1 Introduction

Secure electric power supply is facing great threats nowadays. Authorities and policy makers express their concerns and establish preventive measures in recent years. In 2014, the North American Energy Reliability Corporation staged a simulated attack on the power system to address the potential threats before they become reality [1]. In the same year, the ranking member of the U.S. House Committee on Energy and Commerce flagged the grid as “not adequately protected” from either cyber or physical attacks at a hearing [2]. In 2015, a group of eight US transmission operators established warehouses to speed up their response to major physical attacks [3]. Likewise, US Department of Energy also released a report detailing how Western Area Power Administration “had not always established adequate physical security measures and practices for its critical assets” [4]. Such concerns and actions were motivated by frequent occurrences of attacks in recent years. For instance, in 2005, the power delivery to 2 million customers was interrupted by malicious explosion occurred at a substation in Moscow [1]. Another example is that 17 transformers in Metcalf substation were damaged maliciously causing 15 million dollars loss [5]. Cyber-attacks on Ukraine power system occurred in 2015 and caused power interruption to 225000 customers [6].

To prevent excessive unserved customers under malicious attacks, exploring adequate backup energy sources is one of the key issues. In December 2017, a Tesla battery energy storage system (BESS) raced to save the Australia grid from coal plant crash by injecting megawatts of power in milliseconds [7]. This event reveals the advantage of BESS on supporting power system under contingencies by providing backup power supply. In recent years, several utility-scale batteries were installed in electric power systems. Until 2017, about 722 MW batteries have been installed on the U.S. electric grid [8]. China plans to put 120 GWh of BESS capacity into the power market by 2021 [9]. Some other advantages of batteries, including peak shaving [10], smoothing renewable generation [11], deferring infrastructure expansion [12], and profit maximization [13], have been investigated extensively in the existing literature. However, the advantage of BESS on enhancing power system robustness against attacks has not been properly addressed yet. Therefore, this paper aims to fill this gap by proposing a BESS sizing model for islanded microgrids to limit load shedding when energy sources are attacked.

To investigate the negative effects of attacks on power systems, many studies were conducted on the vulnerability analysis of power systems based on robust programming. Bilevel optimization is used to obtain the worst-case attack strategy that leads to the highest amount of load shedding under certain attack budget. Bilevel optimization model was earlier employed in [14, 15] to identify the most vulnerable components in power systems and find the unserved energy in the worst-case physical configuration. A bilevel optimization model was used in [16] to explore the power system vulnerability under redistribution attacks. Moreover, the effects of coordinated attacks, incorporating both physical and cyber-attacks, on the power system network were discussed [17]. Recognizing the extent of severe damage caused by malicious attacks on power systems, a number of publications have proposed power system defending models to hedge against deliberate attacks. Reference [18] evaluated various defending strategies for power networks against antagonistic attacks. A comprehensive game framework was proposed to explore the reliable defending strategies on power systems against attacks [19]. Tri-level optimization models were used in [20, 21] to determine optimal defending strategy which minimizes load shedding under attacks in the worst-case scenario. The uncertainty of offensive resources in the tri-level optimization model was formulated by a probability distribution function in [22] when determining the optimal defending strategy. Apart from defending strategy, power system planning for minimizing effects of attacks was also investigated. For instance, transmission lines intentional attacks were considered when deciding transmission expansion strategy using stochastic programming approach [23]. A five-level MILP model was proposed for transmission network planning considering transmission lines outages [24].

Few papers have studied the BESS for enhancement of the power system robustness against attacks. For instance, attacks on shipboard power systems were considered when optimizing energy storage sizing and siting [25]. However, it does not accurately model the post-attack scenario. Besides, the aforementioned literatures consider just one specific time-period of operation, which limits the scope of applications in real power systems. By contrast, this paper specifically takes multi-time operation into account.

This paper models a game among four players: planner, operator during normal operation, attacker, and the operator during restoration. For the planner, the investment on the BESS is justified by the reduced load shedding under worst-case attacks on energy sources that can be restrained below a threshold. The worst-case scenario here refers to highest amount of load shedding under attack. Therefore, the planner is seeking to reach this goal by deploying minimum capacity of BESS. The objective of operator during normal operation is simply minimizing operation cost by applying economic dispatch (ED) model. The objectives of attacker and operator during restoration are maximizing and minimizing load shedding during restoration, respectively. Objectives of planner and operator during normal operation are not related to the objectives of attacker and operator during restoration. Thus, using multi-level optimization to model described situation is infeasible. Therefore, an iterative algorithm is proposed. Further, we improve the conventional ED formulation into a robustness-oriented ED formulation and demonstrate its merits on enhancing microgrid robustness against attacking energy sources.

The contributions of this paper are mainly three-fold.

  1. 1)

    A new mathematical model is proposed to simulate the interactions among different players, namely the BESS planner, system operator, and attacker. In addition, this paper analyzes the storage sizing requirements under various AT cases in the multi-time-period operation, which is rarely addressed in existing attack-defend models.

  2. 2)

    Regarding solution technique, an iterative algorithm is proposed which can find the near-optimal solution for this problem.

  3. 3)

    This paper compared the basic ED model and proposed robustness-oriented ED model. The test cases demonstrate that when the proposed ED model is applied, the required BESS capacity is reduced, at the cost of higher operation cost.

The remainder of paper is organized as follows. Section 2 gives potential attack scenarios on power systems and its basic assumptions are given. Section 3 presents the problem formulation and the solution algorithm. Basic ED model, robustness-oriented ED model and bi-level AD model are shown. The proposed iterative solution algorithm is introduced as well. Section 4 analyzes a case study based on a remote microgrid system in Kasabonika Lake, Canada. Finally, Section 5 draws the conclusion.

2 Power system attacks and assumptions

The modern power system can be characterized as a complicated cyber-physical human-in-the-loop system [17]. The physical part, cyber part, and human part are all critical for secure power delivery to loads. The failure of any part could cause major negative consequences.

As a critical component in an islanded microgrid system, energy sources are targeted by war attackers, terrorists, and sabotage activities. Reference [17] summarizes potential physical, cyber, and human attacks, which can disable the energy sources. The proposed model deals with the situation after disabling energy sources, and the specific cause will not be explicated for the remainder of paper.

We assume that attackers can simultaneously attack multiple energy sources at any time in the 24-h horizon. In addition, when attacked energy sources are repaired, the system is assumed to return back to normal operation, thus no load shedding. The timeline is illustrated in Fig. 1. In addition, the proposed model aims to deal with attacks which would cause energy sources outages for several hours. The restoration durations used in the model can be adjusted according to specific applications. Attack strategies presented in [17] might be addressed by the proposed model. For instance, when the energy sources are tripped due to the cyber-attack on supervisory control and data acquisition (SCADA), once data manipulation is identified, energy sources are reconnected. Another example is that when the lines interconnecting the energy sources are short-circuited due to grounding or insulator damage, following the completion of repair by lineman crew on the attacked lines, disconnected energy sources return to work.

Fig. 1
figure 1

Timeline of system status throughout 24 h

Full size image

3 Problem formulation and solution techniques

The BESS sizing decisions strongly influence the microgrid dispatch outcomes. In other words, system operation will be different under different sizes of BESS. These conditions lead to various levels of system robustness against attacks. To evaluate the influence of BESS sizing on energy resources attacks and system operations, and to obtain the minimum BESS size to meet the requirement, the proposed framework incorporates two parts, an ED model and an AD model. The problem is solved iteratively by interfacing these two models.

3.1 ED model

The ED is used for centralized energy management during normal operation. The objective is to minimize the operation costs subject to physical constraints as shown from (1) to (10).

$$\mathop {\hbox{min} }\limits_{{p_{i,t} ,p_{t}^{\text{db}} ,p_{t}^{\text{cb}} ,L_{t}^{\text{sh}} ,C_{t}^{\text{B}} }} \;\sum\limits_{t = 1}^{T} {\sum\limits_{i = 1}^{I} {F_{i}^{\text{C}}\cdot li[f(p_{i,t} )]} + \sum\limits_{t = 1}^{T} {V^{\text{oll}} L_{t}^{\text{sh}} } }$$
(1)
$$\begin{array}{lll} {\text{s}} . {\text{t}}. \\ \hfill \sum\limits_{i = 1}^{I} {p_{i,t} + \left( {p_{t}^{\text{db}} \eta^{\text{b}} - \frac{{p_{t}^{\text{cb}} }}{{\eta^{\text{b}} }}} \right)} + P_{t}^{\text{s}} + P_{t}^{\text{w}} = p_{t}^{\text{l}} - L_{t}^{\text{sh}} \\ \qquad\qquad\qquad\qquad\qquad\qquad\qquad\forall t \in T \hfill \\ \end{array}$$
(2)
$$P_{i}^{\text{min} } \le p_{i,t} \le P_{i}^{\text{max} }\quad \forall t \in T,\;\forall i \in I$$
(3)
$$p_{i,t + 1} - p_{i,t} \le R_{i}^{{{\text{U,max}} }} \quad \forall t \in T,\;\forall i \in I$$
(4)
$$p_{i,t} - p_{i,t + 1} \le R_{i}^{\text{D,max}} \quad \forall t \in T,\;\forall i \in I$$
(5)
$$S^{\text{n,min}} E^{{{\text{B,max}} }} \le C_{t}^{\text{B}} \le S^{\text{n,max}} E^{{{\text{B,max}} }} \quad \forall t \in T$$
(6)
$$0 \le p_{t}^{\text{cb}} \le P^{\text{B,max}}\quad \forall t \in T$$
(7)
$$0 \le p_{t}^{{\rm db}} \le P^{\text{B,max}} \quad \forall t \in T$$
(8)
$$C_{t24}^{{\rm B}} = C_{t1}^{{\rm B}}$$
(9)
$$C_{t + 1}^{\text{B}} = C_{t}^{\text{B}} + \left( {p_{t + 1}^{\text{cb}} - p_{t + 1}^{\text{db}} } \right)T^{\text{i}} \quad \forall t \in T$$
(10)

The microgrid operator aims to minimize the total fuel costs of diesel generators and loss-of-load penalty costs. The fuel cost of each diesel generator f(pi,t) is obtained as product of marginal fuel cost \(F_{i}^{\text{C}}\) and input power pi,t. The efficiency curve of diesel generators which is used to derive the relation between the input power and output power is presented in [26]. To linearize operation cost functions, piecewise linearization technique is applied [27]. The presence of BESS provides bidirectional, controllable power into the system, which regulates the operation of diesel generators. As a result, the fuel cost reduction is expected [28]. The priority of ED model is to secure energy supply to loads, so the value of lost-loads Voll is set to be sufficiently high. Equation (2) implies the system power balance equation, indicating that power generated should be equal to power consumption. In specific, the generated power is obtained by summing the power outputs of diesel generators pi,t, discharging power of BESS \(p_{t}^{\text{db}}\), and power generations of the photovoltaic (PV) panel \(P_{t}^{\text{s}}\) and the wind turbine \(P_{t}^{\text{w}}\). The power consumptions are composed by load demand \(p_{t}^{\text{l}}\) and charging power of BESS \(p_{t}^{\text{cb}}\). Constraint (3) imposes the upper bound P max i and the lower bound P min i of output powers of diesel generators. Constraints (4) and (5) represent the ramping up \(R_{i}^{\text{U,max}}\) and ramping down \(R_{i}^{\text{D,max}}\) limits of the diesel generators. Constraint (6) imposes the upper bound \(E^{{{\text{B}},{ \text{max}}}} S^{{{\text{n}},{ \text{max} }}}\) and the lower bound \(E^{{{\text{B}},{ \text{max} }}} S^{{{\text{n}},{ \text{min} }}}\) of stored energy of the BESS \(C_{t}^{\text{B}}\). Constraints (7) and (8) enforce the BESS charging and discharging power constraints. Constraint (9) indicates that stored energy in BESS at the end of the operation horizon should return to the level at the beginning of the day to reach an energy neutral position. Energy balance equation of the BESS is formulated in (10). In the equations, li(·) is piecewise linearization function; ηb is efficiency of the battery; PB,max is power rating of the battery and Ti is time interval.

3.2 Robustness-oriented ED model

In the ED model presented above, the objective function only aims to reduce the fuel cost and loss-of-load penalty. This section introduces an enhanced operation strategy to improve the system robustness against energy deficiency due to energy sources attacks.

Not only reducing fuel cost and loss-of-load cost, increasing the stored energy in BESS to hedge against attack is also included in the objective function. Equation (11) shows the objective function of the proposed model where the coefficient w is the weighting factor for increasing stored energy in BESS. Higher value of w indicates higher weight imposed on robustness enhancement. This coefficient indicates trade-offs between economic benefits and robustness.

Besides, to improve ability of intact energy sources to save loads, each dispatchable energy source cannot be restrained by ramping up limit during restoration process. Constraint (12) ensures output power of diesel generators will not be limited by ramping limits. The proposed model is formulated as:

$$\mathop {\hbox{min} }\limits_{{p_{i,t} ,p_{t}^{\text{db}} ,p_{t}^{\text{cb}} ,L_{t}^{\text{sh}} ,C_{t}^{\text{B}} }} \sum\limits_{t = 1}^{T} {\sum\limits_{i = 1}^{I} {F_{i}^{\text{C}}\cdot li[f(p_{i,t} )]} } - w\sum\limits_{t = 1}^{T} {C_{t}^{\text{B}} } + \,\sum\limits_{t = 1}^{T} {V^{\text{oll}} L_{t}^{\text{sh}} }$$
(11)
$$\begin{aligned} & {\text{s}} . {\text{t}} .\hfill \\ & p_{i,t} \ge P_{i}^{\text{max} } - R_{i}^{\text{U,max}} \hfill \\& (2){-}(10) \hfill \\ \end{aligned}$$
(12)

To demonstrate the proposed robustness-oriented operation strategy, it will replace the basic ED model in the solution algorithm proposed in the following for comparison.

3.3 Attacker-defender (AD) model

To derive the worst-case of energy sources attacks in terms of caused load shedding, this paper uses the AD model. The attacker intends to maximize the load curtailment \(L_{t}^{\text{sh}}\) by simultaneously and strategically disabling energy sources within the attack budget. During restoration process, the operator re-dispatch the system to save more loads. Figure 2 illustrates AD model which is formulated from (13) to (27).

Fig. 2
figure 2

Diagram of AD model

Full size image
$$\mathop {\hbox{max} }\limits_{{x_{i} ,y,z}} \;\sum\limits_{{t = A^{\text{T}} }}^{{A^{\text{T}} + A^{\text{DC}} - 1}} {L_{t}^{\text{shc}} }$$
(13)
$$\begin{aligned} {\text{s}} . {\text{t}}. \;\;\;\;\sum\limits_{i = 1}^{I} {x_{i} + y + z \le d^{\text{e,max}} } \\ \end{aligned}$$
(14)
$$\;\;(x_{i} ,y,z) \in \{ 0,1\}$$
(15)
$$\mathop {\hbox{min} }\limits_{{p_{i,t}^{\text{c}} ,p_{t}^{\text{dbc}} ,p_{t}^{\text{cbc}} ,L_{t}^{\text{shc}} ,C_{t}^{\text{Bc}} }} \;\sum\limits_{{t = A^{\text{T}} }}^{{A^{\text{T}} + A^{\text{DC}} - 1}} {L_{t}^{\text{shc}} }$$
(16)
$$\begin{aligned} {\text{s}} . {\text{t}} . \;\;\;\;&\sum\limits_{i = 1}^{I} {p_{i,t}^{\text{c}} } + \left( {p_{t}^{\text{dbc}} \eta^{\text{b}} + \frac{{p_{t}^{\text{cbc}} }}{{\eta^{\text{b}} }}} \right) + P_{i}^{\text{s}} (1 - y) + \\ \qquad \qquad \qquad & \quad P_{i}^{\text{w}} (1 - z) = p_{t}^{\text{l}} - L_{t}^{\text{shc}} \\ &\qquad\qquad\quad\quad \forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1),(\partial_{t} ) \\ \end{aligned}$$
(17)
$$\begin{aligned} & S^{\text{c,min}} E^{\text{B,max}} \le C_{{_{t} }}^{\text{Bc}} \le S^{\text{c,max}} E^{\text{B,max}} \\ & \;\;\;\;\forall t \in \left( {A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1} \right),\left( {\beta_{t}^{\text{max} } ,\beta_{t}^{\text{min} } } \right) \\ \end{aligned}$$
(18)
$$\begin{aligned} & C_{{_{t + 1} }}^{\text{Bc}} = C_{t}^{\text{Bc}} + \left( {p_{{_{t + 1} }}^{\text{cbc}} - p_{{_{t + 1} }}^{\text{dbc}} } \right)T^{\text{i}} \\ & \;\;\;\;\forall t \in \left( {A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 2} \right),(\delta_{t}) \\ \end{aligned}$$
(19)
$$C_{AT - 1}^{\text{Bc}} = C_{AT - 1}^{\text{B}} ,\;(\varepsilon_{t})$$
(20)
$$p_{i,AT - 1}^{\text{c}} = p_{i,AT - 1} ,\; (\pi_{i,t})$$
(21)
$$\begin{aligned} & 0 \le p_{t}^{\text{cbc}} \le P^{\text{B,max}}\quad\quad\quad\quad\forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1), \\ & \;\;\;\;(\theta_{t}^{\text{max} } ,\theta_{t}^{\text{min} } ) \\ \end{aligned}$$
(22)
$$\begin{aligned} & 0 \le p_{t}^{\text{dbc}} \le P^{\text{B,max}} \quad\quad\quad\quad\forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1), \\ & \;\;\;\;(\mu_{t}^{\text{max} } ,\mu_{t}^{\text{min} } ) \\ \end{aligned}$$
(23)
$$\begin{aligned} & P_{i}^{\text{min} } (1 - x_{i} ) \le p_{i,t}^{\text{c}} \le P_{i}^{\text{max} } (1 - x_{i} ) \\ & \;\;\;\;\forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1),\;\forall i \in I,(\zeta_{i,t}^{\text{max} } ,\zeta_{i,t}^{\text{min} } ) \\ \end{aligned}$$
(24)
$$\begin{aligned} & p_{{_{i,t + 1} }}^{\text{c}} - p_{{_{i,t} }}^{\text{c}} \le R_{i}^{\text{U,max}} + x_{i} \overline{N} \\ & \quad \forall t \in (A^{\text{T}} - 1,A^{\text{T}} + A^{\text{DC}} - 2),\;\forall i \in I,(\tau_{i,t}^{\text{max} }) \\ \end{aligned}$$
(25)
$$\begin{aligned} & p_{{_{i,t} }}^{\text{c}} - p_{{_{i,t + 1} }}^{\text{c}} \le R_{i}^{\text{D,max}} + x_{i} \overline{N} \\ & \;\;\;\;\forall t \in (A^{\text{T}} - 1,A^{\text{T}} + A^{\text{DC}} - 2),\;\forall i \in I,(\tau_{i,t}^{\text{min} }) \\ \end{aligned}$$
(26)
$$0 \le L_{t}^{\text{shc}} \le p^l_{t} \quad \forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1),(\lambda_{t})$$
(27)

In the equations above, AT is the attack time; ADC is duration of restoration process; \(\beta_{t}^{\text{max}}\) and \(\beta_{t}^{\text{min}}\) are maximum and minimum stored energy of battery constraint at time t; \(\partial_{t}\) is power balance constraint at time t during restoration; \(\delta_{t}\) is energy balance equation of battery at time t during restoration; \(\varepsilon_{t}\) is initial stored energy of battery at time t during restoration; πi,t is initial power output of diesel generator i at time t during restoration; \(\theta_{t}^{\text{max}}\) and \(\theta_{t}^{\text{min}}\) are the maximum and minimum charging power of battery constraint at time t during restoration; \(\mu_{t}^{\text{max}}\) and \(\mu_{t}^{\text{min}}\) are the maximum and minimum discharging power of battery constraint at time t during restoration; \(\zeta_{i,\,t}^{\text{max}}\) and \(\zeta_{i,\,t}^{\text{min}}\) are maximum/minimum output power of diesel generator i at time t during restoration; \(\tau_{i,\,t}^{\text{max}}\) and \(\tau_{i,\,t}^{\text{min}}\) are ramping up and down limit of diesel generator i at time t during restoration; λt is load shedding constraint at time t during restoration; \(\overline{N}\) is a sufficient large number; \(p^l_{t}\) is demand level at time t. AD model is formulated with bilevel programming to model the interactions of an attacker and the operator during the restoration process. Upper level stands from the perspective of attacker to maximize load curtailment during the restoration process after the attack, as shown in (13). Constraint (14) enforces limits on maximum number de,max of simultaneously attacked energy sources. The attack statuses of diesel generators xi, photovoltaic generation y and wind turbine z are binary as shown in (15), where 1 means the energy source is disabled and 0 means the energy source is well-functioning. At lower level, the actions of operator are modeled to minimize load shedding during restoration \(L_{t}^{\text{shc}}\) as shown in (16). Constraint (17) represents the power balance of the system during restoration. In specific, the generated power during restoration is obtained by summing the power outputs of diesel generators \(p_{i,t}^{\text{c}}\), discharging power of BESS \(p_{t}^{\text{dbc}}\), and power generations of the PV panel \(P_{t}^{\text{s}} ( 1- y)\) and the wind turbine \(P_{t}^{\text{w}} ( 1- z)\) during restoration. The power consumptions are obtained by adding load demand, and charging power of BESS \(p_{t}^{\text{cbc}}\). Constraint (18) denotes limits on stored energy of BESS during restoration \(C_{t}^{\text{Bc}}\). It is worth mentioning that minimal state-of-charge (SoC) Sc,min of battery is lower during restoration process since the priority is to recover more loads. Energy balance equation of BESS during restoration process is indicated in (19). Constraints (20) and (21) show initial values of output power of diesel generators and stored energy in the battery for restoration process which are passed from the ED model. Constraints (22) and (23) enforce limits on charging and discharging power of BESS during restoration. Output power, ramping up and ramping down constraints of diesel generators during restoration are shown in (24), (25) and (26), which depend on the decision of the attacker. When the energy source is attacked, corresponding output power is enforced to zero and ramping limits no longer hold. Load shedding cannot be higher than the demand level during restoration period as shown in (27).

The link between AD model and ED model can be observed in constraints (20) and (21). Specifically, the output of diesel generators and stored energy in battery at the hour before the attack are determined by ED model which will affect the load shedding during restoration. Constraints (17), (24), (25) and (26) reveal the links between lower-level problem and upper-level problem of AD model. Attack strategies are known for the operator, thus they are constants in the lower-level problem. Therefore, the lower-level problem is a linear programming (LP).

To solve this bilevel problem, strong duality theorem or Karush-Kuhn-Tucker (KKT) optimality conditions [29] are applied to recast it into a single-level equivalent. Equations (28) to (48) present the AD model after reformulation in which the lower-level problem is replaced by its primal constraints, dual constraints, and complementarity conditions:

$$\mathop {\hbox{max} }\limits_{{x_{i} ,y,z,p_{i,t}^{\text{c}} ,p_{t}^{\text{dbc}} ,p_{t}^{\text{cbc}} ,L_{t}^{\text{shc}} ,C_{{_{t} }}^{\text{Bc}} ,D}} \;\sum\limits_{{t = A^{\text{T}} }}^{{A^{\text{T}} + A^{\text{DC}} - 1}} {L_{t}^{\text{shc}} }$$
(28)

s.t. (1415), (17)–(27)

$$\beta_{t}^{\text{max} } - \beta_{t}^{\text{min} } - \delta_{t} + \delta_{t - 1} = 0\quad \forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 2)$$
(29)
$$\beta_{{A^{\text{T}} - 1}}^{\text{max} } - \beta_{{A^{\text{T}} - 1}}^{\text{min} } - \delta_{{A^{\text{T}} - 1}} + \varepsilon_{{A^{\text{T}} - 1}} = 0 $$
(30)
$$\beta_{{A^{\text{T}} + A^{\text{DC}} - 1}}^{\text{max} } - \beta_{{A^{\text{T}} + A^{\text{DC}} - 1}}^{\text{min} } + \delta_{{A^{\text{T}} + A^{\text{DC}} - 2}} = 0$$
(31)
$$\begin{aligned} & \partial_{t} + \zeta_{i,t}^{\text{max} } - \zeta_{i,t}^{\text{min} } + \tau_{i,t - 1}^{\text{max} } - \tau_{i,t}^{\text{max} } + \tau_{i,t}^{\text{min} } - \tau_{i,t - 1}^{\text{min} } = 0 \\ & \;\;\;\;\forall t \in (A^{\text{T}} + A^{\text{DC}} - 2),\;\forall i \in I \\ \end{aligned}$$
(32)
$$\partial_{{A^{\text{T}} - 1}} - \tau_{{i,A^{\text{T}} - 1}}^{\text{max} } + \tau_{{i,A^{\text{T}} - 1}}^{\text{min} } + \pi_{{i,A^{\text{T}} - 1}} = 0\quad \forall i \in I$$
(33)
$$\begin{aligned} & \partial_{{A^{\text{T}} + A^{\text{DC}} - 1}} + \zeta_{{i,A^{\text{T}} + A^{\text{DC}} - 1}}^{\text{max} } - \zeta_{{i,A^{\text{T}} + A^{\text{DC}} - 1}}^{\text{min} } + \tau_{{i,A^{\text{T}} + A^{\text{DC}} - 2}}^{\text{max} } \\ & - \tau_{{i,A^{\text{T}} + A^{\text{DC}} - 2}}^{\text{min} } = 0\quad \forall i \in I \\ \end{aligned}$$
(34)
$$\begin{aligned} & \partial_{t} \eta^{\text{b}} + T^{\text{i}} \delta_{t - 1} + \mu_{t}^{\text{max} } - \mu_{t}^{\text{min} } = 0 \\ & \;\;\;\;\forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1),\;\forall i \in I \\ \end{aligned}$$
(35)
$$\begin{aligned} & \frac{{ - \partial_{t} }}{{\eta^{\text{b}} }} - T^{\text{i}} \delta_{t - 1} + \theta_{t}^{\text{max} } - \theta_{t}^{\text{min} } = 0 \\ & \;\;\;\;\forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1),\;\forall i \in I \\ \end{aligned}$$
(36)
$$1 + \partial_{t} + \lambda_{t} = 0\;\;\;\;\forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1)$$
(37)
$$\begin{aligned} & 0 \le \beta_{t}^{\text{max} } \bot E^{\text{B,max}} - C_{{_{t} }}^{{^{\text{Bc}} }} \ge 0 \\ & \;\;\;\;\forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1) \\ \end{aligned}$$
(38)
$$\begin{aligned} & 0 \le \beta_{t}^{\text{min} } \bot C_{t}^{\text{Bc}} - E^{\text{B,max}} \ge 0 \\ & \;\;\;\;\forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1) \\ \end{aligned}$$
(39)
$$\begin{aligned} & 0 \le \theta_{t}^{\text{max} } \bot P^{\text{B,max}} - p_{t}^{\text{cbc}} \ge 0 \\ & \;\;\;\;\forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1) \\ \end{aligned}$$
(40)
$$0 \le \theta_{t}^{\text{min} } \bot p_{t}^{\text{cbc}} \ge 0\;\;\;\;\forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1)$$
(41)
$$0 \le \mu_{t}^{\text{max} } \bot P^{\text{B,max}} - p_{t}^{\text{dbc}} \ge 0\;\;\;\;\forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1)$$
(42)
$$0 \le \mu_{t}^{\text{min} } \bot p_{t}^{\text{dbc}} \ge 0\;\;\;\;\forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1)$$
(43)
$$\begin{aligned} & 0 \le \xi_{i,t}^{\text{max} } \bot P_{i}^{\text{max} } (1 - x_{i} ) - p_{i,t}^{\text{c}} \ge 0 \\ & \;\;\;\;\forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1) \\ \end{aligned}$$
(44)
$$\begin{aligned} & 0 \le \tau_{i,t}^{\text{max} } \bot R_{i}^{\text{U,max}} + x_{i} \bar{N} - (p_{i,t + 1}^{\text{c}} - p_{i,t}^{\text{c}} ) \ge 0 \\ & \;\;\;\;\forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 2),\;\forall i \in I \\ \end{aligned}$$
(45)
$$\begin{aligned} & 0 \le \zeta_{i,t}^{\text{min} } \bot p_{{_{i,t} }}^{\text{c}} - P_{i}^{\text{min} } (1 - x_{i} ) \ge 0 \\ & \;\;\;\;\forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1) \\ \end{aligned}$$
(46)
$$\begin{aligned} & 0 \le \tau_{i,t}^{\text{min} } \bot R_{i}^{\text{D,max}} + x_{i} \bar{N} - (p_{{_{i,t} }}^{\text{c}} - p_{{_{i,t + 1} }}^{\text{c}} ) \ge 0 \\ & \;\;\;\;\forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 2),\;\forall i \in I \\ \end{aligned}$$
(47)
$$\begin{aligned} & 0 \le \lambda_{t} \bot p_{t}^{\text{l}} - L_{t}^{\text{shc}} \ge 0 \\ & \;\;\;\;\forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1) \\ \end{aligned}$$
(48)
$$0 \le E^{\text{B,max}} - C_{t}^{\text{B}} \le u\bar{N}\;\;\;\;\forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1)$$
(49)
$$0 \le \beta_{t}^{\text{max} } \le (1 - u)\bar{N}\;\;\;\;\forall t \in (A^{\text{T}} ,A^{\text{T}} + A^{\text{DC}} - 1)$$
(50)

Constraints (29)–(37) are dual constraints and complementarity conditions are shown from (38) to (48). The linearization method of the complementarity constraint (38) is shown in (49) and (50) where u is a dummy variable. The linearization method for other complementarity conditions are similar.

Thus, the AD model is merged to a single-level mixed-integer linear programming (MILP) after linearization. Using commercial solvers such as CPLEX, the global optimal solution can be obtained.

3.4 Solution algorithm

The proposed algorithm deliberately size BESS to limit the load curtailment below a threshold when there are attacks on energy sources. To formulate the actions from the planner, operator and attacker, tri-level model has been applied in the existing literature, such as [20]. In these models, the objective functions of the planner and the operator are interconnected. For instance, in [20], minimizing load shedding is the common objective for both planner and operator. However, in the situation of this paper, players are not sharing the objectives. To find the minimal capacity of BESS to meet the requirement, this paper developed an iterative algorithm containing both ED and AD models.

Step 1: Initialization: set EB,max = PB,max = 0.

Step 2: Run ED model with current EB,max and PB,max.

Step 3: Run AD model with current EB,max, PB,max, and obtained values of \(C_{\text{t}}^{\text{B}}\), Pt from the ED model.

Step 4: Check if the requirement is met. If the requirement is met, the algorithm will stop. Otherwise, go to Step 5.

Step 5: Update EB,max and PB,max, then go to Step 2.

Figure 3 illustrates the proposed algorithm. BESS planners choose attack times (ATs) based on the specific conditions to avoid over-conservative solutions. In Fig. 3, PEr is power-to-energy ratio of the battery, and r is resolution.

Fig. 3
figure 3

Illustration of iteration process

Full size image

4 Case studies

The proposed BESS sizing strategy will be applied in a remote microgrid in Kasabonika Lake, Canada [30], as shown in Fig. 4. In the studied case, power-to-energy ratio PEr of the battery is assumed to be 2 which approximates the U.S. storage installation in the third quarter of 2015 [31]. Resolution r is set to 1 kWh, and initial SoC, maximum SoC, minimum SoC at normal hours and restoration are set to 0.9, 0.95, 0.2, and 0.1, respectively. The charging/discharging efficiency of BESS is 88% [32]. It assumes that the price of battery is $227/kWh and $150/kW [33]. The model is implemented in general algebraic modeling system (GAMS) using a laptop with an Intel Core i7 CPU and 16 GB RAM. IBM CPLEX is selected as the solver. In numerical studies, we will first analyze microgrid vulnerability under energy sources attack. After that, the obtained results on battery sizing using the basic ED model and robust-oriented ED model are compared, assuming w = 0.05. Finally, effects of the value of w, and constraint (12) on model performance will be evaluated. The heaviest net demand day is chosen to ensure the sizing is adequate for other less loaded conditions.

Fig. 4
figure 4

An islanded microgrid system diagram in Kasabonika Lake, Canada

Full size image

4.1 System description

Figure 4 depicts the system diagram for the studied case. The islanded microgrid system is based on a remote microgrid system in Kasabonika Lake, Canada. There are five energy sources, three diesel generators, one PV generation and one wind turbine. For the selected operation condition, Fig. 5 shows the 24-hour load profile and net demand. Meanwhile, output power from renewable energy resources are shown in Fig. 6 [34]. For the selected operating condition, the heaviest net demand day is chosen to ensure that the sizing is adequate for other less loaded conditions. Therefore, if the designed BESS capacity can meet the load shedding requirement of this particular operation condition, load shedding under attacks for other operation conditions would also get limited below the threshold. Table 1 listed parameters of diesel generators.

Fig. 5
figure 5

Load profile and net demand of the system

Full size image
Fig. 6
figure 6

Output power from renewable energy resources

Full size image
Table 1 Data of diesel generators
Full size table

4.2 Vulnerability analysis of microgrid under energy sources attacks

Before investigating effects of integrating BESS on limiting load curtailment, it is necessary to find out the attack strategy which leads to maximum load curtailment under different ATs.

Assume that 3 energy sources will be disabled. Using the AD model, the attacked energy sources in the worst case under different ATs are tabulated in Table 2. The results show that attack strategies are different with different attack starting times. For instance, when restoration process lasts for 1 h, attack strategies are not the same when attack begins at 05:00 or 06:00. Besides, when attack occurs at 05:00, the attack strategies are also different with durations of 1 h and 2 hours. This is due to the varying production level of renewable power.

Table 2 Attack plans under different ATs
Full size table

In terms of energy sources, Generator I1 is most frequently attacked since its capacity is the highest. On the other side, whether attack will be launched on renewables is time-dependent due to the renewable intermittency. For instance, if the attack occurs within 01:00 to 04:00, the wind turbine is attacked because the higher power production then causes a more severe system energy shortage. The PV generation is attacked if the attack starts from 13:00 to 17:00 for the same reason. Figure 7 depicts the load curtailment values at different ATs and restoration durations. It shows that if energy sources are attacked around the peak hours, more severe load shedding is expected. However, the worst case is not necessarily the peak load hour as restoration duration is also critical. Additionally, shorter restoration duration leads to less load shedding. Therefore, accelerating repair process will be helpful in reducing load shedding.

Fig. 7
figure 7

Load shedding caused by energy source failures under different attack starting times and durations

Full size image

4.3 BESS sizing using proposed model

This section will investigate obtained results of BESS capacity to limit load shedding. First, the obtained size of BESS to meet different requirements of maximum load curtailment Ls,max using basic ED model are discussed. As shown in Fig. 8, the required capacity of BESS installation is higher with harsher requirement, longer restoration duration, and more attacked energy sources de,max. Figure 9 depicts the required sizes of BESS with robustness-oriented ED model. The same conclusion can be drawn as Fig. 8. However, compared with Fig. 8, the required capacity of BESS is significantly reduced. This is because using the proposed robust ED model, abundant energy stored in BESS can save more loads when there is an energy deficiency. At the same time, the operation of intact diesel generators will not be restrained by ramping limits.

Fig. 8
figure 8

Battery capacity installed for different attack budgets, restoration durations and load shedding requirements

Full size image
Fig. 9
figure 9

Battery capacity installed for different attack budgets, restoration durations and load shedding requirements with robust-oriented ED model

Full size image

So far, the paper discussed required capacity of BESS when all the times are potential ATs. When the attacks on energy sources regularly occur, i.e. attack starting time is predictable, the sizing of BESS may change. Figure 10 shows the installed capacities of BESS for different ATs, and maximum load curtailment thresholds using two ED models assuming two energy sources are attacked for 2 h. The results show that BESS can be sized more strategically with the knowledge of ATs. In other words, required capacity of BESS is higher if the worst case, in terms of ATs, is considered. Additionally, using the proposed robust operation strategy, required capacity BESS is lower for all AT.

Fig. 10
figure 10

Battery capacity installed for different attack beginning times, load shedding requirements, and ED models

Full size image

Another observation is that the trend of required BESS capacity is more consistent with net demand if robustness-oriented ED model is applied. This is because SoC of the battery is always maintained at a high level and diesel generators can save loads at full capacity during the restoration process. Thus, the battery sizing mainly depends on net demand. However, using basic ED model, the operator is not considering potential energy deficiency due to energy sources attacks. Required size of BESS, therefore, is also related with the status of BESS and diesel generators, so net demand is not the only factor.

Previous simulations show that applying the proposed robust ED model reduces the required BESS capacities which saves investment and O&M costs of BESS. However, the operation cost during normal operation using robustness-oriented ED model is higher since fuel cost of diesel generators is higher without fully usage of BESS. When 1552 kWh BESS is installed, which is the required capacity for load curtailment for less than 600 kW when three energy sources are disabled for 2 hours, the SoC values during normal operation with different weight factors w are depicted in Fig. 11. If operation strategy imposes higher weight on robustness enhancement, more energy will be stored in BESS.

Fig. 11
figure 11

SOC through 24 hours using different w for stored energy in BESS

Full size image

However, more stored energy in BESS impair the advantage of BESS in reducing operation cost. Therefore, higher value of w leads to higher operation cost, as shown in Table 3. Additionally, the added constraint (12) will also influence the operation cost during normal operation. Table 3 reveals the increased cost by adding constraint (12). This is because with constraint (12), the diesel generator with higher marginal cost will produce more during normal operation time to ensure the operation of generators will not limited by ramping limits. Further, Table 4 tabulates the investment costs on BESS when Ls,max = 600 kW, de,max = 3 and ADC = 2 with various values of w. A larger size BESS is necessary to meet the requirements, if the system is more vulnerable to attacks. Thus, lower investment cost on BESS indicates that the system is more robust against energy deficiency caused by attacks. Table 4 shows that higher value of w leads to lower battery capacity. Therefore, we can conclude that higher weight on increasing stored energy of battery leads to higher robustness against energy deficiency due to attacks. This is because with more stored energy in BESS, its ability of supporting the microgrid under attack is enhanced, thus leads to higher robustness.

Table 3 Operation costs using different w
Full size table
Table 4 Investment costs using different w
Full size table

Based on results in Table 3 and Table 4, we can conclude that operation cost increases with higher value of w. However, robustness is enhanced with higher value of w which in turn reduces the investment cost on BESS. In addition, the influence of constraint (12) on investment cost of battery is revealed in Table 4. Lower investment cost on battery is observed with (12) which indicates higher robustness when the system is operated by the ED model with constraint (12).

Finally, the computation burden is analyzed. Table 5 lists total computation times and iteration numbers of different requirements and ED models where restoration duration is assumed to be 2 hours with 2 attacked energy sources. The computation times of all iterations are similar which are about 10 s, so the total computation effort mainly depends on the iteration number. Therefore, computation time for cases with lower required capacity of BESS is less.

Table 5 Computation time and iteration (iter) number for various requirements with ED models
Full size table

5 Conclusion

In this paper, an optimization model is proposed aiming at sizing BESS in an islanded microgrid to limit load shedding when several energy sources are attacked. A model is formulated to represent the game among four players without shared objective: planner, operator during normal operation period, attacker, and operator during restoration process. The model incorporates two parts: an ED model and an AD model. Besides, we propose a robustness-oriented ED model, which increases the stored energy in BESS and ensures diesel generators is capable of running at full capacity when there is energy insufficiency. The model lowers required BESS capacity investment at the expense of increased daily operation costs. AD model is a bilevel optimization problem whose upper level represents the actions of the attacker and lower level represents the behaviors of defender. The proposed algorithm applies AD model to determine the worst-case attacks.

By interfacing ED model and AD model iteratively, we obtain the minimum BESS capacity, which limits the load shedding below a certain threshold under the energy sources attacks. BESS planners can flexibly choose potential ATs to avoid an over-conservative solution. In addition, the impacts of ATs, restoration duration, weight for maintaining storage SoC and load shedding thresholds were also analyzed to demonstrate the advantages of the proposed model.