Distinguishing Between Cyber Attacks and Faults in Power Electronic Systems—A Noninvasive Approach

With the increased cyberinfrastructure in large power systems with inverter-based resources (IBRs), it remains highly susceptible to cyber-attacks. Reliable and secure operations of such a system under a large signal disturbance necessitate an anomaly diagnosis scheme, which is substantial for either selective operation of relays (during grid faults) or cybersecurity (during cyber-attacks). This becomes a challenge for power electronic systems, as their characteristic response to such large-signal disturbances is very fast. Hence, we accumulate our efforts in this article to characterize them accurately within a short time frame. A novel noninvasive anomaly diagnosis mechanism for IBRs is presented, which only requires locally measured voltage and frequency as inputs. Mapping these inputs in a $XY$ -plane, the characterization process is able to classify between the anomalies within 5 ms. To the best of our knowledge, this mechanism provides the fastest decision in comparison to the existing techniques, which also assists the equipped protection/cybersecurity technology to take corresponding decisions without enforcing any customization. The proposed scheme is validated on many systems using real-time (RT) simulations in OPAL-RT environment with HYPERSIM software and also on a hardware prototype. The results verify the effectiveness, scalability, and accuracy of the proposed mechanism under different scenarios.

In addition, due to the advancements in information and communication technologies (ICTs), IBRs follow a standard hierarchical control framework [1], which transforms into a cyber-physical system highly vulnerable to cyber-attacks. The recent case study by Recorded Future's Insikt Group revealed that from mid-2020 onward within India's power sector [2], RedEcho carried out suspected network intrusions, which targeted four out of five Regional Load Dispatch Centers (RLDCs) that are directly responsible for balancing supply and demand in real-time (RT) to maintain a stable grid frequency. As a result, power electronic systems security becomes a key driver for protection against such threats.
In the hierarchical layer, a distributed framework has come out as a better alternative when compared to the centralized one with enhanced reliability, scalability, and cost efficiency. The above-mentioned control configuration operates by exchanging information between two neighboring DERs. Despite enhanced reliability of operation, they can be easily compromised by cyber threats and communication failure. Such anomalies not only restrict the cyber layer, but will also compromise the physical layer operation [3]. By definition, an anomaly can be described as anything that causes abnormal behavior in the system. In IBR-based systems, the physical anomalies are shunt faults (both balanced and unbalanced faults) on the bus or line. On the other hand, cyber-attacks can be grouped into cyber anomalies caused by a third-party adversary, accounting for illegitimate activities such as data manipulation, data integrity, and data delay/loss [4], [5]. Data manipulation attacks are commonly termed false data injection attacks (FDIAs), which affect the integrity and confidentiality of a system. Whereas, data can also be delayed temporarily or can be lost permanently, commonly termed a denial of service (DoS) attack, due to communication failure or injection of random packets to cause a large delay. As the essence of DoS attacks allows it only to be modeled as a large delay, we do not necessarily account for this as a cyber-anomaly in this article, as we are investigating the response to large signal disturbances. Hence, we focus on the impact of largesignal FDIA on different control layers [6] to differentiate them quickly from system faults.

A. Literature Survey
Recent literature suggests that there are two ways to detect these cyber-physical intrusions in a system: model-based 2168-6777 © 2022 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.
and data-driven approaches. In [7] and [8], support vector machines (SVMs), decision trees, and random forest techniques have been proposed for physical anomaly identification. Further to improve the fault detection accuracy, discrete Fourier and wavelet transforms have been used to preprocess the input data in [9]. An adaptive sliding mode observer-based approach was presented in [10] for cyber anomaly detection, assuming complete knowledge of communication topology. Another method based on a stochastic linear discrete modelbased scheme for FDIA detection without state estimation was proposed in [11]. In [12], a neural network-based FDIA detection is proposed. Since these approaches discuss the detection and diagnosis of the cyber and physical anomalies separately, a tailor-made scheme to differentiate them from each other still needs to be explored. It becomes equally crucial as cyber-attacks can be deliberately designed having intrinsic characteristics like a physical fault [13], which will lead to operational failure, if not detected correctly. Embarking closely on the cyber-physical anomaly diagnosis problem, a data-driven intelligent anomaly identification technique is used to locate and classify faults and cyberattacks. Although it eliminates complex mathematical modeling, it still requires qualitative data for training pertaining to different fault scenarios. The availability of such qualitative data also limits the design of high-accuracy anomaly diagnosis mechanisms. In [15], a parametric time-frequency logic framework has been presented without any model information. The time-frequency content from the training data is extracted to detect traces of anomaly in testing data. In [16], local frequency and average voltage measurements of standalone inverters in an ac microgrid are mapped into a XY -plane to differentiate between the cyber-physical anomalies within a margin of 100 ms. As the power electronic protection systems respond within 10 ms (half-cycle for a 50-Hz system) [17], the deployment of the above-mentioned schemes will remain limited. Hence, a new principle mandates a quick analysis of the prevailing cyber-physical situation in the system and consequently aids the underlying protection/cybersecurity technology in mitigating the corresponding anomaly.

B. Article Contributions
To simplify this diagnosis, this article presents a novel noninvasive technology to characterize cyber and physical anomalies. It encapsulates physics-informed empirical laws to devise a sample-based trajectory window, where different regions have been formulated for each anomaly. In particular, these regions are mapped in a f -V d plane for each DER. When any movements in these defined regions are detected within a moving window of 5 ms, the corresponding diagnosis will then be formalized. As a result, not only this scheme makes a fast and accurate decision, but also allows the consecutive resilient technologies (protection systems/cybersecurity mechanism) enough time to comprehend the underlying diagnosis. We envision this diagnosis mechanism to be an effective methodology for improving the resiliency of IBRs. We consider large-signal FDIAs on frequency and voltage measurements and test the efficacy of the proposed mechanism with several types of faults (such as LG, LLLG, LL, and LLG) on buses and lines of the distribution systems.
Hence, the key contributions of the article can be summarized as follows.
1) We introduce a novel noninvasive anomaly diagnosis scheme to differentiate faults from cyber-attacks. We verify our contributions theoretically using physicsinformed laws. These laws are then governed online by mapping their trajectories in the f -V d plane. Since this diagnosis principle is exploited entirely against locally measured quantities, this makes it a noninvasive approach. 2) We also conceptualize additional features in the proposed mechanism, where FDIA attacks (of any scale) on frequency and voltage in an ac power electronics network can be accurately diagnosed within 5 ms. To the best of the authors' knowledge, this mechanism provides the fastest decision in comparison to the existing techniques. 3) We formalize our findings through a selective and fast decision within 5 ms for any power electronics network, which is engineered based on the minimum tripping time (around 10 ms [17]) during faults. 4) We validate our findings by testing its efficacy and scalability in different systems like CIGRE LV and IEEE 37-bus distribution system with certain customization. In addition, it has been highlighted how this mechanism provides accurate decisions even during transient disturbances, cascaded cyber-attacks, and faults. On the other hand, it also guarantees resiliency against noisy measurements. The remainder of this article is organized as follows. A brief description of modeling and control of IBRs is provided in Section II. The problem behind cyber-physical anomaly diagnosis is explained in Section III. The proposition of the decentralized anomaly diagnosis scheme and its performance validation are presented in Sections IV and V, respectively. Finally, we conclude with our remarks and future work in Section VI.

A. Physical Architecture
To simplify the discussion of modeling and control structure of a networked power electronic system, a two-bus test setup is considered an exemplary model in Fig. 1. Each DER comprises a dc source (e.g., renewable energy or energy storage systems), dc/ac inverter, LC filter, and RL output connector [1]. The different types of faults considered in this article are shown in Fig. 1, which includes (f1) bus faults and (f2) line faults. These faults can be any of these LG, LLLG, LL, or LLG faults with varied fault resistance (R f ) values. The intelligent electronic devices (IEDs) are connected at each end of the line segments to protect the system against any physical faults. In this article, we consider overcurrent relays (OCRs) as the protection infrastructure. In the physical architecture, the i th and j th DERs are interconnected to each other via tie-line resistance R i j and reactance X i j . In the primary control layer, there are current and voltage control with a droop controller. Detailed modeling and equations can be referred from [18].
As the secondary controller (SC) output directly influences the droop controller entity, we consider further scrutiny here. The droop controller employed in the i th DER to locally regulate frequency and voltage, based on their active power P i and reactive power, respectively, Q i can be given by where ω ref and V nom are the desired nominal frequency and voltage, respectively. It is worth notifying that f = ω/(2π) is used, whenever required. The active and reactive power droop coefficients are represented by m p and n q , respectively. The relation between instantaneous active (or reactive) power, p (or q) when passed through a low-pass filter (ω c as the cutoff frequency), the active (or reactive) power corresponding to the fundamental component is expressed by where instantaneous active (or reactive power) is represented as As droop controllers do not allow zero steady-state error operation under loaded conditions, SCs are usually employed, where communication becomes intrinsically necessary. Its design and modeling principles are explained in Section II-B.

B. Cyber Architecture
As we have discussed in Section I that cooperative coordination is preferred over its centralized counterpart due to its enhanced reliability and stability, we formalize our findings using a cooperative control framework in a system with M DERs in this article. As shown in Fig. 1, SCs communicate among themselves in a sparse cyber network to achieve the desired objectives of frequency restoration and proportionate active and reactive power sharing [19].
Considering each node in the cyber layer as an agent (DER in the physical model) as x = {x 1 , x 2 , .., x M } and linked by edges E G via an adjacency matrix A G = [a i j ] ∈ R M×M . a i j is given as the communication weight from node j to node i . Each agent shares information where N i denote the set of neighbors of agent i . The matrix representing incoming information can be given as Similarly, the matrix representing outcoming information can be given as can be obtained, given as L = D in − A G . These correction terms are then added to (1) and (2) to get Neglecting the dynamics of inner control loops, we can The frequency and voltage error terms designed to be compensated by the SC are e i ω and e i v , respectively, at the i th DER. On expanding these error terms, we geṫ e i ω andė i v are then fed into the secondary layer PI controllers G i ω and G i V , respectively. These PI controllers can be represented as Finally, the correction signals can be obtained using Upon combining droop and secondary control signals for frequency control from (7), (12), we get Similarly, combining droop and secondary control signals for voltage control (9), (13), we get As evident from (12) and (13), the collaborative nature of the distributed control framework provides a smooth surface for the flow of attack vectors from one DER to another. Thirdparty adversaries can attack any DER or a communication link, which can later circulate throughout the system, thereby affecting the system operation in many ways. As shown in Fig. 1, points of access by an adversary can be: (a1) for reference signals and (a2) for secondary control commands to primary controllers. We consider the large-signal frequency and voltage FDIAs for DER i where α and β, being unity, denote the presence of cyberattack on frequency reference (labeled as (a1) in Fig. 1) and voltage correction signal (labeled as (a2) in Fig. 1 (12), (13), (10), and (11) that the secondary control correction terms will anyway be compromised. Furthermore, the stealth attacks [20] can be easily curated to resemble that of grid faults. Hence, these attacks need to be immediately removed as soon as they are implanted into the system.

III. PROBLEM STATEMENT
The IBRs are often limited to 1.1-1.5 times of their nominal current rating (I rated ) [21], owing to the maximum current capability, prescribed reliability indices, and lifetime of the semiconductor switches in each DER. Therefore, conventional overcurrent devices fail to detect and isolate the faulty section in such networks, specifically for low values of fault current. Furthermore, it is difficult to choose overcurrent settings that are both sensitive and selective. One of the straightforward approaches is to increase the fault current contribution by installing over-rated inverters (usually three times the rated current). This method will work effectively with the existing OCR, but at the cost of higher investment on the inverters [22]. This technique has already been used in a real-world test connecting large battery storage in an islanded LV MG [23]. In this article, we consider IBRs to be over-rated to three times the rated current to allow sufficient current for OCR operation.
The peak value of current is continuously monitored by OCR as a combination of active and reactive currents using where I p represents the peak value of current, I d is the active current (the d-axis component of peak current), and I q is the reactive current (the q-axis component of peak current).
To minimize the voltage drop and to ensure a fast voltage recovery after a fault, each converter limits its reactive current using where I max is the maximum allowable current that prevents the inverter from overcurrent damage. A critical disturbance Fig. 2. Time-domain simulation of current for a cycle with various cyberphysical anomalies at DER A of a two-bus test system (see Fig. 1).
in the system can be checked using the following condition in [24] by continuously monitoring the peak value of current from each converter: At a given instant k, a disturbance is detected, only when any three successive samples satisfy the condition in (20), as shown in Fig. 2. The operating region and nonoperating region of an OCR are highlighted in Fig. 2. It can be observed that for all cyber-physical anomalies, including a bus fault or cyber-attack on f ref and V sec are capable of triggering the OCR as three consecutive samples exceeding the threshold value, which eventually leads to a TRIP decision within 20 ms. This would not only cause maloperation of relays during cyber-attacks, but also isolate a normally operating DER corresponding to that OCR, thereby affecting the reliability of supply to the consumers. Hence, this article proposes a noninvasive method to diagnose and differentiate between cyber-attacks and faults as quickly as possible. As mentioned earlier, the deviations in voltage versus deviations in frequency are used as a decisive mechanism in the proposed method to diagnose cyber-physical anomalies in IBRs. In this regard, the design theory of the proposed scheme and its formal proof is elaborated in Section IV.

IV. PROPOSED ANOMALY DIAGNOSIS SCHEME-MODELING AND FORMAL GUARANTEES
To design the anomaly diagnosis, it is vital to understand the key differences between faults and cyber-attacks. Their difference has been summarized in Table I.
For a three-phase fault, the voltage and current can be expressed as Leq sin(θ − α) (22) where v f (t) and i f (t) are the voltage and current during the fault and t is the fault inception time. The equivalent resistance and impedance in the faulted loop are represented by R eq and L eq , respectively. |Z | = (R 2 eq + (ωL eq ) 2 ) 1/2 and α = tan −1 (ωL eq /R eq ). From (21) and (22), it is clear that changes in both voltage and current during fault depend on the system parameters, thus are inherent functions of system dynamics. Different from faults, cyber-attacks in (16) and (17) will have different behavior, which is highly dependent on the overall system loading condition and will always implicit the SC dynamics as they are introduced as disturbances in that loop. This can be justified using the theoretical analysis below, which has been conducted for R and RL loading conditions.
In Fig. 1, the voltages at bus B2 can be given by where I i − θ i is the output current of the i th DER. Using (1) and (2), we can further obtain where γ i = α i +θ i . Finally, to compensate for the error caused by the line drop and to acquire equal reactive power sharing, we introduce a cooperative SC term V i sec using is the error between reactive power droop terms of local and neighboring DGs. Finally, adding (25) in (24) and segregating the control terms to the RHS, we get Since the reactive power drop and inductive load at bus B1 administers the total reactive power generation from bus B2 and assuming the line drop to be negligible, we can equalize the reactive power generation from bus B2 to be approximately equal to the reactive power demand Q d , we get When we augment the model for voltage-based cyber-attacks given by into (28), we get Using (30), we can conclude that for any values of V Ci sec , the trajectory movement for voltage with respect to frequency will always be positive since all the terms in LHS are positive as long as there are no faults (where V i will drop down). Finally, when there are only R loads instead of RL loads, Q d = 0. As a result, the voltage change is regulated in proportion with the active power demand and can be associated with a change in γ i as per (1), which can then traverse into the negative region in the proposed trajectory monitor.
The significance of anomaly diagnosis is presented in Fig. 3 to certify the relevance of the proposed mechanism in addressing the problem. Considering a typical operation time of commercial OCRs to be around 20 ms (in a 50-Hz system) [25], the proposed diagnosis scheme provides a solution by investigating the trajectory of f ( pu) and V d ( pu) within 5 ms (20 samples/cycle) window, to have a selective and fast decision such that the protection system remains unaltered. As the permissible limits of frequency deviation are commonly around ±1% and that of voltage deviation is ±5% from the rated value [26], the trajectory as per the proposed method lies within these allowable limits, as shown in Fig. 3. The origin (O) is at (0, 0). It is worth notifying that the operating frequency is denoted by f ref in Fig. 5.
For a sampling frequency of 1 kHz, the deviations of frequency and the d-axis voltage from the instant of disturbance (considering kth time instant) detected from (20) can be expressed by where f i pre and V i pre d are buffer data of frequency and voltage measurements for a 5-ms window stored as predisturbance values, which are constantly updated. The frequency and voltage at each instant can be calculated using (14) and (15), respectively. Finally using Table II, the cyber-physical anomalous regions are classified. For any physical anomaly (like bus/line faults), trajectory movement is along the negative V d -axis with a frequency deviation between ±1% (in quadrants III and IV), whereas for voltage-based cyberattacks, the initial traversal is along the positive V d -axis  to the positive side of the f -axis (i.e., toward the right) and vice versa. To demonstrate its efficacy and scalability, the proposed scheme has been tested on an RT platform in two case studies in the OPAL-RT environment. This has been proven to be effective for various scenarios of faults, cyberattacks, loading conditions, the simultaneous occurrence of cyber-physical events, and the addition of noise in the measured data (input to the proposed anomaly diagnosis scheme). All the above-mentioned scenarios have been discussed in detail in Section V.

V. PERFORMANCE EVALUATION
The performance of the proposed method is tested on two benchmark distribution systems: CIGRE LV distribution system and IEEE 37-bus distribution systems. These systems were modified to incorporate the inverter-interfaced DERs to operate in an islanded mode where the nominal voltage level of these systems is 400 and 381 V, respectively. In addition, the nominal frequency f ref is equal to 50 Hz for both systems. To prove the robustness of the proposed scheme, it has been tested under multiple scenarios: 1) physical anomalies (like LLLG, LG, LLG, and LL faults) on buses as well as in between lines; 2) effect of fault resistance (R f ) during physical anomalies; 3) effect of load variations; 4) cyber anomalies like frequency-and voltage-based attacks considered one at a time, on individual DERs; 5) simultaneous cyber-attacks on multiple DERs; and 6) the measured data (input to the proposed scheme) was mixed with noise signal to obtain the signal-to-noise ratio (SNR) of 30 and 40 dB.

A. Response to Faults and Cyber-Attacks in the Modified CIGRE LV Benchmark System
The standard CIGRE LV distribution system was modified by adding five inverters at buses B6, B10, B18, B16, and B15 as shown in Fig. 4.
Operating with a fixed switching frequency f s = 10 kHz, the apparent power S of the loads along with their power factor  are highlighted in Fig. 4. The line and load parameters of the benchmark system can be obtained from [27] assuming fixed dc sources with balanced loads. To evaluate the performance of the proposed scheme, inverter-interfaced systems have been simulated in RT in OP-5700 with HYPERSIM software as shown in the testbed in Fig. 5. The physical and cyber layer of DER is modeled in HYPERSIM, and RT simulation is carried out through OP 5700. Furthermore, SEL-3530 RTAC serves two purposes of generating the frequency reference signal and monitoring the signals like voltage, power, and frequency through the human-machine interface (HMI). The sampled value protocol is incorporated for distributed secondary control, and DNP3 is integrated to generate the frequency reference signal and monitor the signals in a microgrid. The equations as discussed in Section II for primary and SCs are presented in Fig. 5. The detailed description of the testbed can be referred from [28]. The control parameters corresponding to primary and secondary control of DERs in the modified CIGRE LV islanded distribution system are mentioned in Table III. The proportional gains of voltage and current control are denoted as K pe and K pc , respectively. Furthermore, integral gains of voltage and current control are denoted as K ie and K ic , respectively. The DER A in this system is selected to be the target of cyber-physical anomalies. The response of deviations in the d-axis voltage with respect to deviations in the frequency for DER A is illustrated in Fig. 6, for a 5-ms cycle window. During normal conditions, the trajectory would lie within the permissible limits around the origin.
To illustrate various anomalous situations in a simple way, plots for frequency-based attacks are not zoomed in. However, as trajectories for voltage-based cyber-attacks and faults are on either side of the V d -axis, these regions are zoomed in to illustrate the follow-through into the quadrants. The time-scale separation between the primary and SCs differs by considerably large values (approximately ten times), it can consequently aid in differentiating between the cyber-physical anomalies.

B. Responses for the Modified IEEE 37-Bus Distribution System
The standard IEEE 37-bus system was also modified by adding seven inverters at buses B15, B18, B22, B24, B29, B33, and B34 as shown in Fig. 7. The inverter control parameters are tabulated in Table IV. For the purpose of brevity, the network and load parameters can be referred from [29].
In Fig. 8, the efficacy of the proposed diagnosis certificates in the trajectory monitor is tested for faults at different locations. In this scenario, we consider a bus fault at B15 and a line fault between B14 and B15 to check whether the trajectory monitor provides any distinctive performance. However, the trajectories provide a nearly accurate response for different kinds of faults, which is diagnosed by DER A in an unbiased fashion. In this case, the effect of line impedance during faults is apparent for faults with high resistance, as shown in Fig. 9. However, the proposed diagnosis anyway remains valid as the trajectory movement is always inclined in the defined regions in Table II.
Furthermore, an effective response to various loading conditions like increment and decrement of load resistances R L and reactances X L by a factor represented by s% individually was tested and verified. As shown in Fig. 10, the load is varied by 10% at B15 (denoted as L15). In particular, the load at B15 is halved and then doubled to its original value. As per the proposed noninvasive method, the trajectories anyway lie within the normal operating region/boundaries, which can be seen in Figs. 10 and 11. In addition, simultaneous cyber-attacks across different buses are also simulated to verify the efficacy of the proposed approach in affected buses. For V sec attack at DER A and  LLLG fault between B11 and B33 (close to DER F), it can be seen in Fig. 12 that the proposed mechanism characterizes and localizes the anomaly as per the designated regions in Table II. It can be followed that the faulted trajectory moves along the negative Y -axis, unleashing within Q III and Q IV. However, for voltage-based cyber-attacks, the trajectories move into the positive V d -axis covering Q I and Q II validating the proposed diagnosis mechanism. Finally, the proposed scheme was tested with noisy measurements having an SNR of around 30 dB. This test was performed with the addition of white Gaussian noise into V d and f signals. Regardless of the noise, it can be seen in Fig. 13 that the scheme performs well even under distorted data, as it can successfully diagnose between the cyber and physical anomalies. for modified IEEE 37-bus distribution system for W1 at DER A in Fig. 7. Fig. 9. Trajectories of voltage and frequency deviation at DER A for LLLG fault at B15 with different R f for modified IEEE 37-bus distribution system for W1 in Fig. 7. Fig. 10. Trajectories of voltage and frequency deviation at DER A with small variations in loading for the modified IEEE 37-bus distribution system for W1 in Fig. 7. Fig. 11. Trajectories of voltage and frequency deviation at DER A with large variations in loading for the modified IEEE 37-bus distribution system for W1 in Fig. 7.
To validate the practicality and rugged performance of the proposed method, experimental tests have been conducted according to the system in Fig. 1. The experimental setup is shown in Fig. 14. Two racks with three-phase 7-kW dc-ac converters are modeled as DER A and B. Finally, they are interconnected to each other through LC filters, circuit breakers, and transmission lines to a programmable PQ load. The key parameters are listed in the Appendix. Fig. 12. Trajectories of voltage and frequency deviation at DER A with V sec attack at DER A and LLLG fault between B11 and B33 for the modified IEEE 37-bus distribution system for W1 in Fig. 7. Fig. 13. Trajectories of voltage and frequency deviation at DER A with an SNR of 30 dB for the modified IEEE 37-bus distribution system for W1 in Fig. 7. It is worth notifying that the fault and cyber-attack disturbances in Fig. 15 were allowed to persist for a considerable time, such that the practicality can be understood easily. In RT conditions, the reaction time of relays/cybersecurity technologies and the sampling frequency of relay measurements will be faster. When the corresponding disturbance is initiated at t = 0.1 s, it can be seen in Fig. 15(a) that the voltage collapses to a small value following an attack. Similarly, the voltage of DER A collapses during a cyber-attack as per its magnitude in Fig. 15(b). As per the proposed strategy, the deviations in V d with respect to f of DER A are monitored in Fig. 15(c) to diagnose the anomalies. It should be noted that the proposed  trajectory monitor is run in parallel with the operation of DER A during the anomalies in Fig. 15(a) and (b). Based on the established anomaly diagnosis certificates, it duly matches the performance as per the results obtained in RT simulations with PQ loads in the system. Furthermore, as the decision is bypassed to the protection scheme for faults in Fig. 15(a), the circuit breaker A trips DER A out of the system. However, for the cyber-attack in Fig. 15(b), the decision is routed to the cyber-attack mitigation scheme [16], which allows the system to restore its operation to the normal voltage levels.
A comparative assessment of the proposed noninvasive cyber-physical anomaly diagnosis mechanism (CP-ADM) for IBRs is carried out in Table V as opposed to the existing schemes [14], [15], [16]. It is evident from Table V that the proposed scheme has the potential of becoming a commercial solution as it allows a noninvasive approach to detect and distinguish between cyber and physical anomalies within 5 ms without enforcing a high computational burden and additional resources for its design. Its capability of diagnosis within 5 ms also provides a qualitative advantage for the deployment into the existing infrastructures. Moreover, to realize its feasibility of operation in an industrial environment with noisy measurements, the proposed scheme also offers resiliency against such distorted measurements.

VI. CONCLUSION AND FUTURE SCOPE OF WORK
In this work, a noninvasive CP-ADM based on physicsinformed empirical laws has been proposed. It successfully distinguishes between various cyber and physical anomalies in a cyber-physical power electronic system. The proposed technique uses a sample-based trajectory, wherein for each cyber and physical anomaly, different identification regions have been formulated. This approach has an edge over the existing techniques as it distinguishes anomalies within 5 ms using local measurements at a sampling frequency of 1 kHz.
To our best knowledge, this is the fastest diagnosis time that has been reported to address this problem. Its testing has been carried out under various cyber-physical anomalies occurring on individual/multiple DERs simultaneously. The experiments have been carried out on an RT digital simulator OPAL-RT with HYPERSIM for customized two benchmark systems: CIGRE LV benchmark system and IEEE 37-bus distribution system and an experimental prototype of a two-bus system. Its capability of diagnosis within 5 ms also provides a qualitative advantage for the deployment into the existing infrastructures.
As a future scope of work, we aim to calibrate this algorithm into any system with nonlinear loads, which can provide a generalized trajectory region to distinguish between the considered cyber-physical anomalies.
APPENDIX Two three-phase grid-tied converters (DER A and B) of 7.5 kVA are connected to the programmable PQ load via interfacing LC filters, filters A and B. It should be noted that all the control parameters are consistent for both converters.