Preprint article (this version is not peer-reviewed)

Privacy-Preserving Federated Cybersecurity Analytics for Smart-Grid SCADA: Maintaining Controllability and Observability Under Coordinated Attacks

Submitted: 03 April 2026
Posted: 07 April 2026

Abstract
Ensuring resilient controllability and observability in SCADA-based smart grids under coordinated cyberattacks remains a critical and unresolved challenge in modern cyber-physical power systems. This paper demonstrates the impact of coordinated cyberattacks on the stability and monitoring capabilities of SCADA-based smart grid systems in a controlled cyber-physical environment. An active cyber-physical testbed representing a multi-bus power system was created to analyze how attacks targeting communication channels affect controllability and observability. Several attack scenarios were implemented, including remote access attacks via Secure Shell (SSH), Modbus/TCP flooding, and ICMP-based attacks, to observe their impact on control actions, measurement accuracy, and system responsiveness. To address these vulnerabilities, a SCADA-based cybersecurity monitoring system was implemented within the controlled testbed environment. The system analyzes SCADA operational logs from smart grid devices while packet-level network traffic is captured and examined using monitoring tools such as Wireshark. A central monitoring layer coordinates system-wide attack detection and response. System resilience was evaluated using controllability and observability matrix rank analysis, together with dynamic stability metrics during attack conditions. Experimental and simulation results show that coordinated cyberattacks lead to a significant degradation in system performance, with the average delay rising from 12 ms to 210 ms, the packet loss rate increasing to 15.5%, and the command execution error rate reaching 40%. Furthermore, the ranks of the controllability and observability matrices dropped from 4 to 2, indicating a critical partial loss of the system's control and monitoring capabilities. At the same time, the attack's impact on electrical properties remained limited to less than 2%.

1. Introduction

The evolution of traditional electrical power systems into smart grids has enabled improved monitoring, automation, and communication, with real-time monitoring and control systems that support generation, transmission, and distribution, thereby substantially improving system efficiency and reliability [1,2,3]. Smart grid (SG) systems link electrical infrastructure with communication networks, real-time monitoring devices, and control systems [1,2,3]. These features improve situational awareness and operational flexibility, and support more efficient energy management in modern power systems [2].
As smart grid technologies continue to advance, cybersecurity (CS) has become a major concern [1,2,4]. The increasing dependence on communication networks and digital control systems expands the attack surface of power system infrastructures, making them more vulnerable to cyber threats [2,3]. Communication protocols such as Secure Shell (SSH), Modbus/TCP, and ICMP are widely used in modern industrial environments [3,5]. They may be abused in cyberattacks such as Denial-of-Service (DoS), unauthorized access, and traffic flooding [5,6]. Such attacks can disrupt communication between SCADA systems and field devices, leading to delayed control actions, inaccurate measurement data, and reduced system reliability [6,7].
The integration of physical power system elements with communication and control technologies forms a cyber-physical system (CPS) [8]. In such systems, physical processes, including power generation, transmission, and load control, are tightly coupled to cyber components such as communication networks, sensors, and control methods. While CPS integration enables real-time monitoring and automated control, it also introduces weaknesses through which cyberattacks can propagate into physical system behavior, disrupting system stability, controllability, and observability [7,9].
The combination of smart grid infrastructure, cybersecurity issues, and cyber-physical system behavior creates a highly networked environment in which communication reliability, system monitoring, and control performance are interdependent [1,2]. Faults in communication networks caused by cyberattacks can reduce system observability and controllability, limiting operators' ability to accurately monitor system conditions and respond effectively to attacks [8,9]. Ensuring secure and reliable communication is therefore essential for maintaining stable operation in modern smart grid environments [3,10].
To address these problems, federated learning has emerged as a promising approach for improving cybersecurity in compromised cyber-physical systems [11,12]. Federated learning is a decentralized machine learning technique in which multiple nodes collectively train a shared global model without exchanging raw data [11]. Instead of sending sensitive data to a central server, each node performs local training on its own dataset and shares only model parameters or updates with a control center [11,12]. These updates are combined to form an improved global model, which is then redistributed to all active nodes.
This approach is well suited to smart grid environments, where data privacy, communication limitations, and system security are critical concerns [12,13]. By keeping data localized at SCADA nodes and network monitoring devices, federated learning reduces the risk of data exposure while enabling system-wide detection of cyber threats [12]. The inherently distributed nature of federated learning enables scalable and adaptive cybersecurity monitoring across widely distributed infrastructure [13].
In this research, a SCADA-based smart grid testbed is used to experimentally evaluate the impact of communication-based cyberattacks on system performance. This study analyzes communication behavior, SCADA response, and system stability under attack conditions. A mathematical framework based on controllability and observability is used to interpret how cyberattacks affect system monitoring and control capabilities [8,9]. A federated cybersecurity perspective is incorporated to demonstrate how distributed learning techniques can enhance the resilience of cyber-physical smart grid systems [12,13].
The main contributions of this study are summarized as follows:
  • Development of a real-time cyber-physical smart grid testbed integrated with a SCADA monitoring system
  • Implementation of protocol-based cyberattack scenarios using SSH
  • Integration of Wireshark for packet-level network monitoring and analysis
  • Evaluation of system performance using communication metrics and controllability/observability analysis
  • Experimental analysis of the interaction between cyberattacks and power system stability
To give a broad overview of the designed framework, Figure 1 illustrates the integration of smart grid systems, SCADA-based cyber systems, and federated learning for cybersecurity. The smart grid physical system is connected to the SCADA-based cyber layer through a communication network, forming a cyber-physical system. An SSH-based cyberattack is modeled to highlight weaknesses within the SCADA environment. To address these challenges, a federated learning framework is deployed across distributed SCADA nodes, enabling decentralized anomaly detection while preserving data privacy.

3. Methodology

3.1. Smart Grid Cyber-Physical Testbed

To analyze the impact of cyberattacks on smart grid operations, a real-time cyber-physical smart grid testbed was implemented using a SCADA monitoring platform. The testbed integrates electrical power system components with communication networks to emulate the behavior of a modern smart grid environment. The system includes multiple components such as an integrated network, transmission lines, consumer loads, and a wind power generation unit.
The SCADA interface provides real-time monitoring of system parameters, including power flow, voltage levels, and current measurements. Through this interface, system operators can observe system conditions and control various components within the smart grid infrastructure. Figure 2 illustrates the smart grid SCADA monitoring interface used in this study.

3.2. SCADA Server Monitoring Interface

In addition to the system overview interface, a cybersecurity monitoring interface was implemented to observe system measurements and control signals during cyberattack scenarios. The interface provides real-time measurements of system voltage and current values across different phases of the power system.
The SCADA server allows technicians to monitor system behavior and control the power system through switching operations. This interface plays an important role in observing the effects of cyberattacks on system monitoring capability and communication reliability. Figure 3 presents the cybersecurity server interface used to observe system measurements and control signals during the experiments.

3.3. Proposed Power System

Figure 4 shows a one-line diagram of the proposed power system. A three-bus smart-ring power system is proposed in this work and illustrated in Figure 5a. It comprises a primary generator and two loads. The main generator supplies the system with electrical power. Load 1 is powered and connected to renewable sources. A hybrid renewable energy system includes a wind turbine that serves as the on-site power source and is connected to the system via bus 3.

3.4. Physical Smart Grid Laboratory Testbed

The experimental platform used in this research consists of a physical smart grid laboratory setup that integrates power system modules, communication devices, and a SCADA monitoring workstation. The laboratory environment enables controlled experimentation on cyber-physical power system behavior under cybersecurity attack scenarios. Figure 5 shows the physical smart grid laboratory setup used during the experimental evaluation.
The smart grid training system includes multiple electrical modules representing transmission lines, loads, and power generation components. These modules are interconnected via measurement units and communication interfaces, enabling real-time monitoring via the SCADA platform.
Network connectivity between the smart grid devices and the monitoring workstation is provided via a Siemens industrial router, enabling communication across the cyber-physical testbed. This communication infrastructure allows cyberattack experiments to be conducted while observing their impact on power system monitoring and control behavior. Figure 6 shows the architecture of the cyber-physical smart grid testbed used for cybersecurity experiments.

3.5. Communication Network and Cyberattack Implementation

To evaluate the effect of cybersecurity attacks on the smart grid system, a communication network was established between the smart grid laboratory testbed and the SCADA monitoring workstation. The communication infrastructure was enabled through a Siemens industrial router, which provides network connectivity between the smart grid components and the monitoring computer.
The router was accessed and configured through its assigned IP address using the laboratory workstation. Once the router was powered on and initialized, network connectivity was verified with Wireshark, a packet-analysis tool for monitoring network traffic. Wireshark was used to confirm that the system was actively transmitting and receiving network packets under normal operating conditions before cyberattack experiments were performed.
After verifying network connectivity, a virtual machine running Kali Linux was launched on the laboratory workstation. Kali Linux was used as the attack platform to generate protocol-based cybersecurity attacks against the smart grid communication network.
The PuTTY software tool was then used to initiate remote communication sessions and configure the system's communication protocol. In this study, only the Secure Shell (SSH) protocol was utilized to establish secure remote connections between the monitoring workstation and the smart grid components.
Using PuTTY as shown in Figure 7, SSH-based sessions were initiated to enable controlled interaction with the system. These sessions served as the basis for generating protocol-based cyberattack traffic directed at the smart grid communication network.
During the attack experiments, Wireshark was employed to capture and analyze network packets under both normal operating conditions and during the SSH-based cyberattack. Packet analysis enabled the identification of abnormal traffic patterns introduced by the attack and provided insight into how communication disruptions affected system monitoring and control performance.

3.6. Cyberattack Implementation

Within the configured environment, network security tools were used to simulate cyberattacks on the smart grid communication infrastructure. Communication sessions with the target devices were established using PuTTY, which enabled secure remote access via the Secure Shell (SSH) protocol during the experimental scenarios. In addition, the hping3 network testing tool available in the Kali Linux environment was used to generate Denial-of-Service (DoS) traffic against the target device, evaluating the system's response to abnormal network conditions.

3.7. System Monitoring and Data Collection

System behavior was monitored during both normal network operation and cybersecurity attacks to evaluate the impact of communication disruptions on smart grid operations. Network activity within the communication infrastructure was captured and analyzed using Wireshark, which provided real-time packet inspection and protocol analysis throughout the experiments.
Wireshark was used to observe packet transmission patterns, protocol activity, and communication traffic between the smart grid devices and the monitoring workstation. Captured network traffic allowed verification of normal communication behavior before initiating attack scenarios and provided visibility into network activity during the cybersecurity experiments. Figure 8 shows a Wireshark capture of normal Modbus/TCP communication between the SCADA monitoring workstation and the smart grid device under normal operating conditions.
In addition to monitoring network traffic, system control behavior was observed through the SCADA monitoring interface. The SCADA platform enabled switching operations on electrical loads connected to the smart grid testbed. A lighting load connected to the system was used as an operational indicator of system response.
During the experiments, switching commands were issued via the SCADA interface under both normal network conditions and simulated cyberattack scenarios. The system's response to these commands was monitored during data collection to assess how communication disruptions affect the system's control and monitoring capabilities.

3.8. Mathematical Modeling and Controllability/Observability Analysis

To evaluate the impact of cyberattacks on smart grid performance, the implemented system is modeled as a simplified 3-bus cyber-physical system (CPS). This model captures the interaction between system states, SCADA control actions, and measured outputs under both normal and compromised operating conditions [20,21,22].
The system dynamics are represented in discrete-time state-space form as:

$$x_{k+1} = A x_k + B u_k + a^{u}_{k}$$

$$y_k = C x_k + a^{y}_{k}$$

where $x_k$ is the state vector, $u_k$ is the control input vector, and $y_k$ is the measured output vector. The terms $a^{u}_{k}$ and $a^{y}_{k}$ represent actuator-side and sensor-side attack signals, respectively, modeling the effect of cyberattacks on control commands and measurement data [19,20,21,22].
For the simplified 3-bus smart grid system, the state vector is defined as:

$$x_k = \begin{bmatrix} v_1(t) & v_2(t) & v_3(t) & I_1(t) & I_2(t) & I_3(t) \end{bmatrix}^{T}$$

since the SCADA system provides real-time voltage and current measurements.

3.8.1. Controllability Analysis

The controllability of the system is evaluated using the controllability matrix:

$$\mathcal{C} = \begin{bmatrix} B & AB & A^{2}B & \cdots & A^{n-1}B \end{bmatrix}$$

The system is considered controllable if:

$$\operatorname{rank}(\mathcal{C}) = n$$

where $n$ is the number of system states [21].

3.8.2. Observability Analysis

Similarly, the observability of the system is evaluated using the observability matrix:

$$\mathcal{O} = \begin{bmatrix} C \\ CA \\ CA^{2} \\ \vdots \\ CA^{n-1} \end{bmatrix}$$

The system is considered observable if:

$$\operatorname{rank}(\mathcal{O}) = n$$
Under normal operating conditions, the SCADA monitoring system can reliably transmit control commands and receive measurement data, ensuring full controllability and observability of the system. During cyberattacks, packet loss, delays, or manipulation of control signals may degrade system performance. As a result, the reliable controllability and monitoring of a system may be decreased under attack conditions [19,20,21,22].
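The rank test above, carried out in code as an added example (this is not the paper's model or code). The 4-state matrices A, B and C are a constructed toy plant, chosen so that the intact system has rank 4, matching the ranks reported in Section 4.4.3, with two independent SCADA command channels and two measurement channels. Modelling a lost actuator channel by zeroing a column of B and a lost sensor channel by zeroing a row of C is my simplification of the attack terms $a^{u}_{k}$ and $a^{y}_{k}$ (a persistent denial of a channel rather than an arbitrary additive signal). Rank is computed exactly with Fraction arithmetic, so no floating-point tolerance has to be tuned.

```python
from fractions import Fraction

# Constructed 4-state toy model (assumption: not the paper's plant).  Two
# decoupled 2-state subsystems, each driven by one SCADA command channel
# (a column of B) and read by one measurement channel (a row of C).
A = [[1, 1, 0, 0],
     [0, 1, 0, 0],
     [0, 0, 1, 1],
     [0, 0, 0, 1]]
B = [[0, 0],
     [1, 0],
     [0, 0],
     [0, 1]]
C = [[1, 0, 0, 0],
     [0, 0, 1, 0]]


def matmul(X, Y):
    """Exact matrix product over the rationals (no numpy dependency)."""
    return [[sum(Fraction(X[i][k]) * Fraction(Y[k][j]) for k in range(len(Y)))
             for j in range(len(Y[0]))] for i in range(len(X))]


def rank(M):
    """Matrix rank by Gauss-Jordan elimination with exact Fraction arithmetic."""
    m = [[Fraction(v) for v in row] for row in M]
    r = 0
    for c in range(len(m[0])):
        pivot = next((i for i in range(r, len(m)) if m[i][c] != 0), None)
        if pivot is None:
            continue
        m[r], m[pivot] = m[pivot], m[r]
        for i in range(len(m)):
            if i != r and m[i][c] != 0:
                f = m[i][c] / m[r][c]
                m[i] = [a - f * b for a, b in zip(m[i], m[r])]
        r += 1
        if r == len(m):
            break
    return r


def controllability_matrix(A, B):
    """[B, AB, A^2 B, ..., A^(n-1) B], concatenated column-wise."""
    n = len(A)
    blocks, cur = [], B
    for _ in range(n):
        blocks.append(cur)
        cur = matmul(A, cur)
    return [sum((blk[i] for blk in blocks), []) for i in range(n)]


def observability_matrix(A, C):
    """[C; CA; CA^2; ...; CA^(n-1)], stacked row-wise."""
    n = len(A)
    rows, cur = [], C
    for _ in range(n):
        rows.extend(cur)
        cur = matmul(cur, A)
    return rows


def drop_input(B, j):
    """Actuator-side attack model: commands on channel j never reach the plant,
    so its column of B is zeroed (simplification of the a_k^u term)."""
    return [[0 if col == j else v for col, v in enumerate(row)] for row in B]


def drop_output(C, i):
    """Sensor-side attack model: measurement channel i is lost, so its row of C
    is zeroed (simplification of the a_k^y term)."""
    return [[0] * len(row) if idx == i else list(row) for idx, row in enumerate(C)]


def rank_report(A, B, C):
    """Return (rank of the controllability matrix, rank of the observability matrix)."""
    return rank(controllability_matrix(A, B)), rank(observability_matrix(A, C))


if __name__ == "__main__":
    n = len(A)
    scenarios = [("normal", B, C),
                 ("actuator channel 2 lost", drop_input(B, 1), C),
                 ("sensor channel 2 lost", B, drop_output(C, 1)),
                 ("both lost (coordinated)", drop_input(B, 1), drop_output(C, 1))]
    for label, Bx, Cx in scenarios:
        rc, ro = rank_report(A, Bx, Cx)
        print(f"{label:26s} rank(C)={rc} rank(O)={ro} "
              f"controllable={rc == n} observable={ro == n}")
```

Running the script prints rank 4/4 for the intact plant and 2/2 when one command channel and one measurement channel are both denied, which is the 4-to-2 pattern the paper reports. The same functions accept any A, B, C of consistent dimensions, so the check can be rerun against a plant model estimated from the real testbed.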

3.9. Federated Cybersecurity Modeling

To enhance cyberattack detection and improve system resilience, a federated learning framework is integrated into the smart grid cybersecurity architecture. In this approach, distributed nodes, such as SCADA devices and network monitoring units, collaboratively train a global intrusion detection model without sharing raw data [7,8,9].
Let $K$ denote the number of distributed nodes in the system. Each node $k$ maintains a local dataset $D_k$, defined as:

$$D_k = \{(x_i, y_i)\}_{i=1}^{n_k}$$

where $x_i \in \mathbb{R}^{d}$ represents a feature vector derived from network traffic, protocol behavior, and system measurements, and $y_i \in \{0, 1\}$ is the classification label, with 0 corresponding to normal operation and 1 to anomalous or malicious activity.
The total number of samples across all nodes is given by:

$$N = \sum_{k=1}^{K} n_k$$

Each node trains a local model using its private dataset. The local objective function at node $k$ is defined as:

$$F_k(w) = \frac{1}{n_k} \sum_{i \in D_k} \ell(w; x_i, y_i)$$

where $w$ represents the model parameters and $\ell$ is the loss function.
During each communication round $t$, the global model $w^{t}$ is transmitted to the participating nodes. Each node updates its local model using gradient descent:

$$w_k^{t+1} = w^{t} - \eta \nabla F_k(w^{t})$$

where $\eta$ is the learning rate.
After local training, the updated models are sent to a central aggregator, where they are combined using the Federated Averaging (FedAvg) algorithm [7]:

$$w^{t+1} = \sum_{k=1}^{K} \frac{n_k}{N}\, w_k^{t+1}$$

The corresponding global objective function, which this weighted aggregation minimizes across all nodes, is expressed as:

$$F(w) = \sum_{k=1}^{K} \frac{n_k}{N}\, F_k(w)$$
This federated learning framework enables collaborative model training across distributed smart grid nodes while preserving data privacy, as raw cyber-physical system data remain local and are not transmitted. The resulting global model is deployed at each node to perform real-time intrusion detection and identify abnormal system behavior.
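The round structure of Section 3.9, written out as an added example (it is not the paper's code, and the paper does not state which model or features it used). Two constructed nodes, a SCADA node and a network monitor, each hold labelled traffic samples; each trains a logistic-regression detector locally with the gradient step $w_k^{t+1} = w^{t} - \eta \nabla F_k(w^{t})$, and only the weight vectors leave the node, where the aggregator applies the $n_k/N$ weighting. The feature map (packet rate, packet loss, bias) and its scaling, the sample values, and the learning-rate and round counts are my assumptions; the packet rates echo the four states of Section 4.4.1 but the loss percentages attached to them are constructed.

```python
import math


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def sigmoid(z):
    z = max(min(z, 500.0), -500.0)  # guard math.exp against overflow
    return 1.0 / (1.0 + math.exp(-z))


def features(pkt_rate, loss_pct):
    """Constructed feature map x_i (assumption): packet rate in kpkt/s,
    packet loss in units of 10%, plus a constant bias term."""
    return [pkt_rate / 1000.0, loss_pct / 10.0, 1.0]


# Constructed local datasets D_k (not measured data).  Label 0 = normal, 1 = attack.
NODE_SCADA = [(features(120, 0.0), 0), (features(115, 0.0), 0), (features(125, 0.0), 0),
              (features(350, 4.0), 1), (features(360, 5.0), 1), (features(340, 4.5), 1)]
NODE_NETMON = [(features(120, 0.0), 0),
               (features(1200, 10.0), 1), (features(1550, 15.5), 1), (features(1500, 15.0), 1)]


def local_gradient(w, data):
    """Gradient of F_k(w) = (1/n_k) sum l(w; x_i, y_i) for the logistic loss,
    i.e. (1/n_k) sum (sigmoid(w.x_i) - y_i) x_i."""
    n_k = len(data)
    grad = [0.0] * len(w)
    for x, y in data:
        err = sigmoid(dot(w, x)) - y
        for j in range(len(w)):
            grad[j] += err * x[j] / n_k
    return grad


def local_update(w_global, data, eta, steps):
    """Node side: w_k^{t+1} = w^t - eta * grad F_k(w^t), repeated `steps` times
    on the node's private data.  Only the resulting weights leave the node."""
    w = list(w_global)
    for _ in range(steps):
        g = local_gradient(w, data)
        w = [wj - eta * gj for wj, gj in zip(w, g)]
    return w


def fedavg_aggregate(local_models, sample_counts):
    """Aggregator side: w^{t+1} = sum_k (n_k / N) w_k^{t+1}."""
    N = sum(sample_counts)
    dim = len(local_models[0])
    return [sum((n_k / N) * w_k[j] for w_k, n_k in zip(local_models, sample_counts))
            for j in range(dim)]


def train_fedavg(node_datasets, rounds=300, eta=0.5, local_steps=5):
    """Full FedAvg loop: broadcast w^t, local training at every node, weighted averaging."""
    dim = len(node_datasets[0][0][0])
    w = [0.0] * dim
    counts = [len(d) for d in node_datasets]
    for _ in range(rounds):
        local_models = [local_update(w, d, eta, local_steps) for d in node_datasets]
        w = fedavg_aggregate(local_models, counts)
    return w


def predict(w, x):
    """Deployed global model: label 1 (attack) when sigmoid(w.x) > 0.5, i.e. w.x > 0."""
    return 1 if dot(w, x) > 0 else 0


def accuracy(w, data):
    return sum(predict(w, x) == y for x, y in data) / len(data)


GLOBAL_MODEL = train_fedavg([NODE_SCADA, NODE_NETMON])

if __name__ == "__main__":
    print("global weights:", [round(v, 3) for v in GLOBAL_MODEL])
    for name, data in (("SCADA node", NODE_SCADA), ("network monitor", NODE_NETMON)):
        print(f"{name}: training accuracy = {accuracy(GLOBAL_MODEL, data):.2f}")
```

Note that the aggregator never sees a sample, only the two weight vectors per round, which is the privacy property the section relies on; the unequal node sizes (6 and 4 samples) make the $n_k/N$ weighting visible in `fedavg_aggregate`.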

4. Experimental Results and Analysis

4.1. Normal System Operation

Under normal operating conditions, the smart grid system exhibited stable, reliable performance. Network traffic analysis showed steady Modbus/TCP communication between the SCADA workstation and the smart grid device, with no abnormal packet delays or traffic anomalies observed. From an operational perspective, SCADA control commands were performed successfully. Switching actions resulted in immediate and correct responses from the connected lighting load, confirming proper system controllability and responsiveness. These results confirm that both communication and control functions were operating under normal conditions, establishing a baseline for comparison with the cyberattack scenarios.

4.2. SSH-Based Attack

Following baseline system operation, the network was observed during an SSH-based cyberattack. As shown in Figure 9, the Wireshark capture shows a noticeable increase in SSH packets exchanged between the monitoring workstation and the smart grid device during the attack period.
Despite the elevated traffic, the communication channel remained stable, and packet captures continued to load without excessive delay. This indicates that the network maintained operational integrity under increased traffic conditions.
In addition to the observed SSH traffic, further analysis of the Wireshark capture revealed ICMP packets during the attack period, as shown in Figure 10. These packets indicate that the attack introduced additional network activity beyond the expected SSH communication.
The increase in ICMP traffic indicates the presence of a flooding or probing mechanism, illustrating how cyberattacks can generate multiple types of network traffic simultaneously, increasing the demand on the network. System performance was further observed through control operations. Switching commands issued through the SCADA interface remained operational. Although communication was functional, noticeable delays were observed during control operations. In several instances, the system exhibited inverse behavior, in which issued commands did not correspond to the expected response. These inconsistencies indicated reduced control reliability under the attack conditions, even though the system maintained partial operational capability.
Overall, the SSH-based communication maintained partial system functionality under abnormal network traffic conditions, but performance declined noticeably. Communication delays and unstable control responses were observed, including instances of inverse behavior in command execution. While the encrypted, connection-based nature of SSH provided some resistance, the results indicated that system performance and control reliability were still affected under attack conditions.

4.3. Comparative Performance and Power Flow Analysis

To further observe the impact of the SSH-based cyberattack on both communication performance and physical system behavior, a combined analysis of network activity and smart meter measurements was conducted.
From a communication perspective, the SSH-based attack introduced increased network traffic and noticeable delays, as observed in the Wireshark analysis. Although SCADA commands remained functional, inconsistent control responses were observed, including instances of inverse behavior in command execution.
To assess the effect on the physical layer, electrical measurements were collected from two smart meters (Meter 1 and Meter 2) under both normal operating conditions and during the SSH-based attack. The recorded parameters include phase voltage (V_PH, in V), line voltage (V_Line, in V), current (I, in A), active power (P, in W), reactive power (Q, in var), apparent power (S, in VA), system frequency (F, in Hz), and power factor.
Table 2. Electrical measurements at Meter 1 and Meter 2 under normal operating conditions.

Parameter       Meter 1 (192.168.1.20)   Meter 2 (192.168.168.31)
V_PH (V)        114 – 114 – 114          114 – 114 – 114
V_Line (V)      198 – 198 – 198          198 – 198 – 198
I (A)           0.19                     0.34
P (W)           14                       -14
Q (var)         -1                       -116
S (VA)          21                       116
F (Hz)          60.00                    60.00
Power Factor    0.68                     0.12
Table 3. Electrical measurements at Meter 1 and Meter 2 during SSH-based cyberattack conditions at M1.

Parameter       Meter 1 (192.168.1.20)   Meter 2 (192.168.168.31)
V_PH (V)        108 – 115 – 113          110 – 112 – 113
V_Line (V)      191 – 197 – 194          191 – 197 – 194
I (A)           0.19 – 0.00 – 0.00 – 0.19   0.34 – 0.35 – 0.35 – 0.00
P (W)           14                       -14
Q (var)         -1                       -115
S (VA)          21                       116
F (Hz)          59.99                    59.98
Power Factor    0.68                     0.12
Table 4. Electrical measurements at Meter 1 and Meter 2 during SSH-based cyberattack conditions at M2.

Parameter       Meter 1 (192.168.1.20)   Meter 2 (192.168.168.31)
V_PH (V)        108 – 114 – 113          108 – 111 – 112
V_Line (V)      192 – 197 – 194          190 – 196 – 193
I (A)           0.2 – 0.00 – 0.00 – 0.19    0.34 – 0.34 – 0.34 – 0.00
P (W)           14                       -14
Q (var)         -1                       -115
S (VA)          21                       116
F (Hz)          59.99                    59.98
Power Factor    0.68                     0.12
Table 5. Percentage deviation of electrical parameters under cyberattack conditions.

Parameter             Meter     Normal   Attack   Deviation (%)
Vph avg (V)           Meter 1   114      112      -1.75%
Vph avg (V)           Meter 2   114      111.67   -2.05%
Frequency (Hz)        Meter 1   60.00    59.99    -0.017%
Frequency (Hz)        Meter 2   60.00    59.98    -0.033%
Reactive Power (var)  Meter 2   -116     -115     +0.86%
A comparison of the measurements indicates that the SSH-based cyberattack had minimal impact on the system's physical operation. Voltage levels at both meters remained stable, with only minor variations observed between normal and attack conditions. Current measurements show small changes, indicating that the load demand was not significantly affected.
Active and reactive power values at both Meter 1 and Meter 2 remained consistent, with only slight changes observed during the attack scenario. Apparent power values followed a similar pattern, confirming that overall power flow in the system was preserved.
System frequency remained stable at approximately 60 Hz for both meters, showing that grid synchronization was not disrupted. Power factor values also remained unchanged, demonstrating that the efficiency of power delivery was maintained.
These results confirm that the SSH-based cyberattack increased network activity and introduced moderate communication delays. Its impact on the physical power system was minor. The smart grid maintained stable electrical operation under the attack scenario. These results highlight the resilience of the smart grid system, in which attacks in the cyber layer do not significantly propagate to the physical power system.

4.4. Cyberattack Scenarios Definition

4.4.1. Scenarios

Four distinct operational states were defined to analyze the impact of cyberattacks on SCADA performance. Table 6 lists these states: the first represents normal operation with a packet rate of 120 pkt/s, while the remaining states represent attack scenarios using SSH at 350 pkt/s, ICMP at 1200 pkt/s, and a coordinated attack that combines multiple protocols. The packet rate for each state was measured with Wireshark to enable a precise quantitative comparison across conditions.
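A defender-side way to turn the Wireshark observations of Section 3.7 and the four states of Table 6 into detection logic, as an added example (not the paper's code). The records are constructed, not a real capture: each is a (time in seconds, protocol) pair in the shape of the "Time" and "Protocol" columns of a Wireshark CSV export. The 120 pkt/s baseline and the 350 and 1200 pkt/s attack rates come from Section 4.4.1; the alert thresholds (2x and 5x baseline), the even spacing of packets within a second, and the protocol names are my assumptions.

```python
from collections import Counter, defaultdict

# Baseline is the paper's normal-state rate; the multipliers are assumptions
# chosen to sit well below the reported attack rates (350 SSH, 1200 ICMP pkt/s).
BASELINE_PPS = 120
SSH_ALERT_PPS = 2 * BASELINE_PPS
ICMP_ALERT_PPS = 5 * BASELINE_PPS


def rates_per_second(records):
    """Count packets per protocol in each 1-second window: {second: Counter}."""
    windows = defaultdict(Counter)
    for t, proto in records:
        windows[int(t)][proto] += 1
    return dict(windows)


def classify_window(counts):
    """Map one second's per-protocol counts onto the Table 6 states."""
    ssh_flood = counts.get("SSH", 0) > SSH_ALERT_PPS
    icmp_flood = counts.get("ICMP", 0) > ICMP_ALERT_PPS
    if ssh_flood and icmp_flood:
        return "coordinated"
    if ssh_flood:
        return "ssh_attack"
    if icmp_flood:
        return "icmp_attack"
    return "normal"


def timeline(records):
    """State per second, in time order, for a whole capture."""
    return {sec: classify_window(c) for sec, c in sorted(rates_per_second(records).items())}


def synth_second(sec, modbus=120, ssh=0, icmp=0):
    """Constructed traffic for one second: the given number of packets per
    protocol, spread evenly across the window (assumption, not a real trace)."""
    recs = []
    for proto, n in (("Modbus/TCP", modbus), ("SSH", ssh), ("ICMP", icmp)):
        if n:
            recs += [(sec + i / n, proto) for i in range(n)]
    return recs


# Four consecutive seconds, one per Table 6 state: normal, SSH, ICMP, coordinated.
CAPTURE = (synth_second(0)
           + synth_second(1, ssh=350)
           + synth_second(2, icmp=1200)
           + synth_second(3, ssh=350, icmp=1200))

if __name__ == "__main__":
    per_sec = rates_per_second(CAPTURE)
    for sec, state in timeline(CAPTURE).items():
        total = sum(per_sec[sec].values())
        print(f"t={sec}s total={total:5d} pkt/s  {dict(per_sec[sec])}  -> {state}")
```

Because the Modbus/TCP polling stays at its 120 pkt/s baseline in every window, the classifier keys on the protocol mix rather than the raw total; a rise in the total alone would not distinguish a legitimate polling change from a flood. On a real export, the records list is built by reading the CSV and keeping only the time and protocol columns.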

4.4.2. Metrics

Table 7 quantifies the impact of cyberattacks on the system's performance. The average latency increased from 12 ms under normal conditions to 210 ms during a coordinated attack, a 1,650% increase. The packet loss rate increased from 0% to 15.5%, which directly impacted the system's responsiveness. A command execution error rate of 40% was recorded during the coordinated attack, indicating a clear deterioration in control reliability.

4.4.3. Controllability & Observability

Table 8 shows the status of the system's controllability and observability. Under normal conditions, the system was fully controllable and observable, as the ranks of both the controllability and observability matrices were 4. During a coordinated attack, these values dropped to 2, indicating a critical, partial loss of the system's control and observability capabilities and confirming the direct impact of cyberattacks on the system's dynamic properties.

4.4.4. Performance Under Cyberattacks

Figure 11 illustrates the gradual degradation in system performance under various cyberattacks. Specifically, the average latency increased from 12 ms under normal conditions to 210 ms during a coordinated attack, while the packet loss rate rose to 15.5%. Furthermore, the command execution error rate surged to 40%, reflecting the substantial impact of these attacks on the system's communication and control layers.

4.4.5. Voltage and Frequency Deviations

Although the changes in electrical values were limited (less than 2%), as shown in Table 9, the greatest impact was observed in the communication and control layer, indicating that the attack primarily targeted the cyber layer without directly affecting the physical layer.

4.4.6. Federated Learning

The federated learning model achieved a high accuracy of 96.4%, as shown in Table 10. The results confirm the effectiveness of the distributed model in enhancing attack detection, with a precision of 95.8%, a recall of 95.2%, and an F1-score of 95.5%.

5. Conclusions

This study shows the impact of SSH- and ICMP-based cyberattacks on a SCADA-integrated smart grid within a cyber-physical system. A controlled testbed was used to analyze how network attacks and communication performance affected system monitoring and control operations. The attacks produced only a small deviation, below 2%, in grid voltage, current, and frequency. The greatest impact was observed in the communication and control layer, showing that the attack primarily targeted the cyber layer without directly affecting the physical layer. The average latency increased sharply relative to normal conditions during a coordinated attack, while the packet loss rate rose to 15.5%. The command execution error rate increased to 40%, reflecting the significant impact of these attacks on the system's communication and control layers. These results highlight the importance of secure communication in maintaining system stability and reliability. They also demonstrate how cyberattacks can weaken both system controllability and observability, emphasizing the need for stronger cybersecurity measures in smart grid environments.

References

  1. Adeleke, O.J.; Jovanovich, K.; Ogunbunmi, S.; Samuel, O.; Kehinde, T.O. Comprehensive exploration of smart cities: A systematic review of benefits, challenges, and future directions in telecommunications and urban development. IEEE Sensors Reviews 2025.
  2. Zhang, H.; Liu, B.; Wu, H. Smart grid cyber-physical attack and defense: A review. IEEE Access 2021, 9, 29641–29659.
  3. Ali, R.F.; Muneer, A.; Dominic, P.D.D.; Ghaleb, E.A.A.; Al-Ashmori, A. Survey on Cyber Security for Industrial Control Systems. In Proceedings of the 2021 International Conference on Data Analytics for Business and Industry (ICDABI), 2021.
  4. Sujatha, M.S.; Banu, S.S.; Sriyesh, V.; Sreenivasan, G.; Kuruba, M.; Reddy, M.G.M. Cyber Security for Power System. In Proceedings of the 2024 International Conference on Electrical Energy Systems (ICEES), 2024.
  5. Zhang, K.; Pan, S.; Zhang, S.; Lin, J. The Intrusion Detection Method for Power Grid Industrial Control Systems Based on Improved Triplet Neural Network. In Proceedings of the 2025 International Conference on Electrical Automation and Artificial Intelligence (ICEAAI), 2025.
  6. Chakraborty, S.; Kar, S. Hierarchical Control of Networked Microgrid with Intelligent Management of TCLs: A Case Study Approach. Electric Power Systems Research 2023, 224, 109787.
  7. Ran, X.; Ma, L. An Extended False Data Injection Attack via Deep Reinforcement Learning: Attack Model and Countermeasures in Cyber-Physical Power Systems. IEEE Transactions on Automation Science and Engineering 2025.
  8. Sridhar, S.; Hahn, A.; Govindarasu, M. Cyber-physical system security for the electric power grid. Proceedings of the IEEE 2012, 100, 210–224.
  9. Liu, Y.; Ning, P.; Reiter, M.K. False data injection attacks against state estimation in electric power grids. IEEE Transactions on Smart Grid 2011, 1, 13–25.
  10. Karanfil, M.; Rebbah, D.E.; Debbabi, M.; Kassouf, M.; Ghafouri, M.; Youssef, E.-N.S.; Hanna, A. Detection of Microgrid Cyberattacks Using Network and System Management. IEEE Transactions on Smart Grid 2023, 14(3), 2390–2405.
  11. McMahan, B.; Moore, E.; Ramage, D.; Hampson, S.; Aguera y Arcas, B. Communication-efficient learning of deep networks from decentralized data. In Proceedings of the 20th International Conference on Artificial Intelligence and Statistics (AISTATS), Fort Lauderdale, FL, USA, 20–22 April 2017; pp. 1273–1282.
  12. Bhol, S.G.; Swain, S.; Pattnaik, P.K.; Mohanty, S. Federated Learning and Blockchain Integrated Framework for Energy Management. In Proceedings of the 2025 2nd International Conference on Intelligent Systems for Cybersecurity (ISCS), 2025.
  13. Li, Y. Detection of False Data Injection Attacks in Smart Grid: A Secure Federated Deep Learning Approach. In Proceedings of the 2024 IEEE Power & Energy Society General Meeting (PESGM), 2024.
  14. Haridas, R.; Sharma, S.; Bhakar, R.; Mathuria, P. Evolution of Load Redistribution Attack in Cyber Physical Power System. In Proceedings of the 2023 IEEE PES Innovative Smart Grid Technologies – Middle East (ISGT Middle East), 2023.
  15. Maliha, M.; Oluyomi, A.; Booge, M.; Bhattacharjee, S.; Braasch, N.; Gomez, P.; Das, S.K. Real-Time Testbed for Studying Cyberattacks and Defense in DER-integrated Smart Inverter Systems. In Proceedings of the 2025 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), 2025.
  16. Jørgensen, J.; et al. Cybersecurity and resilience of smart grids: Threat landscape, incidents, and emerging solutions. Renewable and Sustainable Energy Reviews 2026, 182, 113456.
  17. Khare, U.; Malviya, A.; Gawre, S.K.; Arya, A. Cyber Physical Security of a Smart Grid: A Review. In Proceedings of the 2023 IEEE International Students' Conference on Electrical, Electronics and Computer Science (SCEECS), 2023.
  18. Sanjalawe, Y.; Al-E'mari, S.; Fraihat, S.; Makhadmeh, S.N.; Alzubi, E. AI-Powered Smart Grids in the 6G Era: A Comprehensive Survey on Security and Intelligent Energy Systems. IEEE Open Journal of the Communications Society 2025, 6, 7677–7680+.
  19. Rajesh, M.; Ramachandran, S.; Vengatesan, K.; Dhanabalan, S.S.; Nataraj, S.K. Federated Learning for Personalized Recommendation in Securing Power Traces in Smart Grid Systems. IEEE Transactions on Consumer Electronics 2024, 70(1), 88–95.
  20. Cintuglu, M.H.; Mohammed, O.A.; Akkaya, K.; Uluagac, A.S. A Survey on Smart Grid Cyber-Physical System Testbeds. IEEE Communications Surveys & Tutorials 2017, Vol. 19(No. 1), 446–464. [Google Scholar] [CrossRef]
  21. Athamnih, A.S.; Annamalai, A.; Abood, S.; Woodard, C.; Chouikha, M.; Al-zuhairi, H. AI-Driven Cybersecurity for SCADA-Integrated Microgrids: A Real-Time Detection Framework. In Proceedings of the 2026 IEEE 5th International Conference on AI in Cybersecurity (ICAIC), Houston, TX, USA, 18–20 February 2026; IEEE: Piscataway, NJ, USA, 2026. [Google Scholar] [CrossRef]
  22. Abood, S.I.; Islam, N.; Chouikha, M.F.; Annamalai, A.; Khalid, I. Controllability and Observability of Real-Time Implementation of Smart Grid Cyber-Physical Systems under Adversarial Attacks. IEEE Access 2026, 14, 11902–11920. [Google Scholar] [CrossRef]
  23. Abood, S.; Khalid, I.; Chouikha, M.; Annamalai, A.; Obiomon, P.; Butler-Purry, K.L. AI-Based Cybersecurity Assessment for Renewable-Integrated Smart Grid SCADA Systems. In Proceedings of the 4th International Scientific Conference of Engineering Sciences (ISCES 2025), Baquba, Iraq, 10–11 December 2025; IET; p. 2025. [Google Scholar] [CrossRef]
  24. Zhang, Z.; Peng, H.; Li, L.; Bao, S. Adaptive Asynchronous Federated Learning for Digital Twin Driven Smart Grid. IEEE Trans. Smart Grid 2025, 16, 4167–4182. [Google Scholar] [CrossRef]
  25. Deng, X.; Pan, Y.; Fang, H. Anomaly Detection in Smart Grid Behavior Monitoring via Federated Learning: A Privacy-Preserving Defense Against Cyber-Physical Attacks. J. Cyber Secur. Mobil. 2025, 14, 1151–1172. [Google Scholar] [CrossRef]
  26. Abood, S.; Ibrahim, Z.; Annamalai, A.; Khalid, I.; Chouikha, M.; Adeloye, A. SCADA Watch: Cybersecurity Mitigation in Smart Electric Microgrids. In Proceedings of the 2025 IEEE International Communications Energy Conference (INTELEC); IEEE: Piscataway, NJ, USA, 2025. [Google Scholar] [CrossRef]
  27. Xu, B.; Zhou, Y.; Li, M.; Ding, B.; Tan, G. A Digital Power Grid Information Security Protection Method Based on Federated Learning and Deep Learning. In Proceedings of the 2025 10th Asia Conference on Power and Electrical Engineering (ACPEE); IEEE: Piscataway, NJ, USA, 2025. [Google Scholar] [CrossRef]
  28. Li, X.; Wen, M.; He, S.; Lu, R.; Wang, L. A Privacy-Preserving Federated Learning Scheme against Poisoning Attacks in Smart Grid. IEEE Internet Things J. 2024, 11, 16805–16816. [Google Scholar] [CrossRef]
  29. Zheng, R.; Sumper, A.; Aragüés-Peñalba, M.; Galceran-Arellano, S. Advancing Power System Services with Privacy-Preserving Federated Learning Techniques: A Review. IEEE Access 2024, 12, 76753–76779. [Google Scholar] [CrossRef]
  30. Bhatia, K.; Ojha, S.S. Federated Learning Framework for Early Detection of Reconnaissance Attacks in Smart Grid Environments. In Proceedings of the 2024 2nd International Conference on Device Intelligence, Computing and Communication Technologies (DICCT); IEEE: Piscataway, NJ, USA, 2024. [Google Scholar] [CrossRef]
  31. Moniruzzaman, M.; Yassine, A.; Benlamri, R. Blockchain and Federated Reinforcement Learning for Vehicle-to-Everything Energy Trading in Smart Grids. IEEE Trans. Artif. Intell. 2024, 5, 839–855. [Google Scholar] [CrossRef]
  32. Li, Q.; Tang, W. An Anomaly Detection Method for Smart Power Grid: A Federated Learning Framework; 2024. [Google Scholar]
  33. Blika, A.; Palmos, S.; Doukas, G.; Lamprou, V.; Pelekis, S.; Kontoulis, M.; Ntanos, C.; Askounis, D. Federated Learning for Enhanced Cybersecurity and Trustworthiness in 5G and 6G Networks: A Comprehensive Survey. IEEE Open J. Commun. Soc. 2024, 6, 3094–3124. [Google Scholar] [CrossRef]
  34. Kapoor, A.; Kumar, D. Federated Learning for Urban Sensing Systems: A Comprehensive Survey on Attacks, Defenses, Incentive Mechanisms, and Applications. IEEE Commun. Surv. Tutor. 2024, 27, 1293–1325. [Google Scholar] [CrossRef]
Figure 1. Overview of integrated smart grid, SCADA, and federated learning framework for cybersecurity.
Figure 2. Smart grid SCADA monitoring interface used in this study.
Figure 3. Cybersecurity server interface used to observe system measurements and control signals during the experiments.
Figure 4. One-line diagram of the proposed power system.
Figure 5. Physical smart grid laboratory setup used during the experimental evaluation.
Figure 6. Architecture of the cyber-physical smart grid testbed used for cybersecurity experiments.
Figure 7. PuTTY configuration interface used to initiate the protocol sessions with the smart grid communication network.
Figure 8. Wireshark capture showing normal Modbus/TCP communication between the SCADA monitoring workstation and the smart grid device under normal operating conditions.
Figure 9. Wireshark capture showing increased SSH traffic during the cyberattack scenario, illustrating sustained communication between the SCADA workstation and the smart grid device under elevated network load.
Figure 10. Wireshark capture showing ICMP packet activity during the cyberattack scenario, indicating additional network load that contributes to system performance degradation.
Figure 11. Comparative performance degradation under different cyberattack scenarios.
Table 1. Comparison of this work with existing smart grid cybersecurity studies.

| Ref. | Year | Main Focus | Attack / Threat Type | Methodology | Evaluation Environment | Controllability / Observability Consideration | Position relative to this work |
|---|---|---|---|---|---|---|---|
| [21] | 2026 | AI-driven cybersecurity framework for SCADA-integrated microgrids | DoS, ARP injection, plus broader discussion of FDI/replay | AI-based detection using SCADA and network features | Testbed / realistic scenarios | Not explicit | Strong real-time AI detection, but it does not directly formalize controllability/observability as the core evaluation lens. |
| [22] | 2026 | Maintaining smart-grid CPS controllability and observability under adversarial attacks | Telnet DoS, Modbus TCP flood, ICMP flood | SCADA-based real-time CPS + matrix-rank controllability/observability analysis | Real-time CPS + simulation (3-, 9-, 14-bus) | Explicitly addressed | Closest to the present work, which extends it toward privacy-preserving federated cybersecurity analytics and coordinated monitoring logic. |
| [23] | 2025 | AI-based cybersecurity assessment for renewable-integrated smart-grid SCADA systems | Telnet, DoS, Modbus/TCP, ICMP; protocol comparison across SSH/Telnet/HTTP/HTTPS | RNN–LSTM IDS + Wireshark + SCADA logs + protocol performance comparison | Real-world CPS testbed | Not explicit | Valuable for protocol/security benchmarking, but less centered on formal controllability/observability preservation. |
| [24] | 2025 | Digital-twin-driven smart grid with asynchronous federated learning and blockchain | Malicious station behavior, poisoning robustness, stale/non-IID updates | Blockchain + asynchronous FL + digital twin | Comparative experiments on heterogeneous devices and real power-grid datasets | Not addressed | Strong distributed learning architecture, but not targeted at SCADA protocol attacks or operator visibility/control. |
| [25] | 2025 | Privacy-preserving anomaly detection for smart-grid behavior monitoring | Cyber-physical / privacy attacks | K-means + LSTM + FL | Experimental evaluation on smart-grid behavior data | Not addressed | Strong privacy/anomaly results, but no direct analysis of SCADA testbed controllability/observability. |
| [26] | 2025 | Cybersecurity mitigation in smart electric microgrids | DoS, Telnet, Modbus-based intrusion scenarios | SCADA-based mitigation, protocol analysis, testbed monitoring | Real-time CPS microgrid testbed | Partial / indirect | Practical mitigation paper, but the present work is stronger in control-theoretic interpretation and federated perspective. |
| [27] | 2025 | Information security protection for digital power grids | Network intrusion/cyberattack classification | Improved BiLSTM-DNN + multi-head attention + FL | NSL-KDD-based experimental study | Not addressed | Strong FL+DL classifier, but dataset-driven and not validated on a real SCADA/CPS control platform. |
| [28] | 2024 | Privacy-preserving FL against poisoning attacks in smart grid | Model poisoning / malicious gradients | Homomorphic encryption + hierarchical aggregation + adaptive defense | FL experiments on MNIST/CIFAR-10 under malicious participants | Not addressed | Strong privacy and robustness at the FL layer, but not a SCADA power-system operational study. |
| [29] | 2024 | Holistic review of FL applications across energy services | Broad privacy/security/data-silo concerns | Review/taxonomy of FL methods in energy systems | Conceptual / literature review | Not addressed | Useful background on FL in energy, but not focused on protocol-level SCADA attacks or control visibility. |
| [30] | 2024 | Early detection of reconnaissance attacks in smart-grid environments | Reconnaissance attack | FSGD-based federated learning | Kaggle IoT-security dataset; client/server validation | Not addressed | Important for attack-stage detection, but dataset-based and not experimentally tied to SCADA control performance. |
| [31] | 2024 | Secure V2X energy trading in smart grids | Trust, privacy, spoofing/SPOF-related platform threats, rather than SCADA intrusion detection | Blockchain + federated reinforcement learning | Simulation using a real-world dataset + Avalanche implementation | Not addressed | Relevant to secure smart-grid transactions, but outside SCADA attack monitoring and control-resilience scope. |
| [32] | 2024* | Federated anomaly detection in smart power grids | Abnormal events/anomalies | FL-based anomaly detection with weighted monitoring indicators | Simulation/analysis for grid monitoring categories | Not addressed | Useful anomaly-detection baseline, but lacks real-time cyber-physical experimentation and explicit control-theoretic treatment. |
| [33] | 2024 | FL for cybersecurity and trustworthiness in 5G/6G networks | Inference, poisoning, insider/outsider FL attacks | Comprehensive survey | Review | Not addressed | Broader-domain FL security survey; indirectly useful for threat/defense framing, not for smart-grid SCADA validation. |
| [34] | 2024 | FL in urban sensing systems with attacks, defenses, and incentives | Inference attacks, poisoning attacks | Comprehensive survey | Review | Not addressed | Provides a broader FL attack/defense context, but is only indirectly relevant to smart-grid SCADA cybersecurity. |
| This work | - | Privacy-preserving federated cybersecurity analytics for SCADA-based smart grids under coordinated attacks | SSH, Modbus/TCP flooding, ICMP-based attacks | Real-time SCADA/CPS testbed + federated-learning perspective + controllability/observability matrix analysis + Wireshark-assisted monitoring | Real-time laboratory smart-grid/SCADA testbed | Explicitly addressed | Distinguishes itself by jointly studying protocol attacks, SCADA monitoring, and control-theoretic resilience in one real-time framework. |
Table 6. Proposed scenarios used.

| Scenario | Type of Attack | Protocol | Tool Used | Duration (s) | Packet Rate (pkt/s) |
|---|---|---|---|---|---|
| S1 | Normal | Modbus/TCP | - | 60 | 120 |
| S2 | SSH | SSH | PuTTY | 60 | 350 |
| S3 | ICMP Flood | ICMP | hping3 | 60 | 1200 |
| S4 | Coordinated Attack | SSH + ICMP | PuTTY + hping3 | 60 | 1800 |
Table 7. The impact of cyberattacks on system performance.

| Scenario | Avg. Delay (ms) | Packet Loss (%) | Command Error (%) | Response Time (ms) |
|---|---|---|---|---|
| Normal | 12 | 0 | 0 | 15 |
| SSH | 45 | 2.5 | 10 | 60 |
| ICMP | 120 | 8.2 | 25 | 140 |
| Coordinated | 210 | 15.5 | 40 | 260 |
Table 8. The status of the Controllability & Observability of the system.

| Scenario | Rank (Controllability) | Rank (Observability) | System States (n) | Status |
|---|---|---|---|---|
| Normal | 4 | 4 | 4 | Fully Controllable & Observable |
| SSH | 4 | 3 | 4 | Partial Observability Loss |
| ICMP | 3 | 3 | 4 | Degraded System |
| Coordinated | 2 | 2 | 4 | Critical Loss |
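To make the rank test behind Table 8 concrete, the following is an added example written for this page; it is not code from the paper or from its testbed. It builds the controllability matrix [B, AB, ..., A^(n-1)B] and the observability matrix [C; CA; ...; CA^(n-1)] for a constructed four-state model and recomputes their ranks as actuator command channels or measurement channels are lost. The two-area model, its numerical values, and the modelling of a lost channel as a zeroed column of B (command cannot reach the actuator) or a zeroed row of C (measurement no longer reaches SCADA) are assumptions of the example, not details reported in the paper; the resulting rank pairs (4/4, 4/2, 2/4, 2/2) illustrate the kind of degradation the table reports, not its measurements. Rank is computed exactly over rationals so that "full rank" versus "rank-deficient" never hinges on a floating-point tolerance, and a duality check confirms that observability of (A, C) matches controllability of (A^T, C^T).

```python
from fractions import Fraction
from typing import Iterable, List, Sequence, Tuple

Matrix = List[List[Fraction]]


def mat(rows: Sequence[Sequence]) -> Matrix:
    """Build an exact-rational matrix from nested lists."""
    return [[Fraction(x) for x in row] for row in rows]


def matmul(X: Matrix, Y: Matrix) -> Matrix:
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y)))
             for j in range(len(Y[0]))] for i in range(len(X))]


def transpose(X: Matrix) -> Matrix:
    return [list(col) for col in zip(*X)]


def rank(M: Matrix) -> int:
    """Rank via Gauss-Jordan elimination over Fractions (exact, no epsilon)."""
    M = [row[:] for row in M]
    nrows, ncols = len(M), len(M[0])
    r = 0
    for c in range(ncols):
        pivot = next((i for i in range(r, nrows) if M[i][c] != 0), None)
        if pivot is None:
            continue
        M[r], M[pivot] = M[pivot], M[r]
        for i in range(nrows):
            if i != r and M[i][c] != 0:
                f = M[i][c] / M[r][c]
                M[i] = [a - f * b for a, b in zip(M[i], M[r])]
        r += 1
        if r == nrows:
            break
    return r


def controllability_matrix(A: Matrix, B: Matrix) -> Matrix:
    """[B, AB, A^2 B, ..., A^(n-1) B] stacked side by side."""
    n, blocks, cur = len(A), [], B
    for _ in range(n):
        blocks.append(cur)
        cur = matmul(A, cur)
    return [sum((blk[i] for blk in blocks), []) for i in range(n)]


def observability_matrix(A: Matrix, C: Matrix) -> Matrix:
    """[C; CA; CA^2; ...; CA^(n-1)] stacked top to bottom."""
    n, blocks, cur = len(A), [], C
    for _ in range(n):
        blocks.append(cur)
        cur = matmul(cur, A)
    return [row for blk in blocks for row in blk]


def drop_inputs(B: Matrix, lost: Iterable[int]) -> Matrix:
    """Assumed model of a lost command channel: zero that column of B."""
    lost = set(lost)
    return [[Fraction(0) if j in lost else v for j, v in enumerate(row)] for row in B]


def drop_outputs(C: Matrix, lost: Iterable[int]) -> Matrix:
    """Assumed model of a lost measurement channel: zero that row of C."""
    lost = set(lost)
    return [[Fraction(0)] * len(row) if i in lost else row[:] for i, row in enumerate(C)]


def assess(A: Matrix, B: Matrix, C: Matrix,
           lost_inputs: Iterable[int] = (), lost_outputs: Iterable[int] = ()
           ) -> Tuple[int, int, int, str]:
    """Return (controllability rank, observability rank, n, status label)."""
    n = len(A)
    rc = rank(controllability_matrix(A, drop_inputs(B, lost_inputs)))
    ro = rank(observability_matrix(A, drop_outputs(C, lost_outputs)))
    if rc == n and ro == n:
        status = "Fully Controllable & Observable"
    elif rc == n:
        status = "Partial Observability Loss"
    elif ro == n:
        status = "Partial Controllability Loss"
    else:
        status = "Loss of both control and observation"
    return rc, ro, n, status


def duality_holds(A: Matrix, C: Matrix) -> bool:
    """(A, C) observable iff (A^T, C^T) controllable; a cheap self-check."""
    return rank(observability_matrix(A, C)) == rank(controllability_matrix(transpose(A), transpose(C)))


# Constructed model (illustrative values, not testbed data): two second-order
# areas, each reachable only through its own actuator (B column) and seen only
# through its own sensor (C row).
A = mat([[0, 1, 0, 0], [-2, -3, 0, 0], [0, 0, 0, 1], [0, 0, -5, -6]])
B = mat([[0, 0], [1, 0], [0, 0], [0, 1]])
C = mat([[1, 0, 0, 0], [0, 0, 1, 0]])

if __name__ == "__main__":
    scenarios = [("Normal", (), ()), ("Sensor channel of area 2 lost", (), (1,)),
                 ("Actuator channel of area 2 lost", (1,), ()),
                 ("Both channels of area 2 lost", (1,), (1,))]
    for label, li, lo in scenarios:
        rc, ro, n, status = assess(A, B, C, li, lo)
        print(f"{label:34s} ctrb={rc}/{n} obsv={ro}/{n}  {status}")
```

The `rank` routine is the whole point: a textbook rank test on a degraded system is only meaningful if the deficiency is detected unambiguously, and exact arithmetic removes the tolerance question that a floating-point SVD would raise on small systems like this one.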
Table 9. The deviation in voltage and frequency due to the attack.

| Parameter | Normal | Attack | Deviation (%) |
|---|---|---|---|
| Voltage (V) | 115 | 113 | -1.7% |
| Frequency (Hz) | 60.01 | 59.98 | -0.05% |
Table 10. Intrusion detection performance based on the SCADA dataset.

| Metric | Value (%) |
|---|---|
| Accuracy | 96.4 |
| Precision | 95.8 |
| Recall | 95.2 |
| F1-Score | 95.5 |
Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permits free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.