe operation of the MMC, while the FDIAs are neutralized. The latter can be done either by injecting corrective action in the attacked sensors or replacing the whole attacked SMs with redundant SMs typically available in MMCs. [1] As observed in Fig. 8, a Kalman filter-based FDIA detection method is proposed. This filter is a well-known algorithm extensively used in many fields. Burgos et al. [48] and Islam et al. [49] provided more information about this method. Focusing on MMCs, there are recent works [49]- [51] proposing centralized KF-based observers for implementing sensorless control schemes. In their implementation, they perform operations among matrices, increasing the computational burden for the central controller. Indeed, as discussed in [52], the algorithm complexity of the KF proposed in [49]- [51] is O(m 2.376 + n 2 ), where m is the observation dimension, and n the number of states, which makes its implementation in MMCs with high number of SMs difficult. Thus, distributed KF-based observers can be an effective solution to overcome this issue. In this article, an FDIA detector based on a distributed KF-based observer is proposed. This observer can be easily implemented in the local controllers of the SMs since its implementation requires only scalar mathematical operations. It is discussed below.
Let us consider the ith SM in the upper arm shown in Fig. 8. The dynamics of the ith SM (in discrete time), are given by (5) [50], [51]. In this equation, T is the sampling time; m i (k − 1) is the modulation index at the time instant k − 1; I(k − 1) is the arm current (see Fig. 8); C i is the capacitance of the ith SM; and w i (k) is the process noise with covariance Q i . Note that in (5), w i (k) quantifies the error in the modeling process [48] To implement the proposed KF-based observer, (5) is considered the state equation of the system, while (6) is considered as the observation equation. In this latter equation, V i (k) corresponds the the capacitor voltage in the ith SM, and v i corresponds to the measurement noise, characterized by a covariance R i Using (5) as the state equation, and (6) as the observation equation, the ith SM could estimate its capacitor voltage running the well-known KF. However, in the context of FDI attacks, additional consideration needs to be taken into account. Indeed, since the KF uses the capacitor voltage V i (k) to update the state, and considering that this voltage is affected by an FDIA, the SM voltage estimation will be affected (it will follow the attacked voltage and not the real one) [53], [54]. Thus, the FDIA detection cannot be made. With this consideration in mind, in this article, an FDIA detection method is proposed based on a modified KF able to work with FDIA in their measurements; it is shown in Algorithm 1. This algorithm considers that it is being run in the local controller placed on the ith SM in the arm shown in Fig. 8. The rest of the local controllers follow the same procedure.
In Algorithm 1, stages 1-3 correspond to the Kalman filter implementation [48]. This implementation is augmented by adding the proposed stage 4, where an analysis of the measurement reliability is performed. In this stage, the voltage V trust i (k) is defined, and is used for updating the Kalman filter (see stage 5 in Algorithm 1). This voltage is equal to the measured one V i (k) if the ith SM is not being attacked. Otherwise, this voltage is considered not trustworthy, and it is compensated by the gain G i (k). (See step 4.) In stage 4, an FDI attack is detected based on the index g i (k). It is defined as the difference between the voltage measured V i (k), and that estimatedV i (k/k − 1) by the KF in stage 3, with the information in k − 1. If the absolute value of g i (k) is above a prespecified threshold c, it indicates that an FDIA is attacking the voltage sensor that measures V i (k), at the time instant k. In this case, the reliability index ψ i (k) is set at 1, the compensation gain G i (k) is calculated at the beginning of the attack, as shown in Algorithm 1 (step 4), and the voltage V trust i (k) is calculated as: . Note that the prespecified threshold "c" is determined heuristically based on the data of healthy operation (operation without any cyberattack) and not healthy operation (operation with FDIAs) of the MMC (this data can get from numerical simulations and/or hardware-in-the-loop studies [35], [55]). Based on this information, it is possible to set the threshold "c" to discriminate between the system with an FDIA and without an FDIA. Finally, the outputs of Algorithm 1, at each time instant, are the compensation gain G i (k) and the residual index r i (k). The first is used to compensate V i (k) in the case of an FDIA on the ith SM (see Fig. 8), whereas r i (k) allows monitoring if an FDIA is attacking the ith SM.

: Measurements Reliability Analysis:
Define V trust i (k) as the reliable measurement used for updating the Kalman filter Define:

V. SIMULATION RESULTS
In this section, the proposed KF-based method for detecting FDI attacks and the proposed countermeasures to cope with these attacks are numerically validated. To this end, the MMC, shown in Fig. 2, is simulated, using PLECS software, with the parameters listed in Table II. The MMC is controlled with the control  system shown in Fig. 3: The central controller is implemented in the ΣΔαβ0 reference frame [34], whereas each local controller is implemented with the control scheme illustrated in Fig. 3. The parameters used for implementing the consensus algorithm (1) and those used for implementing the FDIA detection method are shown in Table III. Note that the cybergraph considered in this test is a fully connected one, meaning that all the SM that belong to a given arm receive information from all the SMs of that arm.
To evaluate the effectiveness of the proposal, the test discussed in Section III and illustrated in Fig. 5 is repeated. It is worth remembering that in this test, an FDIA occurs in SM 1 and SM 2 at 1s, and another FDIA is applied to SM 15 at 2s. In this case, the FDIA detection method is being run in each SM along with the proposed countermeasures. (See Fig. 8.) The FDIAs are effectively detected by the proposed detection method, as shown in Fig. 9. In this figure, the index r i (k) of the 15 SMs that belong to the attacked arm are plotted. It is concluded that the indices associated with SMs 1, 2, and 15 exceed the predefined threshold when those SMs start to be attacked, meaning that an FDIA is being executed on the associated SM. On the other hand, Fig. 10 shows the real capacitor voltages of the fifteen SMs that belong to the attacked arm during this test. By comparing Fig. 5(a) with Fig. 10, it can be concluded that the proposed detection scheme and countermeasures mitigate the FDIAs, ensuring safe operation of the MMC, while those attacks are cleared. Indeed, without any detection method and countermeasures, FDIAs produce overvoltage (V 1 and V 2 ) and undervoltage (V 15 ) in the attacked SMs, as shown in Fig. 5(a). These adverse effects of the FDIAs are neutralized by the proposed method (see Fig. 8), as shown in Fig. 10. Finally, Fig. 11 shows that the proposed detection scheme and countermeasures mitigate the current-quality issues produced by the FDIAs on the grid currents illustrated in Fig. 6(b). These results have shown the effectiveness of the FDIA detection method along with the countermeasures. Experimental validation of these proposals is provided in the next section.

A. Performance of the Proposed FDIA Detection Method Considering Transient Operation of the MMC
In this section, the performance of the proposed detection method in scenarios that produce a transient operation of the MMC is studied. This will provide information about how immune is the proposal to false positives. To this end, the following operating conditions for the MMC were considered: 1) Load change in the dc side of the MMC, 2) change in the dc-link reference voltage, and 3) balanced voltage drop in the grid voltage.
The test considered in this section is composed of four steps. In step 1 (t < 1s), the MMC operation is similar to the test presented in this previous section before 1 s. Then, at the beginning of step 2 (t = 1 s) and onward, the resistive load shown in Fig. 2 is changed from 108 Ω to 72 Ω (increasing the power required by the load). In step 3 (t = 2 s) and onward, the dc-link voltage reference of the MMC is increased at 1.1V DC (see Table II). Finally, in step 4 (t = 3 s) and onward, a balanced voltage drop in the ac grid is generated. The voltage drop corresponds to 30% of the nominal voltage of the grid (see Table II). To evaluate if the proposed FDIA method creates false positives, FDIAs are not applied to the MMC during the whole test. Thus, if the residual indices generated by the proposed detector are close to zero during the entire test, it means that the FDIA detector does not cause false positives for operation modes considered in this test. Fig. 12 illustrates the results associated with this test. As seen, a transient operation of the MMC is generated at the beginning of each step (at 1, 2, and 3 s, respectively). Fig. 12(a)-(c) shows the main variables related to the operating conditions described in the paragraph above. Fig. 12(d) shows the 90 residual indices (one per each SM) generated by the proposed detection method. As observed in this figure, at any time, the threshold for FDIA detection is never surpassed, meaning that the proposed FDIA detection method does not present false positives for the cases considered in this test. This result shows the immunity of the  proposed FDIA detection method against the operation modes (considered in this test) that generate transient states in the MMC.

VI. EXPERIMENTAL RESULTS
To validate the proposed method for detecting FDIAs and the countermeasures to deal with such attacks, an experimental three-phase MMC prototype composed of 18 half-bridge-based SMs was constructed; it is shown in Fig. 13. This MMC converter has three SMs per arm. For the sake of clarity, FDIAs in the upper arm of phase "a" are studied. In this arm, the voltage sensors in each SM are named as (from top to bottom): v U Ca1 , v U Ca2 , and v U Ca3 . The main parameters of the prototype are listed in Table II, and those used for implementing the proposal are shown in Table III boards. These boards are used to interface the A/D converters, to implement the hardware protection system (overcurrents and overvoltages), and to generate the PWM signals of each cell. In this work, the phase-shift PWM technique is used. The grid is emulated using a Chroma 61511 programmable supply and the load is composed of resistors connected to the dc-port side of the MMC. It is worth remembering that the control system used for driving the MMC is shown in Fig. 3. The central controller is implemented in the ΣΔαβ0 reference frame discussed in [34], whereas the capacitor voltage balancing control is performed by the consensus-based distributed control scheme discussed in Section II-A. This latter scheme was implemented in the control platform shown in Fig. 13, where its distributed nature is represented by the adjacency matrix B (see Section II-A). In particular, for the experimental validation, it is considered that there is full communication among the SMs in the same arm.
Each SM of the experimental MMC (see Fig. 13) is implemented with the proposed FDIA detection method given by Algorithm 1, and with the countermeasures illustrated in Fig. 8). The performance of the MMC considering FDIAs in the SM voltage sensors is evaluated for the following cases: 1) Effects of FDIAs in the control system of the MMC, 2) experimental validation of the proposed method for FDIAs identification, and 3) experimental validation of the proposed countermeasures to mitigate the effect of FDIAs.

A. Experimental Validation: Effects of FDIAs on the Performance of the MMC
It must be pointed out that the intent of FDIAs could be either to look for an immediate destabilization of the MMC or to deceive the system operator by discreetly penetrating the control system. In this sense, Fig. 14 shows an example of a destabilization attack causing an immediate shutdown of the MMC. In that example, the measured voltage related to v U Ca1 is attacked, at t 1 , by an FDIA as follows: Table II). Thus, both the central and distributed controllers run with this attacked voltage measurement. As seen in Fig. 14, this simple attack produces an increase in the capacitor voltage of the attacked SM, producing a trip of the overvoltage hardware protection associated with that SM. Because of that, the identification and countermeasures to mitigate FDIAs should be studied for MMC.

B. Experimental Validation of the Method for Detecting FDIAs
In this test, the voltage sensors v U Ca1 and v U Ca2 are attacked at t 1 and t 2 =t 1 +400 ms, respectively. The capacitor voltages v U Cai with i∈{1, 2, 3} along with the grid currents are shown in Fig. 15(a) and (b), respectively. Initially, the capacitor voltages are balanced around v * C . At t 1 , the voltage sensor of v U Ca1 is attacked by adding 60% of v * C , in this case, the consensus algorithm is trying to ensure the local balance among v U Cai with i∈{1, 2, 3}, however, due to the cyberattack, the real value of this cell capacitor voltage decreases to ≈25 V. Despite the attack, the cell voltages v U Ca2 and v U Ca3 are still balanced. At t 2 , the voltage sensor of cell v U Ca2 is attacked by adding 40% of v * C . After this attack, the three cells within the upper arm of phase a have different voltages in steady state, in particular, v U Ca1 →27 V, v U Ca2 →42 V, and v U Ca3 →69 V, as shown in Fig. 15(a). Note that, capacitor voltages displayed in Fig. 15(a) were directly measured across the capacitors in the attacked arm. The control system does not see these voltages due to the FDIAs. Fig. 16(b) shows the SM capacitor voltages seen by the control system. Initially the control platform sees a peak in the measured voltage due to the attack and then the consensus algorithm tries to balance the SMs using the attacked measurements. As a consequence, the control regulates the attacked voltages and it achieves a consensus point. However, the real capacitor voltages are not balanced, as shown in Fig. 15(a) In the situation described above, both FDIAs are effectively detected by the proposed detection method, as shown in Fig. 16(a). This figure shows the r index of each cell used to identify and quantify the magnitude of the attack. At t 1 , an attack is detected and its magnitude is 0.6, afterward at t 2 the second cell is attacked and as a consequence r 2 is equal to 0.4. Finally, by comparing the real capacitor voltages [see Fig. 15(a)] with those estimated by the proposed KF [see Fig. 16(c)], it is concluded that the proposed strategy can estimate the actual SM capacitor voltage.
Finally, a zoomed view of the grid currents displayed in Fig. 15(b) is shown in Fig. 17(a)-(c). The grid current in regular operation, without any attack, is depicted in Fig. 17(a) and it has a THD=3.4%. After each attack, the harmonic distortion of the grid current increases; i.e., after the first and second attack the THD of the grid currents is THD=5.1% and THD=17.3%, respectively. Finally, note that in this test, the proposed countermeasures were not activated.

C. Experimental Validation of the Proposed Countermeasures
In this test, the voltage sensors v U Ca1 and v U Ca2 are simultaneously attacked at t 1 by the following FDIAs: Then, at t 2 = t 1 + 800 ms, the proposed countermeasures shown in Fig. 8 to mitigate such attacks are activated. In this case, for the attacked SMs, both the centralized and distributed control systems use the compensated voltage measurements to run their respective control strategies. Fig. 18(a) and (b) shows, respectively, the real capacitor voltages in the attacked arm, and the grid current during this test. These figures show that the capacitor voltages are balanced before the FDIAs (t < t 1 ). The same occurs with the grid  currents. Then, at t 1 , when the FDIAs are initiated, both the capacitor voltage balancing and current quality are affected. Finally, at t 2 (and onward), these issues are corrected by the proposed countermeasures. Finally, some internal variables of the control algorithm are recorded, in particular, the r index, the cell capacitor voltages seen by the control and the cell capacitor voltage estimated by the proposed Kalman filter are shown in Fig. 19(a)-(c), respectively. From Fig. 19(a), it is concluded that the proposed method for detecting FDIAs effectively detects the cyberattacks emulated in this test. Note that the r index still indicates the presence of FDIAs after the activation of the countermeasures (t > t 2 ). This is because the attacks are still present in the system and need to be cleared.
Comparing Fig. 18(a) with Fig. 19(c), it is concluded that the proposed KF follows the real voltage during the whole test, showing its effectiveness.
Finally, Fig. 19(b) shows the capacitor voltages seen by the control system of the MMC. From t 1 to t 2 the control system runs with the attacked voltage measurements, whereas at t = t 2 , these attacked measurements are compensated by the proposed countermeasures (see Fig. 8), noticeably improving the operation of the MMC, as shown in Fig. 18 after t = t 2 .
The experimental results presented in this section have shown the effectiveness of the proposed method for detecting FDIAs along with the proposed countermeasures to deal with them.

VII. CONCLUSION
This article has studied the effects of FDIAs on control schemes used for controlling MMC. It was found that FDIAs produce power quality issues and eventually can lead to a shutdown of the MMC due to the activation of its protection system. Also, a method for detecting FDIAs was proposed and validated via simulations and experimental tests. This method can easily be implemented in the local controllers placed in the SMs of the MMC, and it does not require a high computational burden as it performs only scalar mathematical operations. In addition, countermeasures to mitigate FDIAs were proposed and validated through simulations and experimental results. These results show the effectiveness of the proposed method to overcome the adverse effects on the normal operation of the MMC produced by FDIAs. Finally, this article provides the foundation for research into cyberattacks on MMC type circuits, as so far, there is very little information in the literature on this topic. It is worth remembering that the MMC is deemed to be a prominent solution for medium to high-voltage and high-power applications. Indeed, it is a critical link in modern power systems (such as wind-farms interfacing, HVdc systems). Therefore, it is a potential target for cyberattacks, and the result could be very significant. For this reason, it is necessary to explore this area of research.
As future work, the following tasks can be studied further: 1) The extension of the proposal to consider cyber-attack issues targeting the central controller (see Fig. 3), 2) to study FDIAs on measurements associated with current sensors, 3) the study of more sophisticated FDIAs and methods for their detection, and 4) to study methods for detecting FDIAs that considers fault conditions of the MMC. From 2013 until 2016, he has been a Postdoctoral Researcher with Aalborg University, Aalborg, Denmark. From 2016 until 2020, he was an Associate Professor with Aalborg University, Denmark. He is currently a Professor with the Technical University of Denmark, Kongens Lyngby, Denmark. He made a Guest Professor stay with Nottingham University, Nottingham, U.K., during spring/summer of 2018. He has authored and coauthored more than 330 technical publications (more than 150 of them are published in international journals, mostly in IEEE), 10 book chapters and a book in this field, as well as filed for several patents. His research interests include application of advanced control, optimization and artificial intelligence inspired techniques to provide innovative and effective solutions to emerging challenges in design, control, and diagnostics of power electronics intensive electrical distributions systems and microgrids.
Dr. Dragičević was the recipient of the Končar Prize for the best industrial Ph.D. thesis in Croatia, the Robert Mayer Energy Conservation Award, and the Alexander von Humboldt fellowship for experienced researchers. He