Secure Dynamic State Estimation for Cyber Security of AC Microgrids

A timely, accurate, and secure dynamic state estimation is needed for reliable monitoring and efficient control of microgrids. The synchrophasor technology enables system operators to obtain synchronized measurements in real-time and to develop dynamic state estimators for monitoring and control of microgrids. However, in practice, sensor measurements can be corrupted or attacked. In this study, we consider an AC microgrid comprising several synchronous generators and inverter-interface power supplies, and focus on securely estimating the dynamic states of the microgrid from a set of corrupted data. We propose a secure dynamic state estimator which allows the microgrid operator to reconstruct the dynamic states of the microgrid from a set of attacked or corrupted data without any assumption on attacks or corruptions. Finally, we consider an AC microgrid with the same topology as the IEEE 33-bus distribution system, and show that the proposed secure estimation algorithm can accurately reconstruct the attack signals.


INTRODUCTION
Future distribution systems will include interconnected microgrids (Lasseter, 2002)- (Hatziagyriou et al., 2007). Such systems are designed to operate in a distributed fashion dealing with various dynamic phenomena with different time scales (Ilić and Liu, 1996)- (Kundur et al., 2004). The functionality of control systems in microgrids is highly dependent on state estimation schemes used to observe the system over time. Traditional energy management systems are using static state estimation schemes designed from steady-state models (Schweppe and Wildes, 1970) (Abur and Expósito, 2004). With the high penetration of distributed energy resources (DER) on the generation side, and flexible loads and new demand-response technologies on the demand side, static state estimation schemes will not be able to capture power systems' dynamics accurately (Zhao et al., 2019). Dynamic state estimation schemes will be needed to accurately capture the system dynamics. Such state estimation schemes, designed based on dynamical models, will play a significant role in microgrid monitoring and control (Modir and Schlueter, 1981)- (Meliopoulos, 2017). In this paper, we focus on the design of dynamic state estimation schemes which are secure to cyber-physical attacks.
Large-scale integration of inverter-interfaced power supplies and distributed controls requires a widespread deployment of the synchrophasor technology and communication networks in future distribution systems. This will lead to high-volume data exchange between different controllers which will make microgrids vulnerable to cyber-physical attacks. Corrupted data in controllers can disrupt power generators' synchrony and result in a network-wide instability. Several attack detection schemes have been proposed in recent years (Pasqualetti et al., 2012) (Liu et al., 2014a). With false-data injection attacks, disturbances are injected to sensors and actuators to disrupt the measurements and computed control inputs. While it is possible to identify misbehaving agents (Pasqualetti et al., 2012) (Pasqualetti et al., 2013), such solutions require full knowledge of the cyber layer and are hard to scale. In (Mo et al., 2014), the authors propose a computationally-efficient scheme to detect deception attacks on sensors. While such solutions enable us to detect cyber attacks efficiently, these solutions do not mitigate all possible adverse effects. Robust game-theoretic schemes can lead to conservative results (Alpcan and Basar, 2003) (Srikantha and Kundur, 2016).
Cyber attacks can be modeled as noise or disturbance to the system. Basseville et al. (Basseville and Nikiforov, 1993) use noise filtration techniques to detect and remove malicious attacks, and the authors in Jiao et al. (2016) develop disturbance attenuation methods for cyber attack detection. Notice that noise filtration or disturbance attenuation techniques operate under certain statistical properties, e.g., white Gaussian noise signal. However, in practice, cyber attacks can be deliberately designed by a malicious attacker. In Abhinav et al. (2018), the authors propose attack-resilient controls for synchronization of islanded microgrids. The authors study the effect of attacks on sensors and actuators, and numerically demonstrate the effectiveness of their distributed controls on a modified IEEE 34-bus system.
In recent years, several researchers have focused on state estimation with security guarantees for both linear and nonlinear dynamical systems (Fawzi et al., 2014)  . The current literature on linear dynamical systems can be classified into two classes: noiseless measurements, and noisy measurements. For systems with noiseless measurements, the studies in (Fawzi et al., 2014)   show that the state of the system can be accurately reconstructed under certain conditions. For systems with noisy measurements, sparse attack vectors can be distinguished from the measurement noise under certain conditions (Shoukry et al., 2014) (Farahmand et al., 2011). In Hu et al. (2018), the authors focus on secure state estimation for two classes of nonlinear systems without any assumption on the sensor attacks. They assume that the set of attacked sensors or actuators can potentially change with time, and propose a secure state estimator for those nonlinear systems. Finally, they consider a power system comprising a set of synchronous generators and storage units connected to each other via a set of electrical lines. The authors assume that the storage units use feedback linearization controls, and then design a secure estimator that enables the system operator to securely estimate the dynamic states of the power grid, i.e., the states of the synchronous generators, under cyber-physical attacks and communication failures.
Several dynamic state estimators have been proposed in the literature. However, the existing dynamic state estimators have the following drawbacks:
1. Loads are considered to be quasi-static, i.e., load dynamics are neglected. Unlike large power systems, microgrids are small-footprint power systems comprising distribution assets, DERs, and loads. DERs are typically inverter-interfaced power supplies with no inertia. These resources respond to disturbances as fast as their controls, and hence the dynamics of flexible loads and DERs are strongly coupled in microgrids. More precisely, load dynamics have significant transient impacts in microgrids (Zhang et al., 2016) (Haddadi et al., 2013).
2. Controllers are considered to have a specific structure. For example, storage units are assumed to use feedback linearization controls in Hu et al. (2018). DERs can use several types of distributed and centralized control schemes (Yazdanian and Mehrizi-Sani, 2014) (Hooshyar and Iravani, 2017).
In summary, load dynamics cannot be neglected in securely estimating dynamic states, and controllers cannot be limited to any specific structure. We address both drawbacks of existing dynamic state estimators. First, we design a secure dynamic state estimator for AC microgrids without using any linearization techniques or reducing the microgrid to a network of oscillators. Second, we make no assumptions about the structure of the controllers.
In this study, we focus on secure dynamic state estimation in AC microgrids under cyber attacks or communication failures. We consider an AC microgrid comprising several synchronous generators, inverter-interfaced power supplies, and electric loads controlled via a central controller (i.e., the microgrid operator) and several local controllers. The controllers use phasor measurement units (PMU) to maintain the system's reliability. Each bus is equipped with a controller, transceiver, and measurement unit so that the controller can exchange its information with other controllers. The transceivers send the feedback information to the microgrid operator via a communication network. We make the following assumptions: Note that typically, central controllers are strongly protected against cyber attacks, and that local controllers are more vulnerable to cyber attacks (CIP Standards, 2020). Thus, assumption 1 is reasonable. Here we consider cyber attacks that corrupt the communication paths and affect measurement units.
A practical example of cyber attacks in which the set of attacked sensors can change with time is provided in Liu et al. (2014b).
The contributions of this study are summarized as follows:
1. We extend our previous work to AC microgrids and propose a secure state estimator for reconstructing the dynamic states of an AC microgrid using a set of measurements that can be corrupted. The proposed estimators are computationally efficient and enable microgrid operators to reconstruct dynamic states without any assumptions on attacks or corruptions.
2. We then consider an AC microgrid with the same topology as the IEEE 33-bus distribution system, and demonstrate the effectiveness of our estimators in accurately reconstructing the attack or corruption signals with realistic attack scenarios.
The paper is organized as follows: In Section 2, we review the secure state estimation for linear dynamical systems and in Section 3, we introduce the microgrid model adopted in this work. In Section 4, we formulate the dynamic state estimation problem for AC microgrids, and propose a dynamic state estimator for recovering dynamic states. Finally, in Section 5, we demonstrate the effectiveness of the proposed estimator using the IEEE 33-bus distribution system.

PRELIMINARIES
We first introduce the error correction problem and compressed sensing. We then describe secure state estimation for linear dynamical systems.

Compressed Sensing
Let $A \in \mathbb{R}^{m \times n}$ ($m \ll n$) and $b \in \mathbb{R}^{m}$ be a sensing matrix and measurement vector. Consider the following optimization problem: (1) Notice that $\|x\|_0$ equals the number of non-zero entries of $x$. Lemma 1 provides a sufficient condition for obtaining a unique solution to Eq. 1.
Lemma 1. (Candes et al., 2006) If the sparsest solution to Eq. 1 has $\|x\|_0 = q$ and $m \geq 2q$ and all subsets of $2q$ columns of $A$ are full rank, then the solution is unique.

The Error Correction Problem
Consider a full rank coding matrix $C \in \mathbb{R}^{\ell \times n}$ ($\ell > n$) and a set of attacked measurements $y = Cx + e$ where $e$ is an arbitrary and unknown sparse error vector. The classical error correction problem aims at recovering the vector $x \in \mathbb{R}^{n}$ from the attacked measurements $y$. To achieve this goal, we need to compute the error vector $e$ since given $y = Cx + e$ and $e$, we can compute $Cx$. Then, $x$ can be computed using the full rank matrix $C$ (Candes et al., 2006). Candes et al. (2006) construct a matrix $F$ such that $FCx = 0$ for all $x$. Then, by applying $F$ to $y$, they obtain Hence, the classical error correction techniques can be transformed into reconstructing a sparse error vector $e$ from the measurement vector $\bar{Y} = Fe$. According to Lemma 1, any error vector $e$ that satisfies $\|e\|_0 \leq q$ can be reconstructed if all the subsets of $2q$ columns of matrix $F$ have full rank.

Secure State Estimation for Linear Dynamical Systems
Consider a discrete-time linear system as follows: where $x[k] \in \mathbb{R}^{n}$ and $y[k] \in \mathbb{R}^{p}$ denote the states and outputs of the system at time slot $k$, respectively. $e[k] \in \mathbb{R}^{p}$ denotes attack signals.
Let $Y \in \mathbb{R}^{p \cdot K}$ be the collection of the measurements over $K$ time slots, and let $E_{q,K}$ denote the set of error vectors where $\Phi \in \mathbb{R}^{p \cdot K \times n}$ is the $K$-step observability matrix of the system at hand. Note that $(A, C)$ represents the system dynamics matrix and if the system is observable, then this can be easily achievable. If the system is not observable, in order to guarantee full rank of $\Phi$, we need to add/allocate measurement units to achieve full rank condition. We assume that $\mathrm{rank}(\Phi) = n$; otherwise, we cannot determine $x[0]$ even if there was no attack ($E_{q,K} = 0$). For instance, if the system is not observable, there is no way to infer any attack signal. By following a two-step procedure (Candes et al., 2006; Hayden et al., 2016), we can now reconstruct the initial state $x[0]$ from the $y[k]$'s, where $k = 0, \dots, K-1$. First, we compute the error vector $E_{q,K}$, and then solve for , and $R_1 \in \mathbb{R}^{n \times n}$ is a rank-$n$ upper triangular matrix by using QR decomposition of $F$ and then we obtain: Using the second block row, we have: where $Q_2^{\top} \in \mathbb{R}^{(p \cdot K - n) \times p \cdot K}$. Using Lemma 1, the above optimization has a unique, $s$-sparse solution (where $s \leq q \cdot K$) if all subsets of $2s$ columns (at most $2q \cdot K$ columns) of $Q_2^{\top}$ are full rank. Using this observation, we consider solving the following $\ell_1$-minimization problem: Here, we approximate the $\ell_0$-minimization problem with an $\ell_1$-minimization problem to obtain a convex decoder (Candes and Tao, 2005) (Tropp, 2004).
Using the first block row of Eq. 5, we can now compute $x[0]$ as follows:

Frontiers in Control Engineering | www.frontiersin.org August 2021 | Volume 2 | Article 734220

The following result provides the conditions under which there exists a unique solution to Eq. 8. The proof follows by using Lemma 1 and the fact that the null space of $Q_2^{\top}$ is equal to the column space of $\Phi$.
Lemma 2. (Chang et al., 2018) There exists a unique solution $x[0]$ if all subsets of $2s$ columns of $Q_2^{\top}$ are linearly independent and $\Phi$ is full column rank.
Lemma 2 guarantees accurate decoding when the assumption holds.
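The two-step decoder of this section, written out as an added example (it is not code from the paper). It assumes the system form $x[k+1] = Ax[k]$, $y[k] = Cx[k] + e[k]$, whose equations are missing from this copy, and runs on a constructed 2-state, 5-sensor system in which a different sensor is attacked in each time slot; all function names are illustrative.

```python
import numpy as np
from scipy.optimize import linprog


def observability_matrix(A, C, K):
    """Stack C, CA, ..., CA^(K-1): the K-step observability matrix Phi."""
    blocks, M = [], C.copy()
    for _ in range(K):
        blocks.append(M)
        M = M @ A
    return np.vstack(blocks)


def simulate(A, C, x0, attacks):
    """Assumed model: x[k+1] = A x[k], y[k] = C x[k] + e[k]. Returns stacked Y."""
    x, ys = x0.copy(), []
    for e in attacks:          # one attack vector e[k] per time slot
        ys.append(C @ x + e)
        x = A @ x
    return np.concatenate(ys)


def secure_decode(A, C, Y, K):
    """Recover (x[0], E) from the stacked, possibly attacked measurements Y."""
    n = A.shape[0]
    Phi = observability_matrix(A, C, K)
    if np.linalg.matrix_rank(Phi) < n:
        raise ValueError("Phi is rank deficient: x[0] cannot be determined")
    # Phi = [Q1 Q2] [R1; 0]; the rows of Q2^T annihilate Phi.
    Q, R = np.linalg.qr(Phi, mode="complete")
    Q1, Q2, R1 = Q[:, :n], Q[:, n:], R[:n, :]
    # Step 1: Q2^T Y = Q2^T E. Solve min ||E||_1 under that constraint as an
    # LP with E = u - v, u >= 0, v >= 0 (the convex l1 relaxation of l0).
    M = Q2.T
    N = M.shape[1]
    res = linprog(c=np.ones(2 * N), A_eq=np.hstack([M, -M]), b_eq=M @ Y,
                  bounds=(0, None), method="highs")
    if not res.success:
        raise RuntimeError(res.message)
    E_hat = res.x[:N] - res.x[N:]
    # Step 2: first block row, R1 x[0] = Q1^T (Y - E).
    x0_hat = np.linalg.solve(R1, Q1.T @ (Y - E_hat))
    return x0_hat, E_hat


def demo():
    """Constructed system: a slow rotation observed by 5 sensors over K = 4 slots."""
    a = 0.1
    A = np.array([[np.cos(a), -np.sin(a)], [np.sin(a), np.cos(a)]])
    beta = np.arange(5) * np.pi / 5
    C = np.column_stack([np.cos(beta), np.sin(beta)])
    K = 4
    x0 = np.array([1.0, -0.5])
    # Constructed attack: one sensor per slot, and the attacked sensor changes.
    attacks = np.zeros((K, 5))
    for k, (sensor, value) in enumerate([(0, 3.0), (2, -7.5), (4, 1.2), (1, 20.0)]):
        attacks[k, sensor] = value
    Y = simulate(A, C, x0, attacks)
    x0_hat, E_hat = secure_decode(A, C, Y, K)
    # Baseline without protection: ordinary least squares on the attacked data.
    x0_ls = np.linalg.lstsq(observability_matrix(A, C, K), Y, rcond=None)[0]
    return x0, x0_hat, x0_ls, attacks.ravel(), E_hat


if __name__ == "__main__":
    x0, x0_hat, x0_ls, E, E_hat = demo()
    print("true x[0]          ", x0)
    print("secure estimate    ", np.round(x0_hat, 6))
    print("least squares      ", np.round(x0_ls, 3))
    print("attacked entries   ", np.flatnonzero(np.abs(E_hat) > 1e-6))
```

The least-squares baseline is pulled away from the true state by the four corrupted entries, while the decoder returns both the initial state and the attack vector.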

SYSTEM MODEL
We first introduce the physical layer model of an AC microgrid with generators and loads. We then describe the cyber layer over which the microgrid operator relies to control its DERs, and introduce the cyber attacks that we are considering in this study.

Physical Layer
Consider a microgrid with $m + n + l$ buses. $m$ of the $m + n + l$ buses, indexed by $\mathcal{N}^{(S)} = \{1, \dots, m\}$, have synchronous generators connected to them, and $n$ of the microgrid buses, indexed by $\mathcal{N}^{(I)} = \{m + 1, \dots, m + n\}$, have inverter-interfaced power supplies attached to them. The remaining buses, indexed by $\mathcal{N}^{(L)} = \{m + n + 1, \dots, m + n + l\}$, have electric loads and no generation. We further assume that the network interconnecting the buses is linear, i.e., the network can be represented by the nodal admittance matrix $Y = G + \sqrt{-1}\,B$ where $G$ and $B$ denote the conductance and susceptance matrices, respectively.
We use the standard structure-preserving model to describe the microgrid's dynamics (Bergen and Hill, 1981). This model, which incorporates the dynamics of generators' rotor angle and the response of load power output to frequency deviations, allows us to preserve the structure of the grid, i.e., no load bus elimination is made. We introduce fictitious buses representing the internal generation voltages for synchronous generators and inverter-interfaced power supplies. Each of these buses is connected to either a synchronous generator or inverter-interfaced power supply bus via reactances that account for transient reactances and connecting lines. These reactances can be considered as transmission lines (Sauer and Pai, 1998). Therefore, in the augmented network, the number of buses is $2(m + n) + l$. We further denote the set of fictitious buses for synchronous generators and inverter-interfaced power supplies by $\mathcal{N}_f^{(S)}$ and $\mathcal{N}_f^{(I)}$, respectively. The augmented network can be modeled by graph, (I) f ; and where each element in the edge set $\mathcal{E}$ corresponds to an electrical line between a pair of buses in the augmented network. We assume that the network topology is fixed and known to the microgrid operator.
Let $V_i$ and $\theta_i$ denote the voltage magnitude and phase angle of bus $i \in \mathcal{N}$, respectively. We use a structure-preserving model with constant complex voltage behind reactance [34, Sec. 7.9.2] to represent the dynamics of each synchronous generator. For a synchronous generator at fictitious bus $i \in \mathcal{N}_f^{(S)}$, let $\theta_i$ denote the angle of its voltage as measured with respect to a synchronous reference rotating at the nominal system electrical frequency $\omega_0$. Further, let $\omega_i$ denote its rotor electrical angular speed, and let $P_i^{m}$ be the turbine's mechanical power. For each synchronous where $y_{ij} = g_{ij} + \sqrt{-1}\,b_{ij}$ with $g_{ij}$ and $b_{ij}$ being the elements of the conductance and susceptance matrices, respectively, and $\phi_{ij}$ equals $\arctan(g_{ij}/b_{ij})$. $\mathcal{N}_i$ is the set of neighbors of node $i$ in graph $\mathcal{G}(\mathcal{N}, \mathcal{E})$, $D_i$ (in s/rad) is the generator damping coefficient, and $M_i$ (in s$^2$/rad) is the scaled inertia parameter. Further, $R_i$ is the frequency-power speed-droop characteristic constant, $\tau_i$ is the generator governor time constant, and $P_i^{s}$ denotes the generator's power set-point. Notice that $\omega_{i,\mathrm{meas}}$ is the measured value of state $\omega_i$ for all $i \in \mathcal{N}_f^{(S)}$.
The dynamics of inverter-based power supplies can similarly be represented by a constant voltage behind reactance model, augmented to include a frequency-droop controller. For an inverter-based power supply at fictitious bus $i \in \mathcal{N}_f^{(I)}$, let $\theta_i$ denote the angle of the bus voltage measured with respect to the nominal system electrical frequency $\omega_0$, and let $P_i^{s}$ denote the generation set-point. For each inverter-based power supply where $D_i$ (in s/rad) is the speed-droop characteristic slope of the power supply. In general, the relationship between the real power drawn at load bus $i \in \mathcal{N}^{(S)} \cup \mathcal{N}^{(I)} \cup \mathcal{N}^{(L)}$ and the bus voltage and frequency is nonlinear.
However, for constant voltages and small frequency deviations around the nominal frequency ω0 , it is reasonable to assume that the real power drawn by the load equals P d i + D i θ i where D i > 0 and P d i > 0 are the constant frequency coefficient of load and the nominal load at bus i ∈ N (S) ∪ N (I) ∪ N (L) , respectively. Therefore, for constant voltages and small frequency deviations, the dynamics of the phase angle at load bus i ∈ N (S) ∪ N (I) ∪ N (L) can be modeled by Here, we ignore reactive powers for generators and loads. Notice that reactive power analysis is unnecessary in this study.

Cyber Layer
Each bus $i$ is equipped with a controller, transceiver, and measurement unit that allow bus $i$ to communicate with the central controller (i.e., the microgrid operator) as well as other bus controllers. As mentioned earlier, fictitious buses represent the internal generation voltages for synchronous generators and inverter-interfaced power supplies. Each inverter-interfaced power supply is equipped with a controller, transceiver, and measurement unit so that the inverter-interfaced power supply at fictitious bus $i$ can measure and communicate its internal voltage phase angle. The rotor angle of synchronous generators has an electromechanical nature, and hence it cannot be measured via electric measurement units. However, we can estimate the rotor angle by using other electric parameters of synchronous generators. In the literature, several studies address the problem of estimating the rotor angle of synchronous generators (Tripathy et al., 2010) (Venkatasubramanian and Kavasseri, 2004). Each synchronous generator is equipped with a controller, transceiver, and measurement unit, and the measurement unit at bus $i$ uses a rotor angle estimator to compute the internal voltage phase angle for the synchronous generator at bus $i$.
A communication network connects the local controllers and the microgrid operator. This network allows the local controllers to send their feedback information, including rotors' speeds and voltage phase angles, to the central controller. It also allows the microgrid operator to send different control commands to the local controllers. In this study, we assume that the communication paths from the microgrid operator to the local controllers are secure while other paths are not secure. Note that typically, central controllers are strongly protected against cyber attacks, and that local controllers are more vulnerable to cyber attacks (CIP Standards, 2020). In particular, we consider the following attack types:
• Attack 1: an attack that corrupts the communication paths from the transceivers to the central controller.
• Attack 2: an attack that affects measurement units.
We further assume that the set of attacked measurements can change with time. To illustrate different attack types, we refer the reader to Figure 1.
Next, we propose a secure dynamic state estimator for AC microgrids.

SECURE STATE ESTIMATION FOR AC MICROGRIDS
Let us assume that time is divided into slots of size $\delta$. At each time slot $k$, the central controller receives the measured values of voltage phase angles, generators' internal angles, and rotors' speed. Let $y_i[k]$ denote the measurement vector received from bus $i \in \mathcal{N}$. Each measurement $y_i[k]$ is subject to cyber attacks and corruptions. Therefore, we have: assumption is the number of attacked measurements, i.e., a corruption or an attack signal is sparse. Our goal is to reconstruct $\theta_i[k]$ for all $i \in \mathcal{N}$ and $\omega_i[k]$ for all $i \in \mathcal{N}_f^{(S)}$ using the measurements. To achieve this goal, we first obtain a discrete-time approximation of the microgrid dynamics, and then propose a secure dynamic state estimator.

Discrete-Time System Model
We obtain a discrete-time approximation of the microgrid dynamics using the forward Euler discretization scheme. Let us begin with the synchronous generators, and use the same approach for inverter-interfaced power supplies and loads.
Synchronous Generators: For each synchronous generator at Here we define some auxiliary variables for presentation purposes. These parameters/variables carry no meaning of their own. The main variables and parameters are defined in the system model.
Notice that $\omega_{i,\mathrm{meas}}[k]$ equals $[0,\ 1]\, y_i[k]$ which is equal to $(\omega_i[k] + [0,\ 1]\, e_i[k])$. Using Eq. 14-15, we have Notice that the coefficients of $c^{c}_{ij}[k]$ and $c^{s}_{ij}[k]$ can be calculated using the measurement received from the local controllers. Now, the state space model of the synchronous generator at fictitious bus $i \in \mathcal{N}_f^{(S)}$ can be represented by where the state vector Notice that $n(i)$ denotes the number of neighbors of node $i$ in graph $\mathcal{G}(\mathcal{N}, \mathcal{E})$, i.e., $n(i) = |\mathcal{N}_i|$, and that nodes $j_1, \dots, j_{n(i)}$ represent the neighbors of node $i$ in $\mathcal{G}(\mathcal{N}, \mathcal{E})$. More precisely, we have $H_i[k] \in \mathbb{R}^{1 \times 2n(i)}$ and $\epsilon_i[k] \in \mathbb{R}^{2n(i)}$. Next, by using the same approach, we obtain the state space model of inverter-interfaced power supplies and loads.
Inverter-interfaced Power Supplies: The state space model of the inverter-interfaced power supply at fictitious bus $i \in \mathcal{N}_f^{(I)}$ can be described by where
Loads: The state space model of the load at bus $i \in \mathcal{N}^{(S)} \cup \mathcal{N}^{(I)} \cup \mathcal{N}^{(L)}$ can be described by

Secure Dynamic State Estimator
Consider an enlarged system composed of all the system dynamics: where Notice that we have $c_{ij}[k] = c_{ji}[k]$ and $\phi_{ij} = \phi_{ji}$. Hence, the dimension of $\Psi_2$ and $\bar{E}$ can also be reduced as follows: We now choose $\Omega \in \mathbb{R}^{(K|\mathcal{N}| - 2|\mathcal{N}|) \times K(|\mathcal{N}| + m)}$ which annihilates $\Phi$, i.e., $\Omega\Phi = 0$. We then have: where $\tilde{\Psi}$ and $\tilde{E}$ are the reduced $\Psi$ and $\bar{E}$. In error correction, accurate decoding is guaranteed when the coding matrix (i.e., $\Omega\Phi$) satisfies the Restricted Isometry Property (RIP). Notice that RIP can be obtained by randomly selecting a coding matrix a priori.
In , Theorem 1 provides a sufficient condition for perfect reconstruction of the states against sensor attacks and describes estimator design by using a state feedback controller. However, in the current setting, since there is a limitation to manipulate the coding matrix, we combine our secure estimation scheme with a Kalman Filter (KF) to enhance its performance in practice.

NUMERICAL RESULTS
Consider an AC microgrid comprising $m = 3$ synchronous generators, $n = 25$ inverter-interfaced power supplies, and $l = 5$ load buses. The microgrid topology is shown in Figure 2. This microgrid topology is a modified IEEE 33-bus distribution system from Baran and Wu (1989). Notice that in the augmented network, the number of buses is 61. We consider the fictitious buses for the synchronous generators to be buses 34, 35, and 36, and the fictitious buses for the inverter-interfaced power supplies to be buses 37-61. The microgrid is connected to the grid via the tie-line connected to bus one. We select the turbine time constants to be $\tau_i = 5$ s, the generator damping coefficients to be $D_i = 2$, the inertia constants to be $M_i = 10$, and the droop coefficients to be $R_i = 9.5$ for all $i \in \mathcal{N}^{(S)}$.
We further select the inverter-interfaced power supply droop coefficients to be $D_i = 0.7$ for all $i \in \mathcal{N}^{(I)}$, and the constant frequency coefficients of the loads to be $D_i = 0.1$ for all $i \in \mathcal{N}^{(L)}$.
The system is simulated for $t = 20$ s with a discretization step of $\delta = 1/60$ seconds. We select the nominal loads $P_i^{d}$'s randomly from the interval [0, 0.5] pu, and select the generation set-points $P_i^{s}$'s such that the system is balanced. Notice that computing the active power set-points $P_i^{s}$'s is not the subject of this study. Therefore, we only need to select the values of $P_i^{s}$'s such that the demand and supply are balanced. Without loss of generality, we assume that voltage magnitudes $V_i[k]$'s are equal to 1 pu for all $k$ and $i = 1, \dots, 33$.

[Figure caption] The rows and columns correspond to measurements and time steps, respectively. In the subfigures, the color indicates the attack signal: red is an attack with positive value, green is an attack with negative value, and black is no attack. Only measurements of the synchronous generator buses and their corresponding fictitious buses are corrupted by the attack. Notice that measurements 1-6 correspond to rotor angle and speed measurements from the fictitious synchronous generator buses, and measurements 34, 37 and 40 correspond to phase angle measurements from the synchronous generator buses. In subfigure "Estimation Error", the black color indicates there is zero estimation error for all measurements at all times.

We demonstrate the effectiveness of our secure state estimation method through simulations of the two types of attacks:
1. Type A: attacks targeted at synchronous generators, i.e., measurements $y_i[k]$'s, where $i \in \mathcal{N}^{(S)} \cup \mathcal{N}_f^{(S)}$, are corrupted.

[Figure caption] The rows and columns correspond to measurements and time steps, respectively. In the subfigures, the color indicates the attack signal: red is an attack with positive value, green is an attack with negative value, and black is no attack. Only measurements of the inverter-interfaced power supply buses and their corresponding fictitious buses are corrupted by the attack. In subfigure "Estimation Error", the black color indicates there is zero estimation error for all measurements at all times.

For each of these attack types, we simulate three scenarios:
1. Scenario 1: There is no cyber attack on the microgrid.
2. Scenario 2: Measurements are attacked, and they are not protected by any secure state estimator.
3. Scenario 3: Measurements are attacked, and they are protected by the proposed dynamic state estimator.

Attack Type A: Synchronous Generator Attacks
The microgrid operator measures rotor angle from the three synchronous generator buses, and rotor angle and speed from the three fictitious synchronous generator buses. Hence, the operator has access to nine measurements that are subject to cyber attacks. We assume that from $t = 1.1$ s onwards, the attacker randomly chooses a set of five measurements out of the nine measurements and corrupts them with random signals at each time step. Figure 3 shows the simulation results for the three scenarios: 1) there is no attack (No Attack), 2) the measurements are attacked and they are not protected with any secure estimator (SE), and 3) the measurements are attacked and the microgrid operator uses the proposed SE. Notice that in Figure 3, we only show phase angles and rotor speeds of the three fictitious synchronous generator buses.
In the microgrid without cyber attacks, the rotor speeds converge to 60 Hz after an initial transient period. As mentioned earlier, no secure estimation is used in Scenario 2 while the microgrid operator uses the proposed secure state estimation to recover the system states in Scenario 3. Therefore, neither rotor angles nor speeds can be estimated correctly in Scenario 2, as shown in Figure 3. However, the operator can perfectly estimate both rotor angles and speeds in Scenario 3. Figure 4 shows the attack signal, secure estimator's estimated attack signal, and the estimation error. The results show that the proposed dynamic state estimator accurately estimates the system state. Hence, the system's dynamics are identical to the system without any attacks.

Attack Type B: Inverter-Interfaced Power Supply Attacks
The microgrid operator measures phase angles from the inverter-interfaced power supply buses. Hence, the operator has access to 50 measurements that are subject to cyber attack: 25 correspond to phase angle measurements of the inverter-interfaced power supply buses and 25 correspond to the phase angle measurements of the corresponding fictitious buses. We assume that from $t = 1.1$ s onwards, the attacker randomly chooses a set of five measurements out of the 50 measurements and corrupts them with random signals at each time step. The simulation results are shown in Figure 5 and Figure 6. The results show that both phase angles and rotor speeds are severely affected when the measurements are attacked and no secure estimator is used by the operator. However, the microgrid operator can perfectly recover the attack signals and restore the system's normal dynamics as if there was no attack when secure state estimation is used.

CONCLUSION
We propose a secure state estimator for dynamic state estimation in AC microgrids under cyber physical attacks. We show that the microgrid operator can perfectly reconstruct the dynamic states in its AC microgrid using our estimator. We envision that the proposed approach ensures microgrid resilience and enables secure microgrid operations.

DATA AVAILABILITY STATEMENT
The original contributions presented in the study are included in the article/supplementary material; further inquiries can be directed to the corresponding author.