A comprehensive review of blockchain and machine learning integration for cybersecurity in microgrids

System architecture of blockchain

The structure of a blockchain consists of a sequence of blocks, as shown in Fig. 3. Each block contains two groups of information: (1) block header and (2) transaction records. The block header consists of six types of information: (1) Block version, (2) Merkle tree root hash, (3) Timestamps, (4) n-bits, (5) Nonce, and (6) Parent block hash, as shown in Fig. 4 (Haber & Stornetta, 1991).

In the blockchain, the first block is referred to as the genesis block. Within a block, the block header contains the hash of the previous block, and there is only one parent block, the genesis block is the only one that does not have a parent block hash. Table 3 listed the individual composition of the information stored in the block header of a single block (Zheng et al., 2017).

Transaction records are stored in the main part of the block, including a transaction counter and a list of transactions, whereby the number of transactions varies depending on the block and transaction size. The authenticity of each transaction is verified with a digital signature based on asymmetric cryptography in an untrusted environment (Gad et al., 2022). With the digital signature, each party has a private key for signing transactions, which must be kept secret, and a public key, which is distributed openly across the blockchain. The algorithm used for the digital signature in a blockchain is usually the Elliptic Curve Digital Signature Algorithm (ECDSA) (Johnson, Menezes & Vanstone, 2001). The encryption algorithm can differ depending on the cryptocurrency and its version. The current version of Bitcoin, for example, uses the SHA-256 (FIPS Pub, 2012) hashing algorithm for data encryption.

Types of blockchain

The study categorizes blockchain technology into five different types: firstly the public blockchain, secondly the private blockchain, thirdly the consortium blockchain, fourthly the permissioned (fully private) blockchain and fifthly the hybrid blockchain, which we explain comprehensively and in detail in Table 4 (Paul et al., 2021; IBM, 2021).

Components and features of blockchain

There are three main elements of the blockchain: (1) distributed ledger (AWS, 2023); (2) smart contract (Taherdoost, 2023), and (3) consensus (Lashkari & Musilek, 2021). The distributed ledger is of crucial importance for the blockchain, as it stores data publicly and for everyone to view and read, but is unchangeable once it has been written. Smart contracts can be thought of as tiny applications that can be stored in the blockchain (distributed ledger). There is a special programming language for this called Solidity (Wood, 2024). It is a rule-based agreement that, once written to the blockchain, is automatically executed and immutable, although updates are possible but difficult to implement. The consensus mechanism/algorithm is the security system of the blockchain that determines whether a new block can be safely added to the chain and protects against potential attackers and threats. There are two main categories of consensus mechanisms: (1) proof-based and (2) voting-based (Jain & Jat, 2022; Khan et al., 2020). In proof-based consensus algorithms, which are common in public blockchains, a proof of work is provided to compete for the addition of blocks. Private permissioned blockchains and consortium blockchains use voting-based consensus, where blocks collectively verify transactions before new ones are added. Table 5 summarizes the proof-based mechanisms and Table 6 summarizes the voting-based mechanisms. Table 7 (Viriyasitavat & Hoonsopon, 2019) summarizes the characteristics of blockchain in three categories: (1) decentralization, (2) immutability, and (3) consensus.

Machine learning techniques

A common method for developing adaptive algorithms is to combine ML (Obulesu, Mahendra & ThrilokReddy, 2018) with reinforcement learning (RL). ML and RL can improve real-world problem solving by identifying the best solutions to specific problems. In the following sections, the features of this algorithm and the changes made to improve the cybersecurity of MG are explained. The ML, RL and hybrid models used in this study have been explained in detail as shown in Fig. 5.

Supervised learning

In supervised learning (Muhammad & Yan, 2015), learning models are created by labeling data to solve classification and regression problems. Regression methods including linear, polynomial and exponential techniques - extract attributes for independent and dependent variables. Among these, techniques based on Gaussian Process Regression (GPR) are becoming increasingly popular. Unlike parametric schemes, which define the shape of samples based on their mean and variance functions, GPR adheres to a Gaussian random process distribution, as shown in Eqs. (1) to (3).

(1) $$f\left(x\right)=G_p\left(m\left(x\right),k\left(x,x^{\prime }\right)\right)$$where,

(2) $$m\left(x\right)=E\left\{f\left(x\right)\right\}$$and

(3) $$k\left(x,x^{\prime }\right)=G_p\left[{\{⟨f\left(x\right)-m\left(x\right)⟩⟨f\left(x\right)-m\left(x\right)⟩\}}^T\right].$$

The input vectors in Eqs. (1) to (3) are denoted by $x$ and $x^{\prime }$, the mean function is specified by $m\left(x\right)$ and the covariance function by $k\left(x,x^{\prime }\right)$. Linear kernels, square exponential kernels, Matern kernels, periodic kernels or various types of complex qualified equations can be used as covariance functions (also called kernel functions). When training with the labeled sample dataset, the hyperparameters in Eq. (1) are optimized. The accuracy of GPR in dealing with nonlinear relationships is one of its advantages over LR methods.

One of the most commonly used kernel-based supervised learning methods is the Support Vector Machine (SVM). By using the SVM to separate the data from the input pattern vector (x) and the labeled target vector (y), the linearly separable dataset (x, y) can be clearly represented by two hyperplanes (edges). The form of the decision area for two parallel hyperplanes is explained by Eq. (4), where w stands for the weights and b for the vector of bias factors. If you use normalized or standardized datasets, the decision area and each hyperplane are $1/\Vert w\Vert$ away from each other. SVM reduces classification errors by applying a hinge loss algorithm to a hyperplane of classification targets on linearly indivisible datasets.

(4) $$w^{T}x+b=0.$$

The goal is to minimize the function L in Eq. (5), where L is the regularization parameter and n is the number of modes.

(5) $$L=\left[{\displaystyle \frac{1}{n}\sum _{i=1}^{n}max\left(0,1-y\left(w^T{x}_i+b\right)\right)}\right]+\lambda \Vert w{\Vert }^2.$$

By using kernel functions (such as those in Table 8 (Patle & Chouhan, 2013)) to convert input states into wide-dimensional feature regions and then applying hyperplanes to delineate the input data, SVM can also be used to determine decision boundaries (decision boundaries are defined in Eqs. (6) and (7) where $\phi$ denotes the mapping function).

(6) $$w^T\phi \left(x\right)+b=0.$$

(7) $$k\left(x_i,x_j\right)=\phi {\left(x_i\right)}^T\phi \left(x_j\right).$$

Kernel functions (see Table 8) first transform the input state into a wide-dimensional feature space, and hyperplanes delimit the input data. Support Vector Machines (SVM) optimize the parameters for these hyperplanes using methods such as stochastic gradient descent (SGD), sequential minimal optimization (SMO) and interior point techniques (IPT), which makes them effective for regression tasks. Common SVM variants also include Bayesian SVM and Support Vector Clustering (SVC). From the point of view of sparse Bayesian learning theory, Relevance Vector Machines (RVM) (Tipping, 2001, 1999, 2003) are also known as kernel-based models. There are real-time intrusion detection systems using RVMs that are similar to SVMs in the cybersecurity domain, including MGs (Naveen, 2012).

Decision Trees (DT), another approach to supervised learning, begin by selecting a root node based on the feature with the highest information gain rate. While the main node has the greatest information gain, the sub-nodes rank the data according to the different attribute values of the main node. This process is repeated until there are no more attributes or additional information in the new sub-nodes. To maximize information gain, DT algorithms such as ID3, C4.5 and Classification and Regression Trees (CART) use information entropy. Random Forest, an ensemble learning method that combines multiple DT models, improves the flexibility of tree-based algorithms. After evaluating the predictions of all DT models, the RF algorithm selects the model with the highest majority vote.

Unsupervised learning

Unsupervised learning (Usama et al., 2019), which works with unlabeled data, is often used to solve clustering problems. Common techniques include k-means clustering algorithms (e.g., k-Nearest Neighbor), where k cluster centers are randomly initialized and then each data point is assigned to the nearest center. The algorithm iteratively adjusts these centers to minimize an objective function based on the distance between the clusters and the data points and stops when the cost function stabilizes or a maximum iteration limit is reached. Another approach is hierarchical clustering, which groups the data according to their similarity (measured by linkage methods or Euclidean distance) and stops once a predefined number of clusters has been formed. Density-based spatial clustering, introduced by Ester et al. (1996), identifies dense regions based on parameters such as scan radius ( $\epsilon$) and minimum points labeling outliers in low-density areas. It concludes by processing all data points. Alternative strategies include mean-shift or Gaussian mixture models, which adaptively refine cluster positions based on data density or probabilistic distributions.

Deep learning

Artificial neural networks (ANN) (Uhrig, 1995) form the backbone of DL systems and operate in both supervised and unsupervised modes. They use non-linear functions to model relationships between input and target variables while optimizing their parameters. Advances in big data mining and computer technologies are driving the growing popularity of DL. Figure 6 illustrates the architecture of deep neural networks (DNN). DNNs mainly contain several hidden layers.

Backpropagation is not only used for training DNNs, but is also considered as an optimization method that uses gradient descent to determine the weights and biases of the neural network (NN). The mathematical formulation is shown in Eq. (8). Another popular type of ANN is the deep belief network (DBN) (Hinton, Osindero & Teh, 2006).

(8) $$f\left(x\right)=f_a\left[W_i^T{f}_a\left(W_{i-1}^T\cdots f_a\left(W_0^{T}x+b_0\right)\right)+b_i\right].$$

CNNs (O’Shea & Nash, 2015) are advanced DL models that learn hierarchical representations and extract features and excel at tasks such as image and object recognition. Their convolutional layers achieve this by applying convolutional kernels to process the input tensor and the outputs of the previous layers. Fully connected layers and pooling layers are used to further identify features, as shown in Fig. 7. The format of the convolutional layers is shown in Eqs. (9) and (10) (Goodfellow, Bengio & Courville, 2016), where $Z^{l+1}\left(i,j\right)$ denotes the (i-th, j-th) output pixel from the ${\left(l+1\right)}^{th}$ feature map of the convolutional layer, $Z_k^l$ denotes the input to the ${\left(l+1\right)}^{th}$ convolutional layer (the k-th channel), K is the number of channels in the first convolution layer, $L_{l+1}$ is the size of $Z^{l+1}$, $w_k^{l+1}\left(x,y\right)$ is the weight of the (x-th, y-th) element in the convolution kernel in the ${\left(l+1\right)}^{th}$ convolution layer, b is the bias vector, f is the size of the convolution kernel, $s_0$ is the stride number and p is the padding number.

(9) $$Z^{l+1}\left(i,j\right)=\sum _{k=1}^K\sum _{x=1}^f\sum _{y=1}^f\left[Z_k^l\left(s_{0}i+x,s_{0}j+y\right)w_k^{l+1}\left(x,y\right)\right]+b,\left(i,j\right)\in \left\{0,1,\cdots L_{l+1}\right\}.$$

(10) $$L_{l+1}={\displaystyle \frac{L_l+2p-f}{s_0+1}.}$$

The process of selecting features and filtering information is called pooling and it usually takes the form of Eq. (11) (Estrach, Szlam & LeCun, 2014), where a is the parameter that defines the pooling strategy (a = 1 indicates the average pooling; $a\to \mathrm{\infty }$ indicates the maximum pooling), and $P_k^{l+1}\left(i,j\right)$ is the output. Maximum or average values are common pooling algorithms.

(11) $$P_k^{l+1}\left(i,j\right)={\left[\sum _{x=1}^f\sum _{y=1}^f{Z}_k^l{\left(s_{0}i+x,s_{0}j+y\right)}^a\right]}^{{\displaystyle \frac{1}{a}}}.$$

Combining the convolutional layer with the pooling layer usually improves the performance of data exploration. CNNs are usually trained with a backpropagation algorithm, similar to DNNs. The extracted functions are aggregated by the fully linked layer in (8) and then sent to the output layer and optimized for DNNs. To improve training performance and flexibility, some DNN and CNN models can benefit from ensemble learning (EL) and transfer learning (TL) methods. TL uses tiny training datasets to train complex NNs. Basically, the accuracy and flexibility of an NN increases when it contains multiple learning systems.

As shown in Fig. 8, recurrent neural networks (RNN) have become increasingly popular for processing time series data. Each RNN block receives an input variable $x\left(t\right)$ at each time $t$. The input variable $x\left(t\right)$ is the same as the input variable $x\left(t\right)$. The output of each block is $y\left(t\right)$ and its hidden state is $h\left(t\right)$. The output $y\left(t+1\right)$ is obtained by importing $h\left(t\right)$ and combining it with $x\left(t+1\right)$ to form $h\left(t+1\right)$. During this process, a time series memory is created. The trained RNN can predict the input time series variables. Hochreiter originally proposed the LSTM framework, which is a representative RNN framework (Hochreiter & Schmidhuber, 1997). By forgetting inputs that are irrelevant to the block and strengthening key inputs, the forgetting gates in LSTM solve the problems of gradient vanishing and explosion problems. It is well known that reservoir computing (RC) algorithms, Bidirectional RNNs and Stacked RNNs outperform traditional RNN algorithms in terms of training performance. One of the variants of the RNN architecture is the Gate Recurrent Unit (GRU). It is also considered an improved architecture of RNN and is a mutation form of LSTM (Cho et al., 2014).

Reinforcement learning

A unique branch within machine learning is RL. It is based on the principle of mimicking human learning and development through trial and error, which was originally proposed by Sutton & Barto (2018). In RL, agents interact with their environment by observing states, performing actions, and receiving rewards that include both positive incentives and negative punishments. Agents choose actions from a finite set of possibilities in their environment, and we measure their success by evaluating these rewards. To balance long-term goals, discounting factors adjust the weight of future incentives over immediate rewards, preventing an excessive focus on short-term gains. Agents primarily engage with their environment through this iterative process and refine their behavior based on reward-driven feedback. Rewards are given to the agent based on their behavior. A typical reinforcement learning process is shown in Fig. 9. Here, the states and actions are $S=\left\{1,...,n\right\}$ and $A=\left\{1,...,n\right\}$ Which of these value sets are continuous and which are discrete depends on the problem. This strategy was then defined for this function. The next goal for the reinforcement learning agent was to maximize the reward and obtain it by acting appropriately according to its current condition. Since this method is a closed loop, it requires an initial condition. To achieve the desired results, the RL must be set correctly. If the condition is simplified, the RL condition is not properly designed. The result is poor performance and an inability to respond positively to rewards.

When the agent interacts with its environment, RL is mainly used to identify the activities that will generate the highest cumulative rewards. The Markov Decision Process (MDP) principle is used for this. It usually consists of an agent and an environment. Depending on whether the environment needs to be explicitly modeled or not, RL can be divided into two categories: model-based and model-free, as Fig. 9 shows. Agents derive their behavior from their environment and this environment motivates them. Standard RL methods are used:

• •

  Q-learning (Watkins & Dayan, 1992): using the combination between Q-values $Q\left(s,a\right)$ and the Q-table to create the next action. This results in a new Q-value that is generated using Eq. (12), where R stands for rewards, $a$ and $s$ for the following steps $\alpha$ and $\gamma$ for learning rates. (12) $$Q\left(s,a\right)\leftarrow Q\left(s,a\right)+\alpha \left[R+\gamma ma{x}_{a^{\prime }}Q\left(s^{\prime },a^{\prime }\right)-Q\left(s,a\right)\right],s\leftarrow s^{\prime }.$$

• •

  Deep Q-networks (DQN) (Mnih et al., 2013): the goal is to use DL techniques (e.g., DNN, CNN, LSTM) to overcome the exponentially increasing computational cost of Q learning.

• •

  Policy gradient methods (Sutton et al., 1999): instead of using Q-values, build post-test steps using policy functions, which are measures of the state and operational behavior in the current step.

• •

  Actor-Critic (A2C) algorithms (Konda & Tsitsiklis, 1999): in order to modify its scoring policy based on the score of the critic, the actor creates the posterior-step action using the current-step state. The critic then assigns the actor a score at the current step.

Q-learning

Q-learning is a reinforcement learning technique that enables agents to learn optimal decision-making strategies by maximizing cumulative rewards through trial-and-error interactions with an environment. The agent can use Q-learning to learn the optimal policy that maximizes the long-term rewards and leads it to achieve its goal. Random variations and incentive alignment challenges can be effectively addressed without changing the existing framework of the environment. This technique identifies an optimal policy for a finite Markov decision process (FMDP) by maximizing the expected cumulative reward across all future time steps. Q-learning aims to identify the optimal policy for an FMDP by maximizing the cumulative expected future rewards from the current state, rather than focusing only on immediate or stage-specific gains. The Q-function evaluates the long-term utility of an action by iteratively updating its value estimates using reward feedback, thus reinforcing the learning process of the agent. The value-based model-free reinforcement learning approach uses approximation functions (e.g., NNs) to estimate action values. One-step Q-learning for training action-valued variables is based on iterative minimization of the loss function, which is how DNNs work. This off-policy learning technique uses current conditions to determine the best course of action. In Q-learning, decision making that deviates from the current policy, such as randomly exploring small actions, is classified as “off-policy” because the process does not rely on the existing policy at every step. In addition, Q-learning attempts to optimize its overall reward through execution. Through this feedback loop, the learning process becomes more accurate and the rewards are optimized. The input can be categorized by an agent that has time series analysis capability and the output is delivered in a timely manner. By training the DL LSTM agent, the memory component within the DNN layer can recognize the actions and states of the time series-based elements. With the developed deep Q-learning model, a variety of optimization tasks can be solved. Figure 10 shows an agent based on the architecture of the LSTM model. The input vectors consist of the prior action, the current state and the reward received. To mitigate overfitting and reduce the inaccuracy of the model in the current ensemble, the architecture includes additional LSTM layers paired with a batch normalization layer. Subsequently, the data was processed through the fully connected layer, a fundamental component of DL architectures. The entire layers and nodes of the architecture dynamically adapt to variations in input variables coming from real circuit signals or simulation data. The selection process can be efficiently performed by a straightforward grid search in combination with representative data samples, as shown in Fig. 11.

Perspective on the application of ML techniques in microgrids

The selection of an appropriate ML model is not arbitrary but must be tailored to the specific cybersecurity challenge within an MG. The choice depends critically on the requirements of the application, such as real-time performance, data availability, and the specific nature of the protected assets.

False data injection attacks

FDIAs occur in various forms, including deceptive tactics that compromise the reliability of control systems or manipulate measurement data (Pasqualetti, Dörfler & Bullo, 2013). The most well-known variants of FDIAs include random, pulse, ramp, scaling, and Additive White Gaussian Noise (AWGN) attacks (Prasad, 2020; Ali et al., 2024; Elsisi, Su & Ali, 2024). In this section, we review common FDIA types and analyze their intended targets and the resulting consequences. The attacks start at time $t_{atk}$ and interfere with the original transmission signal $S_{tx}$, resulting in the formation of mixed data $S_R$, a mixture of real and manipulated information at time $t$.

• 1.

  Random attack: the random attack aims to corrupt the measurement signal by injecting random data, which obscures the transmission signal as shown in Eq. (13). $S_{rnd}$ represents the vector of random values introduced by the attacker. (13) $$S_{tx}=\{\begin{array}{cc}{S}_R+S_{rnd},\hfill & t_{atk}\hfill \\ S_R,\hfill & otherwise\hfill \end{array}.$$

• 2.

  Pulse attack: the pulse attack interferes with and alters measurement signals by introducing a pulse signal into the normal signal. $S_{pul}$ refers to the pulse signal that is deliberately introduced by an attacker. As Eq. (14) shows. (14) $$S_{tx}=\{\begin{array}{cc}{S}_R+S_{pul},\hfill & t_{begin}<t<t_{end}\hfill \\ S_R,\hfill & otherwise\hfill \end{array}.$$

• 3.

  Ramp attack: the attacker alters the transmitted signal by integrating ramp signals and thus changes the true measurement by means of a ramp attack. $S_{ram}$ stands for the ramp signal that the attacker intentionally injects. As Eq. (15) shows. (15) $$S_{tx}=\{\begin{array}{cc}{S}_R+S_{ram},\hfill & t_{begin}<t<t_{end}\hfill \\ S_R,\hfill & otherwise\hfill \end{array}.$$

• 4.

  Scaling attack: the scaling attack manipulates the measurement signal via a scaling variable or function, resulting in unstable and inconsistent measurement data. As Eq. (16) shows. $S_{scal}$ stands for the scaling attack, while $e_s$ stands for the scaling factor. (16) $$S_{scal}=\{\begin{array}{cc}{S}_R,\hfill & \mathrm{\forall }t\notin t_{atk}\hfill \\ \left(1+e_s\right)S_R,\hfill & \mathrm{\forall }t\in t_{atk}\hfill \end{array}.$$

• 5.

  AWGN attack: the AWGN attack works subtly by injecting Gaussian noise into the signals and disguising the interference as natural disturbances to avoid detection. The name reflects the mechanics: additive combines the noise with the signal, white distributes it evenly across the frequencies, and Gaussian follows a normal distribution. As Eq. (17) shows. $S_{awgn}$ refers to a signal that has been compromised by an AWGN attack, where an attacker maliciously injects noise. (17) $$S_{tx}=\{\begin{array}{cc}{S}_R+S_{awgn},\hfill & t_{begin}<t<t_{end}\hfill \\ S_R,\hfill & otherwise\hfill \end{array}.$$

• 6.

  Load redistribution attack (LRA): Yuan, Li & Ren (2011) developed the LRA, a targeted FDIA that disrupts smart MGs by compromising the economic dispatch (ED) system, a system designed to minimize operational costs (e.g., generation expenses, load shedding penalties) through strategic adjustments to power generation. As Eq. (18) shows. Here, $\mathrm{\Delta }{P}_L$ represents the attack on power flow metering, $-S_F$ represents the shift factor matrix, $K_D$ represents the bus load incidence matrix, and $\mathrm{\Delta }D$ represents the attack on metering. (18) $$\mathrm{\Delta }{P}_L=-S_F\cdot K_D\cdot \mathrm{\Delta }D.$$

Denial of service

In a DoS attack, the attacker floods the system with excessive data packets, overwhelming communication channels between measuring devices and the control center for a predetermined timeframe. This disruption forces the system to drop any signals transmitted during the attack. As shown in Eq. (19).

(19) $$S_{tx}=\{\begin{array}{cc}0,\hfill & t_{begin}<t<t_{end}\hfill \\ S_R,\hfill & otherwise\hfill \end{array}.$$

In addition to flooding the system and overloading it with data packets, a DoS attack can also take the form of protocol manipulation, weak spots, jamming and routing attacks (Wenyuan et al., 2006; Jhaveri, Patel & Jinwala, 2012; Liang et al., 2017). Yi et al. (2014) characterize the Puppet attack, a novel DoS tactic, as an intrusion that transforms regular nodes in Advanced Metering Infrastructure (AMI) networks into puppet nodes. The attackers instruct these hijacked nodes to flood the network with attack packets, overloading communication capacity and draining energy reserves through excessive traffic. In contrast to conventional DoS attacks with a single source, Distributed Denial-of-Service (DDoS) attacks, a variation of DoS in MGs, are executed simultaneously from multiple geographically dispersed systems (Raja et al., 2022).

Adversarial attack

The primary goal of attacks is to compromise analytical models (Elsisi et al., 2024; Liu et al., 2019). The Fast Gradient Sign Method (FGSM) exploits the vulnerabilities of a pre-trained model by generating adversarial noise over the gradient of the input signal, thus intentionally maximizing the classification errors. As defined in Eq. (20) (Goodfellow, Shlens & Szegedy, 2014), the FGSM attack generates adversarial examples by modifying the original input data.

(20) $${\eta }_{ad{v}_x}=x+ϵsign\left({\mathrm{\nabla }}_x\mathcal{J}\left(\theta ,x,\mathcal{y}\right)\right)$$where ${\eta }_{ad{v}_x}$ is the perturbed image, $x$ is the original image, $\mathcal{y}$ is the target (victim) image, $\mathcal{J}$ denotes the loss function of the model, θ represents the parameters of the model, and $ϵ$ defines the perturbation magnitude.

The Projected Gradient Descent (PGD) attack derives from the single-step FGSM, originally proposed by Madry et al. (2017). The PGD attack is a method designed to fortify classifiers against first-order adversarial threats, as shown in Eq. (21) (Madry et al., 2017; Elsisi et al., 2024). The iterative method produces a sequence of adversarial examples: $\left\{x_{adv}^0,x_{adv}^1,\cdots x_{adv}^{N+1}\right\}$.

(21) $$\begin{array}{rl}{x}_0^{adv}& =x,\\ x_{N+1}^{adv}& =Cli{p}_{x,ϵ}\left\{x_N^{adv}+\alpha \cdot {\displaystyle \frac{{\mathrm{\nabla }}_{x}L\left(\theta ,x\right)}{\Vert {\mathrm{\nabla }}_{x}L\left(\theta ,x,\mathcal{y}\right){\Vert }_2}}\right\}\end{array}$$where, the hyperparameter $\alpha$, typically defined as $ϵ/N$ for a given $ϵ$, is applied iteratively. The $Cli{p}_{x,ϵ}$ operation ensures per-pixel constraints on the adversarial image.

Kurakin, Goodfellow & Bengio (2018) proposed the Basic Iterative Method (BIM), which extends the FGSM framework by iteratively refining adversarial perturbations. Unlike single-step noise application of the FGSM, BIM applies incremental adjustments through a multi-step process, generating small perturbations that cumulatively maximize errors, as formalized in Eq. (22).

(22) $$\begin{array}{rl}{x}_0^{adv}& =x,\\ x_{N+1}^{adv}& =Cli{p}_{x,ϵ}\left\{x_N^{adv}+\alpha \cdot sign\left({\mathrm{\nabla }}_x\mathcal{J}\left(x_N^{adv},\mathcal{y}\right)\right)\right\}.\end{array}$$

Time delay attack

The TDA influences the system by introducing random delays in both the transmission and reception of packets (Wu et al., 2019). Receiving the control signal at the right time is crucial for effective system management. This attack interrupts the transmission of signals from the remote terminal units (RTU) to the control center over the communication channel as described in Eq. (23).

(23) $$S_{tx}=S_R\left(t-\tau \left(t\right)\right)$$where $\tau \left(t\right)$ represents the time delay encountered in the reception of plant states at the control center location. Uncertainty in time delay attacks can result in varied patterns.

Replay attack

The RA strategy operates by capturing sensor data over a specific time window and substituting genuine measurements to corrupt control signals, or by maliciously passing operator-generated commands to actuators to disrupt normal operation (Zhu & Martínez, 2014).

Man in the middle

MiTM attacks threaten MGs by intercepting and manipulating communications between devices to secretly monitor data (eavesdropping) or impersonate devices (spoofing), all while mimicking the normal flow of data (Conti, Dragoni & Lesyk, 2016). Kulkarni et al. (2020) analyzed these attacks and pointed out the risks associated with the vulnerabilities of the Modbus TCP/IP protocol, while Fritz et al. (2019) demonstrated a prototype MiTM attack on an emulation platform and showed practical exploitation methods.

Switching attack

SAs destabilize MGs by targeting circuit breakers to disturb the phase angles and frequencies of generators and eventually force disconnection (Liberati, Garone & Giorgio, 2021). Liu et al. (2011a, 2011b) demonstrated this using a Single-Machine Infinite Bus (SMIB) model that simulates transmission systems with a generator and a load connected via a circuit breaker. Attackers execute SAs by disconnecting devices in substations such as transformers, transmission lines or busses via compromised local networks. These actions risk grid congestion, instability, and cascading failures such as blackouts (Yamashita et al., 2020). Researchers warn that attackers can exploit IP-connected substations by hijacking local computers with breaker access to breakers or digital relays with partial control, enabling cascading trips. Yamashita, Ten & Wang (2020) describe how attackers use IP-based intelligent electronic devices (IED), commonly used in MGs, to remotely open circuit breakers during SAs.

Malware attacks and malicious command injection

Malware attacks such as logic bombs, Trojan horses and botnets threaten systems in different ways. Logic bombs remain inactive until certain conditions trigger their payload, causing systems to crash, data to be corrupted or hard disks to be irrevocably erased (Dusane & Pavithra, 2020). Trojan horses disguise malicious code as legitimate software to trick users into running it (Namanya et al., 2018), while botnets use networks of compromised devices to spread malware, send spam or intercept communications (Liu et al., 2009). Malicious command injection attacks infiltrate systems to seize unauthorized control, as shown by Lin, Kalbarczyk & Iyer (2018), who simulate adversarial command sequences to study their destabilizing effects on MG dynamics.

Perspective on cyberattack landscape in microgrids

While the literature describes a wide array of cyberattacks, a critical analysis from the perspective of MG operations reveals why certain threats receive more attention and are considered more probable. The extensive focus on FDIAs in research is not arbitrary; it stems from their unique potential to compromise the cyber-physical nature of MGs stealthily. Unlike DoS attacks that overtly disrupt communication, FDIAs subtly alter sensor measurements and control signals. This allows them to directly manipulate critical MG functions like SE and economic dispatch, potentially causing physical damage or widespread instability before detection. The challenge of distinguishing malicious data from legitimate operational fluctuations makes FDIA a particularly insidious and academically compelling problem.

From a practical standpoint, the most plausible attacks on current and future MGs exploit the expanding digital footprint created by ICT and the IoT. Therefore, FDIAs, MiTM attacks, and RAs are highly probable threats. These attacks target the communication channels between DERs, smart inverters, and control centers, essential for smart grid functionality. Their feasibility is heightened because they often do not require overwhelming force but exploit common communication vulnerabilities of protocols. In contrast, attacks like coordinated large-scale SAs may be less probable as they often require more system knowledge and synchronized access to multiple physical devices. However, the increasing interconnection of substation automation systems means their potential impact cannot be overlooked. Thus, the focus of the literature reflects a risk matrix where both the likelihood and the potential impact of an attack are considered. FDIAs represent a critical intersection of high likelihood (due to ICT vulnerabilities) and severe impact (due to physical system manipulation).

Blockchain-based framework

Blockchain is mainly used in MGs to solve the problem of energy trading in energy sharing. Leveraging the decentralized nature of blockchain for peer-to-peer (P2P) energy transmission not only reduces energy loss, but also ensures secure energy transmission. Figure 12 illustrates the blockchain application between MGs and buyers.

Coordinating energy trading between multiple buyers is a complex challenge for MG operations. The authors of Košt’ál, Khilenko & Hunák (2024) introduce a two-level hierarchical blockchain framework to optimize P2P energy trading and demand management. The platform employs game algorithms to help participants make cost-efficient decisions while maintaining grid stability, and implements cryptographic protocols to block fraudulent transactions. The simulation results show that the integration of recommendation algorithms for buyers and sellers reduces the peak-to-average ratio (PAR), reduces network congestion and increases overall efficiency. A real world case study on P2P energy trading in the MG system is conducted by the authors of Khubrani & Alam (2023). In addition to P2P energy trading, they also proposed Renewable Energy Certificates (REC) management and secure billing. This ensures transparent, tamper-proof transactions, strengthens trust in energy trading and reduces security risks.

Despite the inherent security of the blockchain, the communication channels connecting the blockchain to MGs or buyers are still fraught with cybersecurity risks, prompting developers to deploy smart contracts as tailored communication protocols with predefined rules and functions to secure these connections. The authors of Faheem et al. (2024) propose an Advanced Solana Blockchain (ASB) framework that utilizes smart contracts to monitor and control DERs in real time. By minimizing communication overhead and increasing efficiency, the ASB framework ensures data integrity and authentication mechanisms, thus increasing the resilience of smart grids against cyberattacks. The authors (Zhang et al., 2024) propose a blockchain-based security architecture for scalable IoT-integrated microgrids that use multi-layer smart contracts to secure authentication and interactions between components. They introduce a Computing Balance-based Exchange (CBE) algorithm to optimize data exchange and reduce latency, while the framework ensures secure device communication and addresses trust/privacy concerns. Simulations show improved security and efficiency in large-scale smart grids.

The reliability of power distribution must be guaranteed, especially in medium voltage networks where power failures can lead to blackouts or serious operational disruptions. Using distributed ledger technology (DLT), the authors (Hahn et al., 2024) propose a Cyber Grid Guard (CGG) system that verifies and authenticates data received from electricity meters and protection relays. The system provides an additional layer of security for monitoring the power grid, detects faulty phases and immutably logs event data in the blockchain using IEC 61850 GOOSE messages. With the increasing penetration of solar energy in residential areas, smart inverters now play a crucial role in modern electricity grids. However, these IoT-enabled devices expose grids to cyber threats, jeopardizing stability. To address this issue, the authors (Akkaoui et al., 2024) introduce Resilient Authenticated Smart-inverter Secure Firmware via Auditable Blockchain (RASSIFAB), a blockchain framework that secures smart inverter firmware updates by increasing security, resilience, and auditability. By leveraging the immutability of blockchain, RASSIFAB guarantees authentic firmware over-the-air (FOTA) updates and prevents tampering, even against malicious insiders. Appasani et al. (2022) emphasize enhanced security, transparency, and decentralization in domains such as AMI, EVs, and synchrophasors. The discussion suggests that integrating blockchain with ML can strengthen MG cybersecurity by enabling secure data management and intelligent threat detection. Table 9 summarizes the blockchain-based framework for application of cybersecurity in MGs.

Machine learning-based framework

ML improves the cybersecurity of microgrids through real-time threat detection, adaptive anomaly monitoring and proactive risk mitigation. By analyzing IoT and sensor data to detect attacks such as FDIA and DoS, ML systems adapt to evolving threats, increase grid resilience and ensure reliable power distribution. Figure 13 shows the cyberattack path and critical targets that represent optimal locations for ML model deployment. FDIAs are the most widespread and effective cyberattack method, particularly targeting the transmission of signaling data. Numerous studies have dealt with the detection of FDIAs using different machine learning approaches. The authors of Yu, Hou & Li (2018) propose a real-time method for detecting FDIAs that integrates wavelet transforms (WTs) with DNNs and exploits temporal correlations in system states to overcome the one-point limitations of traditional approaches. Their DL model extracts hidden patterns from wavelet-transformed signals and can accurately distinguish cyberattacks from normal operations. One of the biggest challenges in identifying FDIA, besides detecting the attack itself, is to find the exact origin of the attack. To address this problem, researchers use a multilabel classification strategy (Wang, Bi & Zhang, 2020). They combine CNNs with traditional bad data detectors (BDD) to accurately identify compromised nodes in microgrids. Location detection is critical for real-time threat defense as it enables targeted countermeasures. AC smart islands, where DERs operate in isolated grid configurations, provide a unique environment for viewing FDIA (Dehghani et al., 2020). Their method uses wavelet singular values as feature inputs to a DL model and utilizes wavelet transforms to detect subtle anomalies in voltage and current signals and identify attacks early. The model has been trained on simulated attack scenarios and achieves exceptional accuracy in distinguishing between normal grid operation and compromised states. The researchers propose a federated learning (FL) system for detecting FDIAs in distribution networks that offsets the inefficiencies and privacy risks of centralized methods through an end-edge cloud collaboration that distributes the computational tasks (Li et al., 2024). Key innovations include temporal-spatial Graph Convolutional Networks (GCN) that analyze temporal-spatial data correlations, demonstrating the potential of FL to strengthen cybersecurity while preserving data privacy.

Increasing reliance on IoT and communication networks exposes smart grids to cyber threats such as DoS attacks and malware intrusions, prompting researchers to use ML and DL techniques for robust countermeasures (Hasan et al., 2024). However, challenges such as hyperparameter optimization, critical feature selection, privacy assurance, and real-time detection require special attention. Without proper feature selection techniques, the performance of ML models decreases and increases the attack effect. There are three main types of feature selection techniques: first, rule-based; second, signature-based; and third, anomaly-based (Mohammed et al., 2024). Using the right features can not only reduce the attack effect but also reduce the computational cost. Most studies using ML techniques are based on supervised learning. Supervised learning requires labeled datasets with high quality and large quantity, which are difficult to obtain in the real world. Therefore, unsupervised learning approaches that use clustering algorithms and data mining to detect anomalies without prior attack knowledge can be more effective compared to supervised learning approaches (Pinto, Siano & Parente, 2023). In practice, other constraints must be considered when adapting ML approaches for cybersecurity in MG environments, such as computational limitations, communication overhead, and false positive rates (FPR). To mitigate this, hybrid approaches that combine signature-based detection with adaptive learning models can provide more flexibility and robust mechanisms (Ramotsoela, Hancke & Abu-Mahfouz, 2023). Table 10 summarizes the ML-based framework for cybersecurity application in MGs.

Based on our review, the choice of an ML technique should be directly tied to the specific cybersecurity challenge it aims to solve within the MG context. We offer the following perspective:

• For Real-Time Attack Detection: DL models, particularly RNNs like LSTM and GRU, are exceptionally well-suited. MG operations are inherently time-series-based (e.g., voltage, current, frequency data). RNNs excel at learning temporal dependencies, allowing them to accurately model normal grid behavior and flag subtle deviations indicative of an attack. For attacks manifesting across multiple nodes, CNNs can be highly effective in learning spatial correlations from sensor data to pinpoint the attack location.

• For Autonomous Resilience and Defense: RL is the most promising approach for moving beyond passive detection to active defense. An RL agent can be trained to make optimal control decisions, such as isolating a compromised part of the grid or re-dispatching energy, to maintain stability during an attack. Its trial-and-error learning mechanism makes it adaptive to novel, zero-day threats without signatures.

• For Privacy-Preserving Collaborative Security: FL is the superior architecture in multi-stakeholder MG environments where data sharing is restricted. It allows multiple MGs to collaboratively train a robust detection model without sharing their sensitive raw data, sharing only anonymized model updates. This is crucial for building collective intelligence while respecting data privacy.

• For Environments with Limited Data: the challenge of obtaining large, labeled datasets of real-world attacks is significant. Unsupervised learning methods are invaluable for anomaly detection, as they do not require pre-labeled data. Furthermore, TL offers a practical solution by enabling the adaptation of models trained on extensive datasets from other domains to the MG context with minimal fine-tuning.