| The large distributed electric power system is a hierarchical network involving the transportation of power from the sources of power generation via an intermediate densely connected transmission network to a large distribution network of end-users at the lowest level of the hierarchy. At each level of the hierarchy (generation/ transmission/ distribution), the system is managed and monitored with a combination of (a) supervisory control and data acquisition (SCADA); and (b) energy management systems (EMSs) that process the collected data and make control and actuation decisions using the collected data. However, at all levels of the hierarchy, both SCADA and EMSs are vulnerable to cyber attacks. Furthermore, given the criticality of the electric power infrastructure, cyber attacks can have severe economic and social con- sequences.;This thesis focuses on cyber attacks on SCADA and EMS at the transmission level of the electric power system. The goal is to study the consequences of three classes of cyber attacks that can change topology data. These classes include: (i) unobservable state-preserving cyber attacks that only change the topology data; (ii) unobservable state-and-topology cyber-physical attacks that change both states and topology data to enable a coordinated physical and cyber attack; and (iii) topology- targeted man-in-the-middle (MitM) communication attacks that alter topology data shared during inter-EMS communication. Specically, attack class (i) and (ii) focus on the unobservable attacks on single regional EMS while class (iii) focuses on the MitM attacks on communication links between regional EMSs. For each class of attacks, the theoretical attack model and the implementation of attacks are provided, and the worst-case attack and its consequences are exhaustively studied. In particularly, for class (ii), a two-stage optimization problem is introduced to study worst-case attacks that can cause a physical line overflow that is unobservable in the cyber layer. The long-term implication and the system anomalies are demonstrated via simulation.;For attack classes (i) and (ii), both mathematical and experimental analyses suggest that these unobservable attacks can be limited or even detected with resiliency mechanisms including load monitoring, anomalous re-dispatches checking, and historical data comparison. For attack class (iii), countermeasures including anomalous tie-line interchange verification, anomalous re-dispatch alarms, and external contingency lists sharing are needed to thwart such attacks. |
