pith. machine review for the scientific record.

arxiv: 2605.14502 · v1 · submitted 2026-05-14 · eess.SY · cs.AI · cs.SY


Quantifying Cyber-Vulnerability in Power Electronics Systems via an Impedance-Based Attack Reachable Domain


Pith reviewed 2026-05-15 01:53 UTC · model grok-4.3

keywords: cyber-vulnerability, power electronics, impedance-based attack, attack reachable domain, stability margin, grid vulnerability, eigenvalue migration

The pith

An impedance-based Attack Reachable Domain quantifies how far limited-privilege attackers can drive power-electronics nodes past stability limits.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces an Attack Reachable Domain that traces the boundary of all destabilizing impedance changes an attacker can impose on a converter node given its available privileges. From this domain the authors derive an Attack Penetration Index that scores each node by how deeply the domain penetrates the nominal stability margin and how easily an attacker can reach the destabilizing region. A gray-box procedure lets the metric be computed from measured impedances and surrogate models when exact converter internals are unknown. Case studies on small and large test systems indicate that coordinated multi-layer impedance attacks reach instability farther and faster than any single-layer action, and that the new index identifies weak nodes that conventional short-circuit ratio measures miss.

Core claim

The Attack Reachable Domain is the set of all critical-eigenvalue locations reachable by admissible impedance-reshaping attacks; the Attack Penetration Index is the normalized distance from the nominal operating point to the closest point on the unstable boundary of that domain, thereby giving a scalar measure of node cyber-vulnerability.

What carries the argument

The Attack Reachable Domain (ARD), a region in the complex plane that collects all critical-eigenvalue migrations produced by feasible adversarial impedance reshaping operations within a privilege constraint.
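
A toy computation of the reachable-domain idea described above, added here as an illustration and not taken from the paper. The second-order loop model, the two attack layers and their gains, and the two scores (margin penetration and fraction of destabilizing actions) are all assumptions, since this page does not reproduce the paper's Eq. (7) or its index formula.

```python
import cmath
from itertools import product

# Constructed toy node: grid plus converter seen as a series R-L-C loop (per-unit-like values).
R_GRID, R_CONV, L_TOTAL, C_FILTER = 0.5, 0.5, 0.01, 0.001
# Assumed effect of each attack layer at full effort (action value 1.0).
DAMPING_LOSS = {"control": 0.7, "reference": 0.6}     # resistance removed from the loop
INDUCTANCE_GAIN = {"control": 0.0, "reference": 0.5}  # fractional rise in loop inductance
LAYERS = ("control", "reference")

def critical_eigenvalue(action):
    """Eigenvalue with the largest real part of s^2 + (R/L)s + 1/(LC) = 0 under `action`."""
    r = R_GRID + R_CONV - sum(DAMPING_LOSS[k] * action[k] for k in LAYERS)
    l = L_TOTAL * (1.0 + sum(INDUCTANCE_GAIN[k] * action[k] for k in LAYERS))
    half, disc = -r / (2 * l), cmath.sqrt((r / l) ** 2 - 4 / (l * C_FILTER)) / 2
    return max(half + disc, half - disc, key=lambda s: s.real)

def reachable_domain(privileges, steps=21):
    """Critical eigenvalues over a grid of actions in [0, 1] on the layers the attacker holds."""
    grid = [i / (steps - 1) for i in range(steps)]
    axes = [grid if k in privileges else [0.0] for k in LAYERS]
    return [critical_eigenvalue(dict(zip(LAYERS, a))) for a in product(*axes)]

def assess(privileges, tol=1e-9):
    """Return (penetration, accessibility) for one privilege set."""
    nominal = critical_eigenvalue(dict.fromkeys(LAYERS, 0.0)).real
    domain = reachable_domain(privileges)
    worst = max(s.real for s in domain)
    penetration = (worst - nominal) / abs(nominal)  # > 1: domain crosses the imaginary axis
    accessibility = sum(s.real > tol for s in domain) / len(domain)
    return penetration, accessibility

if __name__ == "__main__":
    for priv in (("control",), ("reference",), LAYERS):
        pen, acc = assess(priv)
        print(f"{'+'.join(priv):18s} penetration={pen:.3f} accessibility={acc:.3f}")
```

In this constructed case each single layer erodes the margin without crossing the imaginary axis, while the two layers together cross it, which is the pattern the case studies report for coordinated cross-layer actions.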

If this is right

  • Coordinated cross-layer impedance manipulations produce strictly larger Attack Penetration Indices than any isolated single-layer attack.
  • Nodes with high Attack Penetration Indices remain vulnerable even when conventional grid-strength metrics classify them as strong.
  • The gray-box workflow enables vulnerability ranking on real systems whose internal controller parameters are unknown.
  • The same ARD construction can be recomputed after each topology change or controller retuning to track time-varying cyber-vulnerability.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The metric could be recomputed periodically from online impedance measurements to produce a live vulnerability map for operators.
  • Because the ARD is defined in the eigenvalue plane, the same construction may transfer directly to other small-signal stability problems that admit impedance or admittance models.
  • An attacker who can observe the computed ARD could in principle choose the minimal-effort destabilizing action; defensive counter-measures would therefore need to limit either the observable domain or the feasible reshaping actions.

Load-bearing premise

Adversarial actions can be faithfully represented as impedance reshaping and the resulting critical-eigenvalue shift reliably signals instability.

What would settle it

A controlled hardware test in which an attacker applies a sequence of impedance changes predicted by the ARD to lie inside the unstable region yet the measured eigenvalues remain inside the stable half-plane, or vice versa.

Figures

Figures reproduced from arXiv: 2605.14502 by Hongwei Zhen, Mingyang Sun, Wuhua Li, Xin Xiang, Ze Yu.

Figure 1. Overview of the framework.
Figure 2. Single-line diagram of the 4-bus system and modified IEEE-39Bus
Figure 3. Calculated ARDs of the 4-bus system for the two dominant modes
Figure 5. Time-domain validation of bus-level vulnerability ranking when
Figure 4. Time-domain responses under the worst-case feasible attacks for (a)

Paper text captured alongside the Figure 1 caption (Section III, The Proposed Metric): Under gray-box conditions, neither the parameter-to-impedance mapping F_Z(·) nor the eigenvalue sensitivity g_λ is directly available. This section develops a practical pipeline for ARD and API evaluation and a boundary-probing method for efficient computation. A. Approximation of the Parameter to Impedance Mapping: The differentiable surrogate F̂_Z is first …
original abstract

Power electronics systems are increasingly exposed to cyber threats due to their integration with digital controllers and communication networks. However, an attacker-oriented metric is still lacking to quantify the extent to which a node can be pushed toward instability within a privilege-constrained action space. This letter proposes an impedance-based Attack Reachable Domain (ARD) framework that maps feasible adversarial actions to critical-eigenvalue migration through impedance reshaping. Based on the ARD, an Attack Penetration Index is defined to quantify node-level cyber-vulnerability by jointly characterizing the penetration of the nominal stability margin and the accessibility of successful destabilizing attacks within a privilege-constrained action space. To make the proposed assessment computable when inverter models are unavailable, a practical gray-box workflow is further established by integrating existing impedance identification and differentiable surrogate tools. Case studies on a 4-bus system and a modified IEEE 39-bus system show that coordinated cross-layer manipulations are markedly more damaging than isolated single-layer attacks, and that the proposed metric reveals vulnerability patterns that cannot be inferred from grid-strength indicators.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper proposes an impedance-based Attack Reachable Domain (ARD) framework that represents privilege-constrained adversarial actions as bounded impedance perturbations driving critical eigenvalues across the stability boundary. From the ARD it defines an Attack Penetration Index that jointly quantifies the penetration depth into the nominal stability margin and the accessibility of destabilizing attacks. A gray-box surrogate workflow combining impedance identification with differentiable models is introduced to enable computation without white-box inverter models. Case studies on a 4-bus system and a modified IEEE 39-bus system conclude that coordinated cross-layer attacks are substantially more damaging than isolated single-layer attacks and that the index reveals vulnerability patterns invisible to conventional grid-strength metrics.

Significance. If the central mapping and index are shown to be complete and non-circular, the work supplies a concrete attacker-oriented metric for node-level cyber-vulnerability assessment in inverter-rich grids. The gray-box workflow is a practical contribution that addresses the common absence of detailed controller models. The case-study demonstration that multi-layer coordination increases reachable instability is a useful empirical observation for resilience planning.

major comments (2)
  1. [§3.1] §3.1, the ARD construction and Eq. (7): the assumption that every privilege-constrained action (firmware writes, reference injections, timing changes) produces an equivalent small-signal impedance perturbation whose eigenvalue migration is necessary and sufficient for instability is load-bearing for the Attack Penetration Index. Attacks that alter internal controller gains or communication timing without measurably reshaping terminal impedance fall outside this representation, rendering the reachable-domain boundary and derived index incomplete for those privilege levels.
  2. [§4.2] §4.2 and the gray-box workflow description: identification errors from the impedance surrogate are propagated directly into the ARD boundary and Attack Penetration Index without reported uncertainty quantification or sensitivity analysis. Because the index is computed from the same surrogate that approximates the stability margin, a quantitative bound on how identification error affects the index value is required to support the claim that the metric reliably ranks nodes.
minor comments (2)
  1. [Figure 4] Figure 4 (39-bus results): the color scale for Attack Penetration Index values should be accompanied by an explicit statement of the normalization used so that cross-system comparisons are unambiguous.
  2. Notation: the symbol for the nominal stability margin (used in the index definition) is introduced without a dedicated equation reference; adding a single defining equation would improve readability.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the insightful comments. We address each major comment below and indicate planned revisions.

point-by-point responses
  1. Referee: [§3.1] §3.1, the ARD construction and Eq. (7): the assumption that every privilege-constrained action (firmware writes, reference injections, timing changes) produces an equivalent small-signal impedance perturbation whose eigenvalue migration is necessary and sufficient for instability is load-bearing for the Attack Penetration Index. Attacks that alter internal controller gains or communication timing without measurably reshaping terminal impedance fall outside this representation, rendering the reachable-domain boundary and derived index incomplete for those privilege levels.

    Authors: We note that the framework is explicitly impedance-based, focusing on adversarial actions that can be modeled as terminal impedance perturbations within the privilege-constrained space. Actions that do not produce measurable impedance changes at the terminals, such as certain internal controller modifications, are not included in the current ARD construction. We will revise the text in §3.1 to more clearly define the action space and state that the ARD and index apply to impedance-reshaping attacks. This addresses the completeness within the intended scope without claiming universality.
    revision: partial

  2. Referee: [§4.2] §4.2 and the gray-box workflow description: identification errors from the impedance surrogate are propagated directly into the ARD boundary and Attack Penetration Index without reported uncertainty quantification or sensitivity analysis. Because the index is computed from the same surrogate that approximates the stability margin, a quantitative bound on how identification error affects the index value is required to support the claim that the metric reliably ranks nodes.

    Authors: We concur that a sensitivity analysis is warranted. In the revised manuscript, we will add in §4.2 a quantitative assessment of how identification errors affect the ARD boundary and Attack Penetration Index. This will involve Monte Carlo sampling or bounded perturbation of the surrogate parameters and reporting the resulting index variations to support the ranking reliability.
    revision: yes

Circularity Check

0 steps flagged

No significant circularity; derivation is self-contained

full rationale

The paper constructs the Attack Reachable Domain (ARD) as a modeling framework that maps privilege-constrained adversarial actions to critical-eigenvalue migration via impedance reshaping, then defines the Attack Penetration Index directly from the ARD to jointly measure margin penetration and attack accessibility. No equations or steps in the abstract or described workflow reduce the index to a fitted parameter or self-citation by construction; the gray-box surrogate integrates external impedance identification tools without re-using the target vulnerability metric as input. The central claims rest on the proposed mapping and case-study validation rather than tautological re-labeling of inputs.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 2 invented entities

The central claim rests on two newly introduced entities (ARD and the index) whose definitions and mapping properties are postulated without external benchmarks or independent evidence supplied in the abstract.

invented entities (2)
  • Attack Reachable Domain (ARD) (no independent evidence)
    purpose: Maps feasible adversarial actions to critical-eigenvalue migration through impedance reshaping
    Core new framework introduced to quantify attack reachability
  • Attack Penetration Index (no independent evidence)
    purpose: Quantifies node-level cyber-vulnerability by combining stability margin penetration and attack accessibility
    Derived metric defined from the ARD

pith-pipeline@v0.9.0 · 5493 in / 1177 out tokens · 37909 ms · 2026-05-15T01:53:48.020268+00:00
