/
Smart Home  Cybersecurity Smart Home  Cybersecurity

Smart Home Cybersecurity - PowerPoint Presentation

thesoysi
thesoysi . @thesoysi
Follow
342 views
Uploaded On 2020-06-25

Smart Home Cybersecurity - PPT Presentation

Threat and Defense in a CyberPhysical System Professor Shiyan Hu Department of Electrical and Computer Engineering Michigan Technological University Michigan Tech CPS Research Group 2 Currently consists of 11 faculty members and more than 50 graduate students across departments of ECE ID: 787670

energy smart bill state smart energy state bill price pricing customer load guideline hacked observation electricity meter level meters

Share:

Link:

Embed:

Download Presentation from below link

Download The PPT/PDF document "Smart Home Cybersecurity" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.


Presentation Transcript

Slide1

Smart Home Cybersecurity: Threat and Defense in a Cyber-Physical System

Professor Shiyan HuDepartment of Electrical and Computer EngineeringMichigan Technological University

Slide2

Michigan Tech CPS Research Group2

Currently consists of 11 faculty members and more than 50 graduate students across departments of ECE, CS, ME and School of Technology.

Slide3

International Advisory Board

3

Deputy Editor-In-Chief, IEEE Transactions on Computer Aided Design, IEEE Fellow

Former Editor-In-Chief, IEEE Transactions on Computer Aided Design, IEEE Fellow

Editor-In-Chief, IEEE Transactions on Computers, IEEE Fellow, IET Fellow, AAAS Fellow

Editor-In-Chief, IEEE Transactions VLSI, Editor-In-Chief, ACM Journal on Emerging Technologies in Computing Systems, and

Former Editor-In-Chief, IEEE Design & Test of Computers, IEEE Fellow, ACM Fellow

Editor-In-Chief, ACM Transactions on Design Automation of Electronic Systems, IEEE Fellow

Editor-In-Chief, IEEE Transactions on Circuits and Systems, IEEE Fellow

Founding Chair, IEEE Smart Cities Initiative

Member of U.S. National Academy of Engineering, IEEE Fellow, ACM Fellow

Slide4

Smart Home: Industrial Perspective

4

Slide5

Smart Switch to Traditional Appliances

5

Slide6

Many Sensors To Maintain

6

Slide7

Smart Home: Academic Perspective

7

Slide8

The Power System

5% energy efficiency improvement in residential users leads to carbon emission reduction equivalent to removing 53 million cars in U.S.

8

Slide9

The Single User Smart Home

Power flow

Internet

Control flow

Why we schedule?

9

Slide10

Varying Energy ConsumptionTypical summer energy load profile in State of Ontario, Canada. One can see the peak load around 7:00pm which usually involves a lot of human activities.

Source: Ontario Energy Board10

Slide11

Dynamic Electricity Pricing

Hourly Price from Ameren Illinois

Set high prices at peak energy hours to discourage the energy usage there for energy load balancing

11

Slide12

Energy Scheduling for a Single Smart Home

Given the electricity pricing, to decide

when to launch a home appliance

at what power level

for how long

subject to scheduling constraints

Targets

Reduce monetary cost of each user

Reduce peak to average ratio of grid energy usage

The smart home scheduler computes the scheduling solutions for future, so it needs the future pricing. How?

12

Slide13

Two Pricing Models: Guideline and Realtime Pricing

Guideline price: utility publishes it one day ahead to guide customers to schedule their appliances, through providing the predicted pricing in the next 24 hours. Real time price: utility uses it to bill customers, e.g., it obtains the total energy consumption in the past hour, computes the total bill as a quadratic function of the total energy, and then distributes the bill to each customer proportionally.

13

Slide14

Multiple Users?

Customer 1Customer 2

Customer n

.............

Game theory is used to handle the interactions among customers.

Dynamic Pricing + Game Theory = U.S. Solution

14

Slide15

Decentralized Scheduling at Community levelCustomer

 

Converge?

End

Initialize

Maximize

 

Share information

 

Yes

No

Through the dynamic programming based algorithm

15

Each user schedules their own appliances separately

All users share information with each other

Each user

reschedules

their own appliances separately

Schedule

Converge

Yes

No

Slide16

Case Study5 communities in which each one contains 400 customers, and 2 utilities.Simulation time horizon is 24 hours from the current time, which is divided into 15-minutes time slots.

16

Slide17

Average Energy Consumption and Bill

17

Many issues beyond energy and bill

Impact to electricity market

Architecture

Community level,

c

ity level

Centralized, decentralized,

h

ierarchical

Reliability

Privacy

Cybersecurity

Slide18

What Will be Discussed?

Electricity Price

Energy Load

Embedded Software

Purposes of hacking

Individual level: bill reduction

Local community level:

load increase/fluctuation

Larger area level: cascading effect

Hack the input of a smart meter (

pricing

cyberattack

)

Hack the smart meter (hardware security)

Hack the output of a smart meter (energy theft)

18

Slide19

Vulnerability in Pricing Propagation in AMI

WiMAX

Utility Pricing

Utility

Aggregator

TI

SoC

Based Smart Meter w/ Remote

U

pgrade

In Advanced Metering Infrastructure (AMI),

WiMAX

is used for the communication with smart meters. The smart meter of the customers connect to the base station of aggregator through the access point.

WiMAX

is able to operate on different frequency bands, primarily 2.3, 2.5, 3.65 and 5GHz. It has a throughput of 25MBps (in practice). Each access point can serve 200 smart meters at the same time.

Fiber Cable

Base Station

Access Point

19

Slide20

Hacking Google Nest (Backdoor)

Set high voltage and reboot from USB

20

Slide21

Hacking Belkin Wemo (Accessible Programming Port)Remote switchHow to hack?Connecting a UART adapter with “57600,8N1”

Run the command “kill -9 $(ps | grep 'reboot'|sed -r -e 's/^ ([0-9]+) [0-9]+/\1/')” Root shell can be accessedCompany ResponseNew firmware adds SSL encryption and validation to prevent a malicious firmware attack.

21

Slide22

Advanced Hacking: Secure Key Localization

ASIC Chip

Input1

Input2

Input3

.

.

.

State1

State

2

State

3

.

.

.

Encryption

Communications

22

Smart device communication is encrypted, but the secure key is typically in the flash but not ASIC. We can potentially locate the secure key.

Slide23

Media Reports

23

Slide24

Pricing Cyberattack For Reducing Hacker’s Bill

Fake Guideline Price

Actual Energy Load

Actual Price

Authentic Guideline Price

Hacker wants to schedule here but it is expensive

Now it is much cheaper

24

With Attack, $4.12 paid by each customer

Create a low price period. The attacker can schedule his energy consumption there with bill reduction by 34.3%, while the bill of other customers are increased by 7.9% on average.

Without Attack,

$3.82 paid by each customer

Slide25

Pricing Cyberattack For Forming a Peak Load (Overloading)

Expected Energy Load

Fake Guideline Price

Actual Energy Load

Hacker wants to create a peak on the energy load here

Peak Energy Load

25

Create a peak energy load and the peak to average ratio is increased by 35.7%. The real time electricity price from 7:00 pm to 9:00 pm is increased by 43.9%.

Without Attack

With Attack

Slide26

Cascading Impacts on a 5-Bus System

Bus 1

Bus 2

Bus 3

Bus 4

Bus 5

Line 1

Line 2

Line 3

Line 4

Line 5

Line 6

Line 7

26

Pricing

cyberattack

can increase the load and power flow. If

the power flow on a line exceeds the capacity, the line is

tripped.

Slide27

Detection Technology For Pricing CyberattackDetection of cyberattacksHacker changes the guideline pricing, so the key is to detect anomaly in guideline pricing.

The electricity price trends to be similar in short term. Customers can use machine learning technique to predict energy price from recent historical data. Compare the predicted guideline price with the received guideline price.Support Vector Regression is a good choice as it provides robust training result.

Electricity Price from 06/11 to 06/13 from Ameren Illinois

27

Slide28

The Guideline Electricity Price Prediction

The electricity price of the last T days. H is the number of time slots per day.

28

Kernel Function

Predicted guideline electricity price is computed as

Slide29

Anomaly Detection? The First Idea

Cyberattack is detected if

 

29

How to set the

threshold?

Set

it to 0, then all manipulation could be found but too much false

detection.

Set

it to a large value, then few false alarm with few

cyberattacks

detected.

If one

can tolerate up to

an impact (e.g., 2

% bill

increase)

due to cyberattack, then what is the right threshold?

Slide30

The Second Idea: Alert if Impact is Signifcant

Predicted Price

Average Bill:

PAR:

 

Received Price

Average

Bill:

PAR:

 

 

30

Slide31

Simulation Result (Detection with =5% and

=2%) 

Predicted Guideline: Average Bill $3.83, PAR 1.17

Unattacked

Guideline: Average Bill $3.82, PAR 1.153

Difference: Average Bill -0.26%, PAR -1.45%

Predicted Guideline: Average Bill $3.83, PAR 1.17

Attacked Guideline: Average Bill $4.09, PAR 1.203

Difference: Average Bill 6.79%, PAR 2.82%

31

Slide32

Limitation?

The above technique is a point solution, with no memory on the past and no prediction to the future.If =2% is used, then the hacker could simply manipulate guideline pricing with 1.9% bill increase at each time slot.Minor impact for each time slot, but cumulative impact over a long time could be significant.

Need long term monitoring and detection technique.

 

32

Slide33

Long Term DetectionLast hour a smart meter hacked, and this hour it is hacked again, so will it be hacked in the next hour?

Last hour 4 smart meters are hacked and this hour 7 smart meters hack, so what will be the next hour?

?

?

33

Slide34

POMDP Based Long Term DefenseWhat is POMDP?Partially Observable Markov Decision Process Why good for long term defense?Belief state, model training and probabilistic long term reward to account for the cumulative impactThree layer architecture

Observation, State, ActionPOMDP models the interactions among them

34

Slide35

A Simple Example of POMDP

 

35

,

: No hacking,

,

:

Smart meter 1 is hacked,

,

: S

mart meter 2 is

hacked

.

,

:

Both smart meters are hacked.

 

: No or negligible cyberattack,

: Check and fix the hacked smart meters

 

Slide36

Output of POMDP: Policy Transfer Graph

 

 

 

 

 

36

Slide37

Step 1: Probabilistic State Transition Diagram

 

 

 

0.5|

,

1

|

 

0.5|

,

0

|

 

0.5|

,

0

|

 

0.5|

,

0

|

 

0.5|

,

0

|

 

0|

,

1

|

 

0|

,

1

|

 

0.2|

,

0

|

 

0.2|

,

0

|

 

37

 

1|

,

0

|

 

0.1|

,

0

|

 

0|

,

0

|

 

0.1|

,

0

|

 

0|

,

1

|

 

0|

,

0

|

 

0|

,

0

|

 

Learn

from historical

observation data

Calibrate the mapping from observation to state

Apply conditional probability

(Bayesian rule

)

Slide38

Step 2: Probabilistic Transition to Policy Transfer Graph

 

 

 

 

 

We need to account for the future impact

38

Slide39

Model Future and Discount It

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Discount Factor: 0.5

0.5 for 3pm

 

0.25

for 4pm

 

0.125

for 5pm

 

>

<

<

<

>

<

<

 

 

 

 

1 for 2pm

 

Associate a reward to each action and weight it differently at different time slot. Find a series of actions leading to the maximum reward for the future k time slots.

39

Slide40

80%

 

20%

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Computing Long Term Expected Reward

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

40

Slide41

The POMDP FormulationA POMDP problem is formulated as

: The system state space.

: The action space.

: The observation of the system state.

: The state transition function, defined as the probability that the system transits from state

to

when action

is taken.

: The observation function, defined as the probability that the observation is

when the state and action are

and

respectively.

: The reward function, defined as the reward achieved by the decision maker taking action

and the state transits from

to

.

 

41

Slide42

Key 1: Observation, Action → StateUsing the belief state, the POMDP problem is reduced to

: The space of belief stateGiven a new observation, the belief state is updated as

: The intermediate reward for taking action

in the belief state

(1)

: The transition function between the belief states

(2)

, given the previous belief state, previous action and current

observation.

Thus,

Note

that even if we have exactly the same observations in two steps, we could have different belief states.

 

42

Slide43

Key 2: State Transition Probability ComputationWhen

(

3

)

(

4

)

 

43

Slide44

From

to

 

Compute

directly?

In general, we

cannot since we do not know the state.

The action

does not change the state,

so we

can obtain the state transition from the observation

transition.

Define

observation transition function

Training for

: In the past,

appears 10 times before

is taken. When

is taken, there are 8 times it transits to

and 2 times transits to

. Thus,

,

(5)

(6)

is approximated by

 

44

Slide45

Key 3: State → Action?POMDP aims to maximize the expected long term reward

(Bellman’s Optimality), where

is a discount factor to reduce the importance of the future events, and

is the reward

achieved in step

.

Reward for each action

(7)

(8)

 

45

System loss when there is an undetected cyberattack

Labor cost due to detection

Slide46

Compute Prob. Transition and Optimal Series of Actions Leading to Maximum Reward

46

Slide47

Obtain the Observation

 

Map the observation to belief state

 

Compute the belief state transition

according to Eqn. (

2

)

 

Compute the intermediate reward function

according to Eqn. (

1

)

 

Solve the optimization problem P to get the optimal action

 

Obtain the training data

Estimate the state transition probability

for action

using

according to Eqn. (

5

) and Eqn. (

6

)

 

Reset state transition probability

and observation probability

for

from Eqn. (3) and Eqn. (

4

) respectively.

 

Obtain the reward functions according to Eqn. (

7

) and Eqn. (

8

) respectively.

?

 

Apply single event defense technique on each smart meter to check the hacked smart meters and fix them.

I

Yes

No

47

Slide48

Simulation SetupWe conduct 2 simulations on a small testcase and a large testcase.

. Parameter

5-customer

4

5

$50

$50

$200

$500

0.9

500-customer

150

250

$50

$2000

$25000

$100000

0.9

Parameter

5-customer

4

5

$50

$50

$200

$500

0.9

500-customer

150

250

$50

$2000

$25000

$100000

0.9

48

Compare

with

Heuristic method (repeatedly using single event defense technique).

No defense technique.

We show

The

impact including PAR increase, bill increase and labor cost.

The observation accuracy defined as

, where

is the number of hacked smart meters and

is the observed number of hacked smart meters.

 

Slide49

Observation Accuracy for The 500-Customer Testcase

49

Slide50

Comparison on The 500-Customer TestcaseComparing with the results without defense technique, the PAR increase and bill

increase are reduced by and

,

respectively.

Comparing

with the

heuristic

method, our proposed method

can further

reduce the

PAR

and bill

increase by

and

, respectively

at the expense of increasing the labor cost

by

.

 

Method

No Defense

Heuristic Method

Proposed Method

PAR

Bill

PAR

Bill

Labor

PAR

Bill

Labor

Cost31.3%

1

8.40%

0.313

1

3.42%

0.118

1.0813

50

Slide51

First Pricing Cyberattacks in Smart Home CPS

Guideline price changes

Energy usage changes

Actual price changes

We explore

interdependance

between the power system (energy load) and the communication system (the transmitted price values).

51

Slide52

Energy Theft: Detection w/ Machine Learning?A smart meter is hacked such that it transmits the reading of 100kWh but actually 1000kWh is measured.

Detectable through the statistical data analysis technique such as bollinger band.

Energy consumption 2:00pm – 2:15pm over 100 days

52

Slide53

Problem of This IdeaFalse positive Anomaly data do not necessarily mean meter tampering

They could be due to occasional user behavior change53

Critical to distinguish tampered anomaly and non-tampered anomaly

Slide54

Feeder Remote Terminal Unit (FRTU)A device installed in the primary distribution networkMonitor the power flow of the distribution systemCommunicate with smart metersCommunicate with Distribution Dispatching Center (DDC)Perform some basic operation such as opening the switch

We propose to use it for cybersecurity54

FRTU

Use Machine Learning and Deploy Sensors Together

Slide55

Using FRTU in Tampering Detection

1

2

4

5

7

6

3

8

9

Node

Distribution Transformer

Residential Consumer

Industrial Consumer

FRTU

Level 4

Level 3

Level 2

Level 1

10

11

12

13

14

15

16

17

18

19

21

20

22

23

24

25

26

27

28

29

30

31

32

33

34

35

Feeder head

Primary Network

Secondary Network

55

Slide56

Impact of Different FRTU Deployment

56

1

2

4

5

7

6

3

8

9

Node

Distribution Transformer

Residential Consumer

Industrial Consumer

FRTU

Level 4

Level 3

Level 2

Level 1

10

11

12

13

14

15

16

17

18

19

21

20

22

23

24

25

26

27

28

29

30

31

32

33

34

35

Feeder head

Primary Network

Secondary Network

Let’s go there to check…

Mismatch detected

Tampering

Insert FRTU everywhere?

Please limited

number of FRTUs such that the system can well detect smart meter tampering

Slide57

Motivation57

571

2

4

5

7

6

3

8

9

10

11

12

13

14

15

16

17

18

19

21

20

22

23

24

25

26

27

28

29

30

31

32

33

34

Primary Network

Secondary Network

10%

0%

0%

5%

5%

35%

0%

15%

10%

0%

7%

0%

7%

Probability that any of the 4 smart meters can have anomaly

is 14.5

%

Can narrow down to 4 smart meters with 100% probability

Probability that any of the 4 smart meters can have anomaly is 28.9%

These historical anomaly rates are changing

Slide58

Stochastic Problem Formulation

Minimize FRTU usageCan narrow down to ≤ k meters with ≥ w% chanceConsidering future load growthWe propose a stochastic optimization technique based on cross entropy optimization technique and conditional random field method58

Slide59

Theoretical Foundation of Cross Entropy Optimization

?

59

Slide60

Estimating

δ(a)

a

a

f(X)

Importance Sampling

60

Slide61

Importance Sampling

61

Slide62

Our FRTU Deployment

62

Slide63

Ongoing International CollaborationOur group is currently collaborating with 9 groups internationally, spanning both industry and academia, on the topic of smart home cybersecurity.

63

Slide64

Collusive Energy TheftAttack a group of smart meters. For example, reduce mine by 1000kwh while increasing neighbors by 1000kwh.Interferes the electricity billing system leading to overloading without being sensed by the detection techniques.

64

Slide65

Challenge #1: EV EnergyIf some EVs move from a local community to the other community, since EV charging is a large load the community energy profile is significantly changed which impacts the electricity pricing.

65

Slide66

Challenge #2: Renewable Energy and Net Metering

According to net metering, the customers are allowed to sell the generated renewable energy back to power grid.What is the right pricing? Behavior modelling?

66

Due to the renewable energy, the grid energy demand changes which impacts the electricity pricing.

Slide67

Smart Building and HVAC

The accurate HVAC modeling in a building can provide better energy and pricing prediction. This can help improve the cyberattack detection accuracy.

67

Slide68

Hardware Security and Crosslayer DefensePart of detection code is implemented at a smart meter, but the smart meter itself can be hacked. We need the crosslayer defense.

Electricity Price

Energy Load

Embedded Software

68

Slide69

Chain of Hack

Java Virtual Machine

Java Code

OS

Just check Java code?

What if VM is hacked?

What if OS is hacked?

Firmware

What if firmware is hacked?

Hardware

69

Slide70

An ExampleTypically, the code jumps to the beginning of a routine.The hacker can manipulate the binary code to jump to the middle of a routine which contains malicious code.

A potential solution is to add some specific registers in the hardware architecture to monitor where a code jumps.

The detection algorithm needs to consider both the software security analysis and the runtime readings from those specific registers.

This is a

crosslayer

security solution, which aims to establish a chain of trust.

70

Slide71

Developing POMDP Based

Crosslayer DefenseHierarchical Decomposition of the State Space

Cross

Entropy Based State

Minimization

Kernelized

Approximate Dynamic Programming

Slide72

Privacy: Obfuscation by Proxy Mapping

Customer 1

Customer 2

Customer 3

Customer A

Customer B

Customer C

Customer 1

Customer 2

Customer 3

72

Central Computer

Central Computer

Proxy

Slide73

Homomorphic Encryption

Encryption

Encryption

Encryption

Encrypt both communication and computation

73

Arithmetic on Encrypted Data

 

Slide74

Conclusion

74

Slide75

Thanks75