Node Importance Evaluation of Cyber-Physical System under Cyber-Attacks Spreading

The study of cyber-attacks, and in particular the spread of attack on the power cyber-physical system, has recently attracted considerable attention. Identifying and evaluating the important nodes under the cyber-attack propagation scenario are of great signiﬁcance for improving the reliability and survivability of the power system. In this paper, we improve the closeness centrality algorithm and propose a compound centrality algorithm based on adaptive coeﬃcient to evaluate the importance of single-layer network nodes. Moreover, we quantitatively calculated the decouple degree of cascading failures caused by exposed nodes formed by attack propagation. At last, experiments based on the IEEE 57 test system show that the proposed compound centrality algorithm can match the cyber-attack propagation scenario well, and we give the importance values of the nodes in a speciﬁc attack scenario.


Introduction
In recent years, electric power systems are facing unprecedented threat from cyber-attacks due to the rapid development of the information network and the higher integration of critical infrastructure and IED (intelligent electronic device) equipment in power CPS (cyber-physical system) [1][2][3]. e widely deployed ICT (information and communications technology) system makes the interaction more complex among multiple systems, especially more vulnerable under cyber-attacks. e failure of a single-layer system after being attacked by a cyber-attack will spread through the interdependent network, causing fragmentation and cascading failures [4,5] and induce a large-scale power flow abnormal transferring. e abovementioned cascading failure process and cyber-attacks will eventually lead to a blackout that led to the collapse of the power system such as large blackouts which occurred in North America in 2003 [6], Rome in 2004 [7], and Ukraine in 2015 [8].
A large number of studies have shown that the power grid has small-world effect and scale-free property [9]. It shows strong robustness under random attacks but very fragile to deliberate attacks. Wang et al. in [10,11] proposed methods to improve the stability of the power system. Albert et al. in [12] found that the power grid can maintain stable under most disturbances, but when the key power nodes are attacked, the synchronization ability of the grid will be greatly reduced. erefore, identifying and assessing important nodes in the power grid and performing prevention and control are of great significance for improving the reliability and survivability of the power system. e current node importance evaluation methods include evaluation methods based on local information such as K-shell decomposition method [13], based on node path such as closeness centrality [14], based on feature vectors such as PageRank algorithm [15], and based on node removal [16] and contraction [17]. e authors in [17] applied the node contraction method to the power grid and verified the feasibility of identifying important nodes based on the topological structure of the power grid. A comprehensive evaluation index that takes into account both electrical characteristics and topological structure characteristics is proposed to identify important nodes in the power grid [18]. Based on the node link strength defined by power flow tracking, the author in [19] identifies important nodes in the power system from the perspective of global energy transmission. In [20], the authors analyze the benefits, losses, costs, and other factors of network attacks and use dynamic Bayesian networks to comprehensively evaluate the attack effects of network nodes. In [21], the improved threat propagation tree is used to evaluate the situation and a CPPS security situation assessment model that considers threat propagation is proposed. e above node importance evaluation method only focuses on the characteristics of a single-layer network and does not consider the method of identifying key nodes of the power system under the interdependent network.
About interdependent networks, Buldyrev first analyzed the cascading failure in 2010 and proposed a cascading failure model based on network topology [22]. e author in [23] proposed electrical distance and node electrical coupling connectivity metric to identify key nodes in complex power grids. e average load balance of adjacent nodes and the parameter of network load rate are combined to measure the impact of the disabled node on the network and judge the importance of nodes in the interdependent network [24]. e above node importance evaluation considers the impact of disabled nodes on the interdependent network from different aspects but does not effectively analyze the composite value of nodes in the power CPS under the cyberattack propagation scenario.
Whether the above node importance evaluation is based on a single-layer network or an interdependent network, the importance value is only a fixed value calculated based on a certain characteristic of the system. Without considering the potential dangers brought by the spread of cyber-attacks, such fixed indexes cannot meet the system's need to distinguish important nodes under the attack spread scenarios. In this paper, the analysis of potential dangers caused by the spread of cyber-attacks is shown in Figure 1. Suppose that at a certain time during the interval between two detections, a certain device in the information network is attacked by a cyber-attack (such as worms, and Trojan Horse).
(1) First, before the attacked device is successfully detected by the power CPS and the countermeasures are executed, the spread of the cyber-attack is in the first stage. In this stage, the attack may have spread from the initially attacked device to the remaining devices that have topological connections or information interactions with it. Take the information layer network as an example: the data detection frequency cannot match the information exchange rate, which will cause the cyber-attack to be spread to the new information equipment due to the information exchange before the next detection. If the attack makes the transmitted device in exposed state (the device has been successfully attacked, but the attacker did not perform any attack operations), then the power system cannot successfully detect such exposed device in the next detection. (2) Subsequently, the power system detects the initial attacked device and executes countermeasures. Although the current detection failure rate can meet the expectations of the dispatch center, it cannot be reduced to zero. erefore, the response strategy made by the dispatch center can only reduce and block the harm caused by cyber-attacks to a certain extent. And, this strategy does not consider the cyber-attack propagation described in (1). In fact, after the first propagation stage, there are most likely exposed nodes in the power system.
(3) e period from the execution of the strategy to the next detection, the spread of cyber-attacks has reached the second stage. Although the previous strategies dealt with the initially attacked device, the exposed nodes formed in the first propagation stage will continue deepen the scope of cyber-attacks over time.
(4) After the above two propagation stages, most devices have the potential to be attacked. is potential risk may expose the power system to great danger during the interval between two detections.
In order to improve the proposed node importance evaluation method of power CPS and effectively reduce the potential risks caused by the cyber-attack propagation between the detection gap, in this paper, from the information network and cyber-physical interdependent network two aspects, we propose a node importance evaluation method suitable for cyber-attack scenarios. e main contributions of this paper are as follows: (1) At the information network level, considering the propagation of cyber-attacks among information devices, a compound centrality index and its calculation method of nodes based on adaptive coefficients are proposed. is index improves the onesidedness of the existing centrality indexes, and the time-varying calculation result better matches the importance of the power CPS node under the cyberattack propagation scenario. (2) Establish a cyber-physical interdependent network model to analyze the cascading failure behavior characteristics of the system and give a quantitative analysis of the degree of power grid decoupling under different attack scenarios. Calculate the degree of decoupling caused by cascading failures which caused by exposed nodes under the spread of cyberattacks and comprehensively reflect the importance of different nodes in power CPS.
In the second section, we proposed the node risk and established a network attack propagation model. e third section improves closeness centrality and proposes a compound centrality algorithm based on adaptive coefficients. In the fourth section, the power system cyber-physical interdependent network is established to quantitatively calculate the degree of cascading failure that the exposed node formed by the spread of cyber-attacks may cause. In the fifth section, a case study is given to prove the advantages of our proposed algorithm and report the conclusion.

Cyber-Attack Propagation Model
Cyber-attacks occur more commonly in power communication networks due to the deep integration of communication and measurement devices such as phasor measurement units (PMUs). Attackers use new viruses and worms with autonomous propagation capabilities to falsify or control the resources of the information layer to endanger the security and reliability of the power grid. erefore, in this section, establish a cyber-attack propagation model for power CPS information layer devices which can apply to all equipped information devices with communication capabilities, such as information acquisition system SCADA (Supervisory Control and Data Acquisition), energy management system EMS (Energy Management System), WAMS (Wide Area Measurement System), and so on. Since SCADA, EMS, and WAMS have a certain time interval in collecting, monitoring, processing information, and transmitting instructions, while considering the characteristics of information systems based on discrete events and the propagation mechanism of new viruses such as worms, the unit propagation time of the attack t is defined as the data interaction interval of power CPS. According to the propagation stage of the cyber-attack, the information equipment is divided into 5 states. A single device can only be in one state within a unit of propagation time t. Under certain conditions, the current state can be transformed into other states. e situation transformation process is shown in Figure 2.
(1) Infected. e device has been successfully infected by a cyber-attack and has been manipulated by the attacker to perform some actions (for example, tampering with operating data and modifying switch status). It has the ability to infect other devices. e detection system can detect the device. (2) Exposed. e device successfully infected by a cyberattack, but the attacker has not performed any attack operations. It has the ability to infect other devices. e detection system cannot find the device.
e device directly connected to the infected or exposed device in the communication topology. ere are security vulnerabilities that can be infected by malicious code such as worms but have not been infected yet and do not have the ability to infect other devices. (4) Isolated. e device that has been attacked is automatically isolated by the detection software or manually by the system operator. No longer have hardware connections or data interactions with other devices. No longer has the ability to infect other devices. (5) Normal. Devices are in a normal state of untouched cyber-attacks.

Probability of Propagation.
In this section, we calculate the cyber-attack propagation probability between pairs of individuals who have a connection in the communication topology. Consider a pair of devices which are connected, one of which i is infective or exposed and the other j susceptible. Attack spreads through them by contact from i to j. en, the rate that j not being attacked in the continuous time system is as follows [25]: where r ij is the probability that the cyber-attack successfully spreads from infective or exposed device-i to susceptible device j under the self-protection mechanism of the device and information system. e infective device i remains infective for a time τ i that i has not been detected and disabled by the detection system.
Due to the cyber systems based on discrete events, use discrete time-steps rather than continuous time, in which case instead of taking the limit in equation (1) we simply set δt � 1, giving where τ i is the average detection time of the online detection system that is measured in data transmission time-steps.

Propagation Model.
For modeling the attack propagation clearly, we abstract different types of communication devices in the information layer as nodes. According to the Cyber-attack spreading

Detect and respond Attack
In two stages of propagation, the detection system cannot effectively guarantee the safety of the power system Existing detection process The first stage of propagation The second stage of propagation Complexity communication topology of the information network, the connection matrix C � c ij is defined. e matrix elements c ij are binary variables which equals 1 if i is kept connected to j in communication and 0 otherwise. We define the probability that a node may be attacked and turn into exposed state as the node risk P(·). Let us assume at the initial time t 0 between two detection gaps, one or several nodes in the CPS information layer are compromised by cyber-attacks and turn into infected while the remaining nodes are uncompromised. In the following period of time, the remaining nodes will turn into exposed with a certain probability, accompanied by a time-varying node risk. We define ψ � 1, 2, . . . , M { } as the set of information nodes; η � . . .
{ } is the set of infected nodes; and T � nt is the time when the attack spreads through n units of propagation time t. e attack spreads in stages, and the risk of each node changes with time as follows [26]: (1) At the initial time t 0 , the risk of infected and other nodes are as follows: where α t i is a binary variable which equals 1 (α t i � 1) if the node i has the possibility of being attacked at (2) By time t 0 + t, cyber-attacks may spread from infected nodes to susceptible nodes via routers and communication connections, turning susceptible nodes into exposed nodes, and the detection software has not detected them yet. e risk of each node is given by the following equation: where c ji is the probability that the attack propagates from node i to node j during the time t, and it is given in equation (2). (3) By time t 0 + 2t, the range and volume of cyber-attacks further expand over time, and the risk of exposed nodes deepens. e risk of each node is an iterative process over time. According to equations (4) and (5), the node risk by time t 0 + 2t is given by the following equation:  Complexity is the probability that the node is not attacked at time t 0 + 2t but is attacked at time t 0 + t. In equation (7), only P(α is unknown during the iteration process. is variable is discussed as follows: Substituting equation (8) into equation (7) to obtain the risk of some nodes at time t 0 + 2t: (4) By time t 0 + nt (n > 2), the node risk is given as follows: (5) During the above propagation process, if the initially infected node is detected and processed by the power system at time t � t 0 + xt, then in the time after that, the risk of the node is Notice. One of the ways the power system responds to cyberattacks is as follows. After successfully detecting the cyberattack, the power system will disable infected nodes automatically by the detection software or manually by the system operator. ese nodes are no longer connected to the information network (no more data interaction with other nodes), while the system no longer trusts its uploaded data. Namely, this type of node turns into the isolated state. en, they may be recovered to normal by the system and reconnect to the network, but in the propagation discussed in this paper, such nodes no longer participate in the propagation of cyber-attacks, that is, they cannot be reinfected by cyber-attacks.

Node Centrality Algorithm Based on Adaptive Coefficient
e connection form of the node and its position in the topological structure have a vital influence on the promotion or interruption of the spread of cyber-attacks [4]. At present, a variety of centrality algorithms have been applied to node importance evaluation. In this section, we propose a node importance evaluation algorithm that considers cyber-attacks propagation and the potential threats it may cause in the detection gap, which is more flexible and more suitable for attack scenarios.

Centrality Analysis.
According to the connection form of the node and its position in the topology, common node centrality algorithms include degree centrality [27], closeness centrality [28], betweenness centrality [28], and so on, all describe the importance of nodes in the network from different respects, and they are given as follows: where N is the number of nodes in the network, c ij is a binary decision variable that judges the topological structure or information interaction between nodes i and j, dis ij is the shortest path between nodes i and j; in this paper, we use the minimum number of nodes in the path from i to j as the value of the shortest path.σ st is the number of shortest paths from s to t; σ st (i) is the number of shortest paths from s to t which passing by node i. Degree centrality indicates the sum of the number of nodes directly connected to the designated node. Closeness centrality is the reciprocal of the average shortest path from the designated node to all other reachable nodes. In general, Complexity the closer a node is to other nodes, the greater its closeness centrality. Conversely, the smaller the node closeness centrality, the more the node is at the edge of the network. Betweenness centrality is the number of times that the designated node is located on the shortest path between any two other nodes. e three algorithms describe the importance of nodes from the perspectives of local characteristics, global characteristics, and propagation characteristics, while they also have certain limitations. Degree centrality can only onesidedly reflect the closeness between the designated node and its surrounding nodes. For example, the connection node between two partitioned networks has a smaller degree of centrality but a higher degree of importance. Or for some nodes with high degree centrality, the clustering network it embeds may be at the edge of the system. At this time, the degree centrality is relatively high but the degree of importance is average. However, as the nodes in a complex network, especially in large-node systems such as power systems, the position of the node in the system and some of its functions are far more important than the number of nodes around it. e descending order curve of the normalized values of DC, CC, and BC of each node in the IEEE14 system is shown in Figure 3. e comparative analysis is as follows: (1) e relative DC values of all nodes are arranged in descending order as shown in. It descends in steps, and there are 3 steps and some steps are larger in width. It descends in steps, and there are 3 steps and some steps are larger in width. For example, the DC of 6 nodes in the graph are all 0.4. e importance of these nodes in the same step cannot be distinguished. (2) e descending arrangement curve of relative CC is relatively smooth, but there is little difference among the values. e variable interval of the value is 0.585-1, which is too narrow.
(3) e relative BC descending order curve is also a smoother curve with values distributed in the interval 0-1. However, there is a platform segment with a value of 0, which accounts for 28.57% of the total system nodes, at its end. e node in this segment cannot effectively distinguish the importance.

Centrality Algorithm Based on Adaptive Coefficient.
According to the analysis results of the three centrality algorithms in 3.1, we can get the following. e three algorithms have their respective advantages and disadvantages. If only one centrality algorithm is selected as the basis for judging the importance of nodes, the sorting result is not appropriate and accurate. ese centrality algorithms make it impossible to effectively distinguish the importance of each node in the system under a specific attack scenario based on the fixed value calculated by the topology structure. Moreover, if the importance of nodes is only distinguished based on the node risk P that proposed in 2.2, the position of the node in the system is ignored, and the mutual influence between nodes in the process of attack propagation is discarded. erefore, after comprehensively considering the global attributes of CC and the propagation attributes of BC, this section improves the CC algorithm according to the propagation characteristics of cyber-attacks and proposes a compound centrality algorithm that considers both improved CC and BC to weaken the differences and shortcomings of existing centrality algorithms. Improved closeness centrality algorithm: where dis ji is the shortest path from j to i, j is the node initially infected by the cyber-attack, and i is the remaining nodes in the system. e compound centrality algorithm proposed in this paper performs a weighted summation of the two indexes of improved CC and BC, but the two are not completely independent indexes. For example, nodes with a high improved CC will have a higher BC under a certain probability. Summing the two indexes with a weight of 0.5, reasons such as duplication of information and redundant factors will cause the calculated composite index to be inaccurate. To solve this problem, this section proposes an adaptive coefficient as the weight of the two centralities.
In the propagation of the power CPS cyber-attack, the propagation probability between nodes c ij , as a key factor, has always been defined as a fixed value in previous studies. Considering the differences in the importance of each node in the network, a correction equation is proposed to modify c ij to a certain extent: where X is the correction coefficient and C j is the centrality index of node j. e c ij ′ of node j changes with the centrality index C j . e higher the C j , the lower the c ij ′ . at is, when C j increases, the probability of a cyber-attack spreading from node i to node j decreases. e iterative solution process of the adaptive coefficient z is given by equations (17)- (23). Equation (22) is the termination condition of the iteration, and equation (23) is the objective function. e appropriate initial values of z 1 and z 2 are selected and substituted into formula (17) to start the iteration. In equations (18) and (19), the composite centrality index C of the node and the propagation probability c ij are updated with the update of z. According to the risk model proposed in 2.2, use the iteratively updated c ij ′ to calculate the risk of each node and the average of the overall node risk, which is shown in equation (21). Substituting the average of the overall node risk in the current and previous iterations into equation (17) again will start a new round of iterative correction process. Until z satisfies the iteration termination condition z k − z k−1 ≤ 10 − 5 , the iteration process stops and jumps out of the iteration. Take the minimum the average of the overall node risk in all rounds of iterations as the objective function and find the optimal solution that satisfies the objective function in the iteration process. at is, at the target time t � T (T is an integer multiple of t ), after correcting with the optimal z, the average of the overall node 6 Complexity risk in the system is the smallest. is optimal solution is the adaptive coefficient of this paper. It can be seen from the above algorithm flow that if we want to start the iterative process of z, we need to give the first two initial values z 1 and z 2 of z. e rationality of the initial value selection and its influence on the number of iterations and the judgment of the optimal solution are discussed in the case study in Section 5.
where z k is the adaptive coefficient of the kth iteration, C k i is the compound centrality of node i when z � z k , c k ij is the probability of successful propagation of the attack from i to j modified according to C k i , P T i |k is when c ij � c k ij , the risk of node i at time T, P T k is when c ij � c k ij , the average risk of all nodes in the system at time T, and f is the decision function of z. A certain z k in the iterative process minimizes the average risk P T i |k of nodes in the system at the target time T.

Interdependent Network Model.
Electric power CPS is a multidimensional heterogeneous system that deeply embeds perception, information processing, and control platforms into the power system to meet real-time monitoring and achieve command-driven of the power system. e power network provides power for the information network, and the control and analysis module in information network reversely drives the power network. e interdependence between the two networks enables the power system to be modeled as a power cyber-physical interdependent network. Based on the "undirected" and "disordered" characteristics of general types of cyber-attacks (nondirected attacks) spreading in information systems, both the power network and the information network are equivalent to nonweighted undirected networks. Combining the actual situation of China's power system [5], only considering the characteristics of interconnection between nodes, using complex network theory to simplify the power and information network is as follows: (1) Ignore the functional differences among the plants and stations, and regard the power generation nodes and substation nodes, dispatching nodes and routing nodes in the information network as equivalent nodes, regardless the difference in the types, Complexity quantities, and deployment modes of devices in various sites (2) Ignoring the differences in information protocols and hierarchical structures among information nodes at all levels, it is considered that the lines between nodes can transmit bidirectional information, and multiple information lines in the same direction are combined to eliminate multiple edges and self-loops.
Use G P � (E P , V P ) and G C � (E C , V C ) to represent a power network with n nodes and k branches and an information network with m nodes and g branches, where E � e ij is the set of edges and v � v 1 , v 2 , . . . , v n is the set of nodes in the network, respectively. Each node in the power network G P is connected to an information node in G C . e power node provides electrical energy support to the information node, and the information node receives the status information sent by the power node and feeds back control instructions. Naturally, each node in G P connects and depends on the corresponding node in G C , and vice versa. In addition, according to the important status of the scheduling nodes, it is set as an autonomous node independent of the power grid. It deploys a complete backup power supply and power generation equipment, which is not affected by power grid energy fluctuations.
China's power line information network is a dedicated resource for the power system, and most of the communication lines are laid along with high-voltage transmission lines. e geographical similarity of the two layouts makes the topological structure between the information network and the power network highly similar. On the other hand, in order to meet the needs of control and dispatch, the information network also has dispatching nodes. So, the information network has more stations than the power network. At the same time, the optical information network needs to be formed into a ring to protect its self-healing ability, and the structure of the information network is more complicated [29]. erefore, the dependent network model selects the "part-to-one correspondence" coupling mode, and the established power cyber-physical dependent network model is shown in Figure 4.
Different from the single-layer network with only connectivity link, there are two types of edges in the interdependent network: the connectivity link and the dependency link. e nodes in the single-layer network rely on the internal connectivity link (the black solid lines in Figure 4) to achieve corresponding functions. For example, the power generation nodes, substation nodes, and load nodes in the power network realize the generation, transmission, and consumption of electric energy through the transmission line. e topological structure of the information network is more complicated than that of the power network. In Figure 5, there are connecting links that do not exist in the power network between the information node 2 and the information node 8. e dependency link between the two networks (the red dotted line in Figure 4) is used as a medium for energy or information exchange to realize the mutual influence between the two-layer networks. e dependency matrix D P−C , D C−P is defined according to the connection relationship of the power cyber-physical dependent network, and the matrix element d ij uses logic elements of "1" and "0" to indicate whether there is a dependency edge between the power and information nodes. In summary, establish a power cyber-physical interdependence network that includes power grids, information networks, and the interdependency links . . , v n is the set of nodes in a singlelayer network, E � e ij is the set of connectivity links in a single-layer network, and D P−C , D C−P is the set of the dependency links between the power cyber-physical dependent network.

Cascading Failure Behavior.
According to the operating principle of the dependent network, the failure of the power node or information node will lead to the failure of the dependent node in the other network. e power network or information network will be broken into several fragmented networks, and the scope of the attack will expand with the expansion of the network fragmentation and eventually cause cascading failures in the dependent network [29]. Describe the cascading failure behavior caused by the attack as follows: (1) When one or some information nodes (power nodes) in the information network G C (or power network G P ) are attacked and fail, the connectivity links and the dependency links on these nodes fail too; (2) Corresponding nodes in the power network G P fail due to the interdependence with the failure node in G C . Corresponding, the connectivity links and the dependency links on the nodes also fail. After removing all the abovementioned faulty nodes, the connectivity links, and the dependency links, the power and information network is decomposed into several fragmented networks. (3) (On the basis of 2), identify the connected subgraph in G P and G C , and judge the nodes that do not belong to the connected subgraph as failed nodes. Remove the newly determined failed node and its connectivity links and dependency links. Based on this process, the system will reach stability after a certain number of propagations of the failure in the dependent network. (4) Identify the set of nodes in the maximal connected subgraph in the stable network, and finally determine the stable state of the decoupled network.
Notice. According to the main research content of this paper, the information layer network attack and its propagation mechanism demand for network connectivity use "the set of nodes in the maximal connected subgraph" [29] to judge the stable state of the dependent network. e set element is the power-cyber node group v P − v C , and the dependency links between v P and v C , where v P belongs to the maximal 8 Complexity connected subgraph in the power network and v C also belongs to the maximal connected subgraph in the information network. In order to ensure the effectiveness of connectivity, after the fragmentation of the network, only the nodes in the set of nodes in the maximal connected subgraph are available, and the remaining nodes fail.
According to the cascading failure behavior, taking the IEEE14 node as an example, the failure decoupling process of the dependent network is shown in Figure 6 when the initial attack node is 4 and 11. e upper network in the figure is the power system G P , and the lower network is the information system G C . Figure 6(a) shows that the   Complexity connectivity of G C is similar to that of G P , but compared with G P , G C has one more independent green "scheduling node" and green connectivity links between the scheduling nodes and each information node, and three more green connectivity links between 4-14, 3-11, and 5-12. In Figure 6(b), the nodes 4 and 11 failed due to cyber-attacks and turned to red. Correspondingly, the connectivity link connected to it fails and turns to a dashed line, and the dependency link fails and turns to a red line, and the corresponding dependent nodes and connectivity links in G P are treated in the same way. In Figure 6(c), we delete the failed node and the failed edge in Figure 6(b). e remaining nodes that do not belong to the connected subgraph are turned into blue, and the connecting edges on these nodes turn to blue dashed lines. At this time, it can be seen that both networks are fragmented since 5-12 connecting edge in G C , and the number of nodes in the connected subgraph is greater than that in G P , and the degree of fragmentation is not as serious as G P . Figure 7(d) filters out the set of nodes in the maximal connected subgraph from Figure 7(c). At this time, the power interdependent network finally reaches a stable state.

Decoupling Degree Based on Cascading Failure.
According to the behavior of cascading failures, it can be seen that the cascading failure propagation process in this paper is suitable for random cyber-attacks and deliberate cyber-attacks of power CPS. e attacker can choose one or some nodes as the attack target to form different combinations of cyber-attacks. Different combinations of attacks will cause different decoupling processes. e exposed nodes formed in the process of cyber-attack propagation will not only cause the attack propagation between the information layer devices during the detection gap but also cause the cascading failure of the power cyber-physical dependent network. e node survival rate S is established to describe the degree of decoupling of power CPS when the system reaches a steady state after the cascading failure. e larger the value of S, the more the number of nodes remaining in the stable state of the system and the lower the degree of system decoupling.
S � N C ′ + N P ′ N C + N P , (24) where N P and N P ′ are the number of effective nodes in the power network before and after the cascade failure andN C and N C ′ are the number of effective nodes in the information network before and after the cascade failure.

Experimental Results
We use the connection relationship of the IEEE57-bus test system to simulate the information layer network connection relationship, ignoring the weight of each link; it is shown in Figure 5.

Compound Centrality Algorithm
Notice. In the information layer cyber-attack propagation model described in Section 1, the initial time t 0 should be the time when the cyber-attack occurred. However, at present, the power system cannot accurately analyze which time the cyber-attack occurred between the two detection gaps. erefore, in the experiment, the moment when the cyberattack is detected is regarded as the initial moment in the risk P(·) calculation. And, set the power system to make a response strategy to disable the attacked device at time t + t.
Establish the attack scenario with attack the information device equipped on node 18. e BC and improved CC  10 Complexity indexes of the remaining nodes calculated according to formulas (13) and (14) are shown in Table 1, and the two indexes are ranked according to importance. It can be seen from the table: (1) e improved CC index mainly serves the attack scenario. e closer the node to the initial infected node, the lower the node's improved CC value. At the same time, the indexes have a certain degree of repeatability; for example, the value of the improved CC index for 7 nodes is equal to 4. (2) e importance ranking results of BC and improved CC are obviously different. Some nodes have higher improved CC and lower BC, such as node 9. Some nodes have lower improved CC and higher BC, such as node 37.
Perform log normalization processing (x ⌢ � log 10 (x)/log 10 (max)) on the BC and improved CC indexes in Table 1, and use them as the input data to execute the compound centrality algorithm proposed in this paper. e iterative results z and iteration times N of the adaptive coefficients under different correction coefficients X and different target times T are shown in Table 2.
According to the iterative results in Table 2, it can be seen that in the initial stage of attack propagation, there is a certain proportion of improved CC in the compound centrality. at is, in the initial stage of propagation, mainly modifying c ij of node j which is near the infected node has a better effect on reducing the overall risk. However, as the attack spreads, the proportion of BC in the compound centrality gradually increases.
at is, the propagation characteristics possessed by nodes in the topological structure in the later stage of propagation have a more obvious effect on reducing risk which caused by the spread of the attack. In addition, it can be seen that the iteration times of this algorithm are less than 10, and the convergence speed of the algorithm is fast, which can meet the demand for timeliness of power system scheduling. And, we verified that the selection of the initial value of z has no effect on the convergence value of the iteration and the optimal solution. It has a slight impact on the iteration times, but the number of iterations can also be guaranteed within 10 times.
In the case of X � 0.03, T � 15t and X � 0.03, T � 30t, using compound centrality, improved CC, BC, and DC to modify c, the risk of the remaining nodes of the system is shown in Figures 7 and 8. Figure 7 shows the following: (1) In the initial stage of attack propagation, the risk of several nodes that are topologically close to the initial infection node 18 rises fastest (for example, node 4, 19, 5, 6, 20) (2) In the initial stage of attack propagation, in view of the strong correlation between the improved CC and Notice. According to the improved CC, the lower the CC, the closer the node is to the attacked node and the higher the node importance.    the cyber-attack scenario, the minimum risk after the use of the improved CC indicator to modify c is slightly better than the effect of using the composite centrality indicator to modify. (1) Node 4 is located in the direct connection position of the infected node 18, and node 6 is in a special position in the connection relationship (with a high BC and DC index). When the conventional centrality is used to modify c, because the index does not consider the characteristics of each attack scenario, the risk of node 4 and node 6 rises faster, which cannot effectively reduce the risk in the system. Note that the correction effect of the BC is better than that of the DC; in other words, during the attack propagation process, the propagation attribute of the node is more important than the local attribute. (2) When using the improved CC and compound centrality to modify, since the characteristics of the attack scenario is considered in the index, the attack spread in the system is effectively curbed and the risk of node 4 and node 6 is reduced. Note that the improved CC only considers the actual situation of the attack, which is really effective in reducing the risk of node 4 and node 19 which are close to infected node 18, but does not consider the role of nodes in the subsequent attack propagation. erefore, the effect of risk reduction for other nodes is worse than that of the compound centrality index. (1) As the attack spreads, the compound centrality is used to modify c, which effectively reduces the impact of the attack on the 19th node with a higher initial risk. (2) Although in the initial stage of attack propagation, the effect of using the improved CC to modify c is slightly better than that of the compound centrality modification; considering the overall attack propagation, the effect of compound centrality correction c is better.
In summary, the compound centrality considers both the characteristics of attack scenarios and the role of nodes in