1. Smart Energy Cyber Security:
Threat and Defense in a Cyber-Physical System
Professor Shiyan Hu
Department of Electrical and Computer Engineering
Michigan Technological University

2. Smart Home: Industrial Perspective2

3. Smart Switch to Traditional Appliances3

4. Many Sensors To Maintain4

5. Smart Home: Academic Perspective5

6. The Power System
5% energy efficiency improvement in residential users leads to carbon emission reduction equivalent to removing 53 million cars in U.S. 6

7. Why we schedule? The Single User Smart Home 7 Power flow Internet
Control flow 7

8. Varying Energy Consumption
Typical summer energy load profile in State of Ontario, Canada. One can see the peak load around 7:00pm which usually involves a lot of human activities.
Source: Ontario Energy Board 8

9. Dynamic Electricity Pricing
Set high prices at peak energy hours to discourage the energy usage there for energy load balancing
Hourly Price from Ameren Illinois 9

10. Energy Scheduling for a Single Smart Home
Given the electricity pricing, to decide
when to launch a home appliance
at what power level
for how long
subject to scheduling constraints
Targets
Reduce monetary cost of each user
Reduce peak to average ratio of grid energy usage
The smart home scheduler computes the scheduling solutions for future, so it needs the future pricing. How? 10

11. Two Pricing Models: Guideline and Realtime Pricing
Guideline price: utility publishes it one day ahead to guide customers to schedule their appliances, through providing the predicted pricing in the next 24 hours.
Real time price: utility uses it to bill customers, e.g., it obtains the total energy consumption in the past hour, computes the total bill as a quadratic function of the total energy, and then distributes the bill to each customer proportionally. 11

12. Dynamic Pricing + Game Theory = U.S. Solution
Multiple Users?
Dynamic Pricing + Game Theory = U.S. Solution
Customer 1
Customer 2
Customer n
Game theory is used to handle the interactions among customers. 12

13. Decentralized Scheduling at Community level
Each user schedules their own appliances separately
Initialize
Customer 𝑛
All users share information with each other
Through the dynamic programming based algorithm
Maximize 𝑃 𝐱 𝑛 | 𝐱 −𝑛
Share information 𝑙 −𝑛,ℎ
Each user reschedules their own appliances separately No
Converge? No
Converge
Yes
Yes
End
Schedule 13

14. Case Study
5 communities in which each one contains 400 customers, and 2 utilities.
Simulation time horizon is 24 hours from the current time, which is divided into 15-minutes time slots. 14

15. Average Energy Consumption and Bill
Many issues beyond energy and bill
Impact to electricity market
Architecture
Community level, city level
Centralized, decentralized, hierarchical
Reliability
Privacy
Cybersecurity 15

16. What Will be Discussed?
Electricity Price
Hack the input of a smart meter (pricing cyberattack)
Hack the smart meter (hardware security)
Embedded Software
Purposes of hacking
Individual level: bill reduction
Local community level:
load increase/fluctuation
Larger area level: cascading effect
Energy Load
Hack the output of a smart meter (energy theft) 16

17. Vulnerability in Pricing Propagation in AMI
Utility
Utility Pricing
Fiber Cable
TI SoC Based Smart Meter w/ Remote Upgrade
WiMAX
Base Station
Access Point
Aggregator
In Advanced Metering Infrastructure (AMI), WiMAX is used for the communication with smart meters. The smart meter of the customers connect to the base station of aggregator through the access point. WiMAX is able to operate on different frequency bands, primarily 2.3, 2.5, 3.65 and 5GHz. It has a throughput of 25MBps (in practice). Each access point can serve 200 smart meters at the same time. 17

18. Hacking Google Nest (Backdoor)
Set high voltage and reboot from USB 18

19. Hacking Belkin Wemo (Accessible Programming Port)
Remote switch
How to hack?
Connecting a UART adapter with “57600,8N1”
Run the command “kill -9 $(ps | grep 'reboot'|sed -r -e 's/^ ([0-9]+) [0-9]+/\1/')”
Root shell can be accessed
Company Response
New firmware adds SSL encryption and validation to prevent a malicious firmware attack. 19

20. Advanced Hacking: Secure Key Localization
Input1
State1
Input2
State2
Input3
State3 . .
ASIC Chip
Encryption
Communications
Smart device communication is encrypted, but the secure key is typically in the flash but not ASIC. We can potentially locate the secure key. 20

21. Media Reports 21

22. Pricing Cyberattack For Reducing Hacker’s Bill
With Attack, $4.12 paid by each customer
Create a low price period. The attacker can schedule his energy consumption there with bill reduction by 34.3%, while the bill of other customers are increased by 7.9% on average.
Without Attack,
$3.82 paid by each customer
Hacker wants to schedule here but it is expensive
Fake Guideline Price
Authentic Guideline Price
Now it is much cheaper
Actual Price
Actual Energy Load 22

23. Pricing Cyberattack For Forming a Peak Load (Overloading)
Create a peak energy load and the peak to average ratio is increased by 35.7%. The real time electricity price from 7:00 pm to 9:00 pm is increased by 43.9%.
Without Attack
With Attack
Hacker wants to create a peak on the energy load here
Expected Energy Load
Fake Guideline Price
Peak Energy Load
Actual Energy Load 23

24. Cascading Impacts on a 5-Bus System
Line 1
Line 2
Bus 1
Bus 2
Bus 3
Pricing cyberattack can increase the load and power flow. If the power flow on a line exceeds the capacity, the line is tripped.
Line 4
Line 5
Line 3
Line 7
Line 6
Bus 4
Bus 5 24

25. Detection of Pricing Cyberattack
Initial Thought
Hacker manipulates the predictive pricing. How to detect anomaly there?
Electricity prices tend to be similar in a short term.
Customers can use statistical regression or machine learning to predict energy prices from recent historical data.
Compare the predicted price with the received predictive price.
Electricity Prices from 06/11/2014 to 06/13/2014 from Ameren Illinois 25

26. The First Idea: Anomaly Detection in Time Domain
How to set the threshold?
Set it to 0, then all deviations from prediction are regarded as hacking, too much false detection.
Set it to a large value, then few false alarm, but with few cyberattacks detected.
We should focus on impact, not difference in time domain.
If one can tolerate up to 2% bill increase due to cyberattack, what is the right threshold?
Cyberattack is detected if ||𝒂 𝑝 −𝑎|| ∞ >𝛿 26

27. The Second Idea: Alert if Impact is Significant
Predicted Price
Average Bill: 𝐵 𝑝
PAR: 𝑃 𝑝
Received Price
Average Bill: 𝐵
PAR: 𝑃
Δ𝐵= 𝐵− 𝐵 𝑝 𝐵 𝑝
Δ𝑃= 𝑃− 𝑃 𝑝 𝑃 𝑝 27

28. Simulation Result (Detection with 𝛿 𝐵 =5% and 𝛿 𝑝 =2%)
Predicted Guideline: Average Bill $38.3K, PAR 1.17
Unattacked Guideline: Average Bill $38.2K, PAR 1.153
Difference: Average Bill -0.26%, PAR -1.45%
Predicted Guideline: Average Bill $38.3K, PAR 1.17
Attacked Guideline: Average Bill $40.9K, PAR 1.203
Difference: Average Bill 6.79%, PAR 2.82% 28

29. Limitation?
A point solution, with no memory on the past and no prediction to the future.
If 𝛿 𝐵 =2% is used, then the hacker could simply manipulate guideline pricing with 1.9% bill increase at each time slot.
Minor impact for each time slot, but cumulative impact over a long time could be significant.
Need a long term monitoring and detection technique. 29

30. POMDP Based Long Term Detection
What is POMDP?
Partially Observable Markov Decision Process
Good for long term
Model the past, the present and predict the future (probabilistic long term reward)
Three layer architecture
Observation, State, Action
POMDP models the interactions among them 30

31. A Simple Example of POMDP
𝑠 0 , 𝑜 0 : No hacking,
𝑠 1 , 𝑜 1 : Smart meter 1 is hacked,
𝑠 2 , 𝑜 2 : Smart meter 2 is hacked.
𝑠 3 , 𝑜 3 : Both smart meters are hacked.
𝑆={ 𝑠 0 , 𝑠 1 , 𝑠 2 , 𝑠 3 }
𝑂={ 𝑜 0 , 𝑜 1 , 𝑜 2 , 𝑜 3 }
𝐴={ 𝑎 0 , 𝑎 1 }
𝑎 0 : No or negligible cyberattack,
𝑎 1 : Check and fix the hacked smart meters 31

32. Output of POMDP: Policy Transfer Graph
𝑎 0
𝑠 0
𝑜 0
𝑜 1 , 𝑜 2 , 𝑜 3
𝑎 1
𝑠 1
Policy: a set of actions where there is a corresponding action for each possible state 32

33. Modeling The Past: Probabilistic State Transition Diagram
0.5| 𝑎 0 , 1| 𝑎 1
𝑠 0
Learn from historical observation data
Calibrate mapping from observation to state
Apply conditional probability (Bayesian rule)
0| 𝑎 0 , 1| 𝑎 1
0| 𝑎 0 , 1| 𝑎 1
0| 𝑎 0 , 1| 𝑎 1
0.2| 𝑎 0 , 0| 𝑎 1
0.1| 𝑎 0 , 0| 𝑎 1
0.2| 𝑎 0 , 0| 𝑎 1
𝑠 3
0| 𝑎 0 , 0| 𝑎 1
0| 𝑎 0 , 0| 𝑎 1
0.5| 𝑎 0 , 0| 𝑎 1
0.5| 𝑎 0 , 0| 𝑎 1
0| 𝑎 0 , 0| 𝑎 1
1| 𝑎 0 , 0| 𝑎 1
0.1| 𝑎 0 , 0| 𝑎 1
𝑠 1
𝑠 2
0.5| 𝑎 0 , 0| 𝑎 1
0.5| 𝑎 0 , 0| 𝑎 1 33

34. Modeling The Present
We know the current state in a probabilistic sense
Belief state, the probabilistic distribution over states
[0.7, 0.15, 0.05, 0.1] is a belief state, meaning that 70% chance in s0, 15% in s1, 5% in s2 and 10% in s3. 34

35. Predict The Future 𝑅 0 𝑅 1 𝑅 2 𝑅 3
Associate a reward to each action and weight it differently at different time slot. Find a series of actions leading to the maximum reward for the future k time slots.
For each action, belief state is predicted by 𝑏 𝑠 ′ = 𝑠∈𝑆 𝑇 𝑠 ′ ,𝑎,𝑠 𝑏(𝑠) 𝑃(𝑎,𝑏)
𝑅 0
Discount Factor: 0.5
×1 for 2pm 𝑏
𝑎 0
𝑎 1
𝑅 1
×0.5 for 3pm
< 𝑏′ 𝑏′
𝑎 0
𝑎 1
𝑎 0
𝑎 1
𝑅 2
>
𝑏′′
𝑏′′
× 0.25
for 4pm
𝑏′′
<
𝑏′′
𝑎 0
𝑎 1
𝑎 0
𝑎 1
𝑎 0
𝑎 1
𝑎 0
𝑎 1
× 0.125
for 5pm
𝑏′′′
>
𝑏′′′
𝑏′′′
<
𝑏′′′
𝑏′′′
<
𝑏′′′
𝑏′′′
<
𝑏′′′
𝑅 3 35

36. The POMDP Formulation A POMDP problem is formulated as 𝑆,𝐴,𝑇,𝑅,Ω,𝑂
𝑆: The system state space.
𝐴: The action space.
𝑂: The observation of the system state.
𝑇( 𝑠 ′ ,𝑎,𝑠): The state transition function, defined as the probability that the system transits from state 𝑠 to 𝑠 ′ when action 𝑎 is taken.
Ω(𝑜,𝑎,𝑠): The observation function, defined as the probability that the observation is 𝑜 when the state and action are 𝑠 and 𝑎 respectively.
𝑅( 𝑠 ′ ,𝑎,𝑠): The reward function, defined as the reward achieved by the decision maker taking action 𝑎 and the state transits from 𝑠 to 𝑠′. 36

37. POMDP -> Belief-State MDP
Using the belief state, the POMDP problem is reduced to 𝐵,𝐴,𝜌,𝜏
𝐵: The space of belief state
Given a new observation, the belief state is updated as
𝑏 𝑠 ′ =𝑃( 𝑠 ′ |𝑜,𝑎,𝑠)= Ω(𝑜,𝑎, 𝑠 ′ ) 𝑠∈𝑆 𝑇 𝑠 ′ ,𝑎,𝑠 𝑏(𝑠) 𝑃(𝑜|𝑎,𝑏)
𝜌(𝑎,𝑏): The intermediate reward for taking action 𝑎 in the belief state 𝑏
𝜌 𝑎,𝑏 = 𝑠∈𝑆 𝑠 ′ ∈𝑆 𝑏(𝑠)𝑅( 𝑠 ′ ,𝑎,𝑠)𝑇( 𝑠 ′ ,𝑎,𝑠) (1)
𝜏( 𝑏 ′ ,𝑎,𝑏): The transition function between the belief states
𝜏 𝑏 ′ ,𝑎,𝑏 =𝑃 𝑏 ′ 𝑎,𝑏 = 𝑜∈𝑂 𝑃 𝑏 ′ |𝑏,𝑎,𝑜 𝑃 𝑜|𝑎,𝑏 (2)
𝑃 𝑏 ′ |𝑏,𝑎,𝑜 = 1, 𝑖𝑓 (𝑏,𝑎,𝑜)⇒𝑏′ 0,𝑜𝑡ℎ𝑒𝑟𝑤𝑖𝑠𝑒
Filtering to track belief states
Stochastic and statistical filtering, e.g., Kalman filter (optimal when belief states are Guanssian, transition function is linear, and MDP is still discrete time), Extended Kalman or Particle Filtering 37

38. Reward for Future
POMDP aims to maximize the expected long term reward 𝐸 𝑡=0 ∞ 𝑟 𝑡 𝛾 𝑡 (Bellman’s Optimality), where 𝛾 is a discount factor to reduce the importance of the future events, and 𝑟 𝑡 is the reward achieved in step 𝑡.
𝑉 ∗ 𝑏,𝑡 = max a∈𝐴 𝐸 𝑡=0 ∞ 𝑟 𝑡 𝛾 𝑡 = max 𝑠∈𝑆 𝑠 ′ ∈𝑆 𝑏(𝑠)𝑅( 𝑠 ′ ,𝑎,𝑠)𝑇( 𝑠 ′ ,𝑎,𝑠) +𝛾 𝑏 ′ ∈𝐵 𝑜∈𝑂 𝑃 𝑏 ′ |𝑏,𝑎,𝑜 𝑃 𝑜|𝑎,𝑏 𝑉 ∗ 𝑏 ′ ,𝑡+1 max 𝑠∈𝑆 𝑠 ′ ∈𝑆 𝑏(𝑠)𝑅( 𝑠 ′ ,𝑎,𝑠)𝑇( 𝑠 ′ ,𝑎,𝑠) +𝛾 𝑏 ′ ∈𝐵 𝑜∈𝑂 𝑃 𝑏 ′ |𝑏,𝑎,𝑜 𝑃 𝑜|𝑎,𝑏 𝑉 ∗ 𝑏 ′ ,𝑡+1
Reward for each action
𝑅 𝑠 𝑖 , 𝑎 0 , 𝑠 𝑗 = − 𝐶 𝐿 1 , 𝑖𝑓 𝑆 1 ∗ ≤𝑖< 𝑆 2 ∗ − 𝐶 𝐿 1 − 𝐶 𝐿 2 , 𝑖𝑓 𝑆 2 ∗ ≤𝑖 0, 𝑜𝑡ℎ𝑒𝑟𝑤𝑖𝑠𝑒 (7)
𝑅 𝑠 𝑖 , 𝑎 1 , 𝑠 𝑗 =− 𝐶 𝐼 −(𝑗−𝑖) 𝐶 𝑅 (8)
System loss when there is an undetected cyberattack
Labor cost due to detection 38

39. Discrete States? 𝑠 0 , 𝑜 0 : No hacking,
Discretizing impacts, potentially leading to detection errors.
Why not directly giving original information to POMDP and let it make the decision?
𝑠 0 , 𝑜 0 : No hacking,
𝑠 1 , 𝑜 1 : Smart meter 1 is hacked,
𝑠 2 , 𝑜 2 : Smart meter 2 is hacked.
𝑠 3 , 𝑜 3 : Both smart meters are hacked.
𝑆={ 𝑠 0 , 𝑠 1 , 𝑠 2 , 𝑠 3 }
𝑂={ 𝑜 0 , 𝑜 1 , 𝑜 2 , 𝑜 3 }
𝐴={ 𝑎 0 , 𝑎 1 }
𝑎 0 : No or negligible cyberattack,
𝑎 1 : Check and fix the hacked smart meters 39

40. Continuous-State POMDP (Differential Dynamical System)
𝑠 𝑡 =𝑓( 𝑠 𝑡−1 , 𝑎 𝑡−1 , 𝑢 𝑡−1 )
𝑜 𝑡 =𝑔( 𝑠 𝑡 , 𝑎 𝑡−1 , 𝑣 𝑡 )
𝑠 𝑡 is a continuous system state at time 𝑡
𝑜 𝑡 is a continuous observation
𝑎 𝑡 is an action
𝑢 and 𝑣 are random variations
𝑓 and 𝑔 are continues functions 40

41. Our Context
Assume that there are two smart meters. s={1.2,1.5} is a state where smart meter 1 (resp. smart meter 2) has a local PAR 1.2 (1.5). There are infinite number of possible states. They form a continuous state space.
𝑠 𝑡 , 𝑜 𝑡
PAR Increase Ratio
Fix Smart Meters {1,3,5,…}
Fix Smart Meters {2,5,9,…}
………….
𝑎 𝑡
𝑅 The system cost due to cyberattacks 41

42. Cross Entropy State Subspace Sampling……
𝑝 𝑠 ~𝑁( 𝑚 𝑠 , 𝛿 2 ) ……
𝑆 0
𝑆 1
𝑆 𝑁 ……
𝑆 0 ,𝐴, 𝑇 0 , 𝑅 0 , Ω 0 , 𝑂 0
𝑆 1 ,𝐴, 𝑇 1 , 𝑅 1 , Ω 1 , 𝑂 1
𝑆 𝑁 ,𝐴, 𝑇 𝑁 , 𝑅 𝑁 , Ω 𝑁 , 𝑂 𝑁
𝐵 0 ,𝐴, 𝜌 0 , 𝜏 0
𝐵 1 ,𝐴, 𝜌 1 , 𝜏 1
𝐵 𝑁 ,𝐴, 𝜌 𝑁 , 𝜏 𝑁
𝑚 𝑠 := 𝑚 𝑠 + 𝑛 𝑎 𝑉 𝑎 𝑏 𝑛 +𝛽 𝛼
< 𝑏 𝑛 ,𝑎> 42

43. Fourier Approximation for Belief States
Step 1: Initialize samples 𝑥 0 1 , …, 𝑥 0 𝑁 from the initial belief state 𝑓 𝑥,c, 𝑑 .
Step 2: Predict 𝑥 𝑘|𝑘−1 1 , …, 𝑥 𝑘|𝑘−1 𝑁 through propagating 𝑥 𝑘−1 1 , …, 𝑥 𝑘−1 𝑁 using action 𝑎 𝑘−1 and 𝑝 ⋅| 𝑥 𝑘−1 , 𝑎 𝑘−1
Step 3: 𝑤 𝑘 𝑖 = 𝑝 𝑦 𝑘 | 𝑥 𝑘|𝑘−1 𝑖 , 𝑎 𝑘−1 𝑖 𝑝 𝑦 𝑘 | 𝑥 𝑘|𝑘−1 𝑖 , 𝑎 𝑘−1
Step 4: 𝑏 𝑥 𝑘 = 𝑖 𝑤 𝑘 𝑖 𝛿 𝑥 𝑘 − 𝑥 𝑘|𝑘−1 𝑖 , where
𝛿 𝑥 𝑘 − 𝑥 𝑘|𝑘−1 𝑖 = 1, 𝑥 𝑘 = 𝑥 𝑘|𝑘−1 𝑖 0, 𝑜𝑡ℎ𝑒𝑟𝑤𝑖𝑠𝑒
Step 5: Compute the Fourier representation 𝑏 𝑥 = 𝑖 𝑐 𝑖 ′ sin 2𝜋𝑖𝑥 + 𝑖 𝑑 𝑖 ′ cos 2𝜋𝑖𝑥 and normalize 𝑐 𝑖 ′ and 𝑑 𝑖 ′.
Step 6: 𝑘=𝑘+1 and resampling.
Basic Idea: Approximate belief state 𝑏 using 𝑓 𝑥,𝜃 such that the updated belief state is 𝑓 𝑥,𝜃′ with an updated parameter 𝜃′. 43

44. Proposed Algorithms 44

45. Simulations
We conduct simulations on a few testcases such as the following.
Parameter
5-customer 4 5 50
200
500
0.9
500-customer
150
250
2000
25000
100000
Compare with
Heuristic method (repeatedly using support vector regression technique).
No defense technique. 45

46. Comparison on The 500-Customer Testcase
Method
No Defense
Heuristic Method
Proposed Method
PAR
Bill
Labor
Cost
31.3% 1
8.40%
0.313
3.42%
0.118
1.0813
We have developed a hieratical decomposition framework to handle a larger testcase for a smart community.
Comparing with the results without defense technique, the PAR increase and bill increase are reduced by 1− 3.42% 31.3% =89.1% and 1− =88.2%, respectively.
Comparing with the heuristic method, our proposed method can further reduce the PAR and bill increase by 1− 3.42% 8.40% =59.3% and 1− =62.3%, respectively at the expense of increasing the labor cost by −1 1 =8.13%. 46

47. CPS Security
We explore interdependance between the power system (energy load) and the communication system (the transmitted price values).
Guideline price changes
Actual price changes
Energy usage changes 47

48. Energy Theft: Detection w/ Machine Learning?
A smart meter is hacked such that it transmits the reading of 100kWh but actually 1000kWh is measured.
Detectable through the statistical data analysis technique such as bollinger band.
Energy consumption 2:00pm – 2:15pm over 100 days 48

49. Critical to distinguish tampered anomaly and non-tampered anomaly
Problem of This Idea
Critical to distinguish tampered anomaly and non-tampered anomaly
False positive
Anomaly data do not necessarily mean meter tampering
They could be due to occasional user behavior change

50. Use Machine Learning and Deploy Sensors Together
Feeder Remote Terminal Unit (FRTU)
A device installed in the primary distribution network
Monitor the power flow of the distribution system
Communicate with smart meters
Communicate with Distribution Dispatching Center (DDC)
Perform some basic operation such as opening the switch
We propose to use it for cybersecurity
FRTU

51. Using FRTU in Tampering Detection
Industrial Consumer
Node
Residential Consumer
Distribution Transformer
Feeder head
Level 4 1
Level 3 2 3 4
Primary Network 10
Level 2 5 6 7 8 9
Level 1 20 11 12 13 14 15 16 17 18 19 21
Secondary Network 22 23 24 25 26 27 28 29 30 31 32 33 34 35 51

52. Impact of Different FRTU Deployment
Insert FRTU everywhere?
Please limited number of FRTUs such that the system can well detect smart meter tampering
Industrial Consumer
Node
Residential Consumer
Distribution Transformer
Feeder head
Mismatch detected
Level 4 1
Level 3 2 3 4
Let’s go there to check…
Primary Network 10
Level 2 5 6 7 8 9
Level 1 20 11 12 13 14 15 16 17 18 19 21
Tampering
Secondary Network 22 23 24 25 26 27 28 29 30 31 32 33 34 35

53. Motivation 1 2 3 4 Primary Network 10 5 6 7 8 9 20 11 12 13 14 15 16
Probability that any of the 4 smart meters can have anomaly is 28.9%
Can narrow down to 4 smart meters with 100% probability
Probability that any of the 4 smart meters can have anomaly is 14.5% 2 3 4
Primary Network 10 5 6 7 8 9 20 11 12 13 14 15 16 17 18 19 21
These historical anomaly rates are changing
Secondary Network 22 23 24 25 26 27 28 29 30 31 32 33 34 53
10% 0% 0% 5% 0% 0% 5%
35% 7% 0%
15% 7%
10%

54. Stochastic Problem Formulation
Minimize FRTU usage
Can narrow down to ≤ k meters with ≥ w% chance
Considering future load growth
We propose a stochastic optimization technique based on cross entropy optimization technique and conditional random field method 54

55. Theoretical Foundation of Cross Entropy Optimization? 55

56. Estimating δ(a)
f(X) a a
Importance Sampling 56

57. Importance Sampling
Each node is associated with a PDF indicating the probability to insert an FRTU
Generate a set of samples using these PDFs
Choose a set of top performance samples
Update the corresponding PDF
Repeat the above process until convergence 57

58. Our FRTU Deployment

59. Ongoing International Collaboration
Our group is currently collaborating with 9 groups internationally, spanning both industry and academia, on the topic of smart home cybersecurity. 59

60. Collusive Energy Theft
Attack a group of smart meters.
For example, reduce mine by 1000kwh while increasing neighbors by 1000kwh.
Interferes the electricity billing system leading to overloading without being sensed by the detection techniques. 60

61. Renewable Energy and Net Metering
Due to the renewable energy, the grid energy demand changes which impacts the electricity pricing.
According to net metering, the customers are allowed to sell the generated renewable energy back to power grid.
What is the right pricing? Behavior modelling? 61

62. Hardware Security and Crosslayer Defense
Electricity Price
Embedded Software
Energy Load
Part of detection code is implemented at a smart meter, but the smart meter itself can be hacked.
We need the crosslayer defense. 62

63. Chain of Hack Just check Java code? What if VM is hacked?
Java Virtual Machine
What if VM is hacked?
What if OS is hacked? OS
What if firmware is hacked?
Firmware
Hardware 63

64. An Example Typically, the code jumps to the beginning of a routine.
A potential solution is to add some specific registers in the hardware architecture to monitor where a code jumps.
The detection algorithm needs to consider both the software security analysis and the runtime readings from those specific registers.
This is a crosslayer security solution, which aims to establish a chain of trust.
Typically, the code jumps to the beginning of a routine.
The hacker can manipulate the binary code to jump to the middle of a routine which contains malicious code. 64

65. Developing POMDP Based Crosslayer Defense
Hierarchical Decomposition of the State Space
Cross Entropy Based State Minimization
Kernelized Approximate Dynamic Programming

66. Privacy: Obfuscation by Proxy Mapping
Central Computer
Central Computer
Customer A
Customer B
Customer C
Proxy
Customer 1
Customer 2
Customer 3
Customer 1
Customer 2
Customer 3 66

67. Homomorphic Encryption
Arithmetic on Encrypted Data
𝐸 𝑚,𝑟 = 𝑔 𝑚 𝑟 𝑛 𝑚𝑜𝑑 𝑛 2
𝑚=𝐿( 𝑐 𝜆 𝑚𝑜𝑑 𝑛 2 )
𝐷 𝐸 𝑚, 𝑟 1 ∙𝐸 𝑚, 𝑟 2 𝑚𝑜𝑑 𝑛 2 = 𝑚 1 + 𝑚 2
Encryption
Encryption
Encryption
Encrypt both communication and computation 67

68. Conclusion 68 Distribution Dispatching Center
Primary Distribution Network
with Feeder Remote Terminal Units (FRTUs)
Secondary Distribution Network
with Smart Meters
Customer Billing Center Network 68

69. Thanks 69