Slide1
Smart Home Cybersecurity: Threat and Defense in a Cyber-Physical System
Professor Shiyan Hu
Department of Electrical and Computer Engineering
Michigan Technological University
Slide2
Michigan Tech CPS Research Group
Currently consists of 11 faculty members and more than 50 graduate students across departments of ECE, CS, ME and School of Technology.
Slide3
International Advisory Board
Deputy Editor-In-Chief, IEEE Transactions on Computer Aided Design, IEEE Fellow
Former Editor-In-Chief, IEEE Transactions on Computer Aided Design, IEEE Fellow
Editor-In-Chief, IEEE Transactions on Computers, IEEE Fellow, IET Fellow, AAAS Fellow
Editor-In-Chief, IEEE Transactions VLSI, Editor-In-Chief, ACM Journal on Emerging Technologies in Computing Systems, and Former Editor-In-Chief, IEEE Design & Test of Computers, IEEE Fellow, ACM Fellow
Editor-In-Chief, ACM Transactions on Design Automation of Electronic Systems, IEEE Fellow
Editor-In-Chief, IEEE Transactions on Circuits and Systems, IEEE Fellow
Founding Chair, IEEE Smart Cities Initiative
Member of U.S. National Academy of Engineering, IEEE Fellow, ACM Fellow
Slide4
Smart Home: Industrial Perspective
Slide5
Smart Switch to Traditional Appliances
Slide6
Many Sensors To Maintain
Slide7
Smart Home: Academic Perspective
Slide8
The Power System
A 5% energy efficiency improvement among residential users leads to a carbon emission reduction equivalent to removing 53 million cars in the U.S.
Slide9
The Single User Smart Home
[Figure: single-user smart home; labels: Power flow, Control flow, Internet]
Why do we schedule?
Slide10
Varying Energy Consumption
Typical summer energy load profile in State of Ontario, Canada. The peak load occurs around 7:00 pm, a time that usually involves a lot of human activity.
Source: Ontario Energy Board
Slide11
Dynamic Electricity Pricing
Hourly Price from Ameren Illinois
Set high prices at peak energy hours to discourage energy usage there, for energy load balancing.
Slide12
Energy Scheduling for a Single Smart Home
Given the electricity pricing, decide
when to launch a home appliance
at what power level
for how long
subject to scheduling constraints
Targets
Reduce monetary cost of each user
Reduce peak to average ratio of grid energy usage
The smart home scheduler computes scheduling solutions for the future, so it needs the future pricing. How?
Slide13
Two Pricing Models: Guideline and Realtime Pricing
Guideline price: the utility publishes it one day ahead to guide customers in scheduling their appliances, by providing the predicted pricing for the next 24 hours.
Real time price: the utility uses it to bill customers, e.g., it obtains the total energy consumption in the past hour, computes the total bill as a quadratic function of the total energy, and then distributes the bill to each customer proportionally.
Slide14
Multiple Users?
[Figure: Customer 1, Customer 2, ..., Customer n]
Game theory is used to handle the interactions among customers.
Dynamic Pricing + Game Theory = U.S. Solution
Slide15
Decentralized Scheduling at Community Level
[Flowchart, customer level: Initialize; Maximize (through the dynamic programming based algorithm); Share information; Converge? (Yes / No); End]
[Flowchart, community level:]
Each user schedules their own appliances separately
All users share information with each other
Each user reschedules their own appliances separately
Schedule
Converge? (Yes / No)
Slide16
Case Study
5 communities, each containing 400 customers, and 2 utilities.
The simulation time horizon is 24 hours from the current time, divided into 15-minute time slots.
Slide17
Average Energy Consumption and Bill
Many issues beyond energy and bill
Impact to electricity market
Architecture
Community level, city level
Centralized, decentralized, hierarchical
Reliability
Privacy
Cybersecurity
Slide18
What Will be Discussed?
[Figure layers: Electricity Price, Energy Load, Embedded Software]
Purposes of hacking
Individual level: bill reduction
Local community level: load increase/fluctuation
Larger area level: cascading effect
Hack the input of a smart meter (pricing cyberattack)
Hack the smart meter (hardware security)
Hack the output of a smart meter (energy theft)
Slide19
Vulnerability in Pricing Propagation in AMI
[Figure: Utility (Utility Pricing), Fiber Cable, Aggregator, Base Station, WiMAX, Access Point, TI SoC Based Smart Meter w/ Remote Upgrade]
In Advanced Metering Infrastructure (AMI), WiMAX is used for communication with smart meters. The customers' smart meters connect to the aggregator's base station through the access point.
WiMAX is able to operate on different frequency bands, primarily 2.3, 2.5, 3.65 and 5GHz. It has a throughput of 25MBps (in practice). Each access point can serve 200 smart meters at the same time.
Slide20
Hacking Google Nest (Backdoor)
Set high voltage and reboot from USB
Slide21
Hacking Belkin Wemo (Accessible Programming Port)
Remote switch
How to hack?
Connecting a UART adapter with “57600,8N1”
Run the command “kill -9 $(ps | grep 'reboot'|sed -r -e 's/^ ([0-9]+) [0-9]+/\1/')”
Root shell can be accessed
Company Response
New firmware adds SSL encryption and validation to prevent a malicious firmware attack.
Slide22
Advanced Hacking: Secure Key Localization
[Figure: ASIC Chip with inputs (Input1, Input2, Input3, ...) and states (State1, State2, State3, ...); Encryption; Communications]
Smart device communication is encrypted, but the secure key is typically stored in the flash rather than in the ASIC. We can potentially locate the secure key.
Slide23
Media Reports
Slide24
Pricing Cyberattack For Reducing Hacker’s Bill
[Figure: Authentic Guideline Price, Fake Guideline Price, Actual Price, Actual Energy Load; annotations: "Hacker wants to schedule here but it is expensive", "Now it is much cheaper"]
Create a low price period. The attacker can schedule his energy consumption there, reducing his bill by 34.3%, while the bills of other customers increase by 7.9% on average.
Without Attack, $3.82 paid by each customer
With Attack, $4.12 paid by each customer
Slide25
Pricing Cyberattack For Forming a Peak Load (Overloading)
[Figure: Expected Energy Load, Fake Guideline Price, Actual Energy Load, Peak Energy Load; panels: Without Attack, With Attack; annotation: "Hacker wants to create a peak on the energy load here"]
Create a peak energy load; the peak to average ratio is increased by 35.7%. The real time electricity price from 7:00 pm to 9:00 pm is increased by 43.9%.
Slide26
Cascading Impacts on a 5-Bus System
[Figure: 5-bus system with Bus 1 to Bus 5 connected by Line 1 to Line 7]
A pricing cyberattack can increase the load and power flow. If the power flow on a line exceeds the capacity, the line is tripped.
Slide27
Detection Technology For Pricing Cyberattack
Detection of cyberattacks
The hacker changes the guideline pricing, so the key is to detect anomalies in the guideline pricing.
The electricity price tends to be similar in the short term. Customers can use a machine learning technique to predict the energy price from recent historical data, then compare the predicted guideline price with the received guideline price.
Support Vector Regression is a good choice as it provides robust training results.
[Figure: Electricity Price from 06/11 to 06/13 from Ameren Illinois]
Slide28
The Guideline Electricity Price Prediction
The electricity price of the last T days. H is the number of time slots per day.
Kernel Function
Predicted guideline electricity price is computed as
Slide29
Anomaly Detection? The First Idea
Cyberattack is detected if
How to set the threshold?
Set it to 0, then all manipulation could be found, but with too many false detections.
Set it to a large value, then there are few false alarms but few cyberattacks are detected.
If one can tolerate up to an impact (e.g., 2% bill increase) due to cyberattack, then what is the right threshold?
Slide30
The Second Idea: Alert if Impact is Significant
Predicted Price: Average Bill, PAR
Received Price: Average Bill, PAR
Slide31
Simulation Result (Detection with =5% and =2%)
Predicted Guideline: Average Bill $3.83, PAR 1.17
Unattacked Guideline: Average Bill $3.82, PAR 1.153
Difference: Average Bill -0.26%, PAR -1.45%
Predicted Guideline: Average Bill $3.83, PAR 1.17
Attacked Guideline: Average Bill $4.09, PAR 1.203
Difference: Average Bill 6.79%, PAR 2.82%
Slide32
Limitation?
The above technique is a point solution, with no memory of the past and no prediction of the future.
If =2% is used, then the hacker could simply manipulate guideline pricing with 1.9% bill increase at each time slot.
Minor impact for each time slot, but the cumulative impact over a long time could be significant.
Need long term monitoring and detection technique.
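The impact-based check from the "Second Idea" slide and its blind spot from the "Limitation?" slide, as an added example that is not part of the original slides. The load profile, prices, the rule that schedulers fill the three cheapest hours, the quadratic cost coefficient, and the mapping of the 2% and 5% thresholds to bill and PAR are all assumptions; the predicted price is taken as given rather than produced by Support Vector Regression.

```python
# Added example (not from the slides): impact-based check of a received guideline price.
# All loads, prices and coefficients below are constructed for illustration.
BASE_KW = [30, 28, 27, 26, 26, 28, 35, 42, 45, 44, 43, 44,
           46, 45, 44, 46, 50, 58, 66, 70, 64, 52, 40, 33]   # fixed load, hours 0..23
FLEX_KWH = 30.0          # shiftable community energy per evening (assumed)
WINDOW = range(16, 24)   # hours in which the shiftable load may run (assumed)
SLOTS = 3                # the load is split over the 3 cheapest hours (assumed)
N_CUSTOMERS = 400
A = 0.03                 # quadratic real-time cost coefficient (assumed)
BILL_LIMIT = 0.02        # assumed mapping of the slides' 2% threshold
PAR_LIMIT = 0.05         # assumed mapping of the slides' 5% threshold


def simulate_load(guideline):
    """Schedulers place the shiftable energy in the cheapest guideline hours."""
    cheapest = sorted(WINDOW, key=lambda h: (guideline[h], h))[:SLOTS]
    load = [float(b) for b in BASE_KW]
    for h in cheapest:
        load[h] += FLEX_KWH / SLOTS
    return load


def impact(load):
    """Average bill (quadratic in hourly total load) and peak-to-average ratio."""
    bill = A * sum(x * x for x in load) / N_CUSTOMERS
    par = max(load) / (sum(load) / len(load))
    return bill, par


def check_guideline(predicted, received):
    """Alert when scheduling on the received price changes bill or PAR too much."""
    bill_p, par_p = impact(simulate_load(predicted))
    bill_r, par_r = impact(simulate_load(received))
    d_bill = (bill_r - bill_p) / bill_p
    d_par = (par_r - par_p) / par_p
    return d_bill > BILL_LIMIT or d_par > PAR_LIMIT, d_bill, d_par


def with_prices(prices, overrides):
    """Copy of a price curve with some hours replaced."""
    out = list(prices)
    for hour, value in overrides.items():
        out[hour] = value
    return out


# Predicted guideline price ($/kWh): follows the usual load shape.
PREDICTED = [0.02 + 0.001 * b for b in BASE_KW]
# Received guideline with a fake low-price period on the evening peak.
PEAK_FAKE = with_prices(PREDICTED, {18: 0.01, 19: 0.01, 20: 0.01})
# Received guideline with a small change that moves one slot of load.
SMALL_FAKE = with_prices(PREDICTED, {21: 0.055})

if __name__ == "__main__":
    for name, received in [("authentic", PREDICTED), ("peak fake", PEAK_FAKE),
                           ("small fake", SMALL_FAKE)]:
        alert, d_bill, d_par = check_guideline(PREDICTED, received)
        print(f"{name:10s} alert={alert} bill {d_bill:+.2%} PAR {d_par:+.2%}")
```

The small change stays under both limits in every slot it is applied to, which is why the slides move on to a detector with memory.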
Slide33
Long Term Detection
Last hour a smart meter was hacked, and this hour it is hacked again, so will it be hacked in the next hour?
Last hour 4 smart meters were hacked and this hour 7 smart meters are hacked, so what will happen in the next hour?
Slide34
POMDP Based Long Term Defense
What is POMDP?
Partially Observable Markov Decision Process
Why good for long term defense?
Belief state, model training and probabilistic long term reward to account for the cumulative impact
Three layer architecture
Observation, State, Action
POMDP models the interactions among them
Slide35
A Simple Example of POMDP
, : No hacking,
, : Smart meter 1 is hacked,
, : Smart meter 2 is hacked.
, : Both smart meters are hacked.
: No or negligible cyberattack,
: Check and fix the hacked smart meters
Slide36
Output of POMDP: Policy Transfer Graph
Slide37
Step 1: Probabilistic State Transition Diagram
[Figure: probabilistic state transition diagram; edges labelled with transition probabilities]
Learn from historical observation data
Calibrate the mapping from observation to state
Apply conditional probability (Bayesian rule)
Slide38
Step 2: Probabilistic Transition to Policy Transfer Graph
We need to account for the future impact
Slide39
Model Future and Discount It
Discount Factor: 0.5
1 for 2pm
0.5 for 3pm
0.25 for 4pm
0.125 for 5pm
Associate a reward to each action and weight it differently at different time slots. Find a series of actions leading to the maximum reward for the future k time slots.
Slide40
Computing Long Term Expected Reward
[Figure: branch probabilities 80% and 20%]
Slide41
The POMDP Formulation
A POMDP problem is formulated as
: The system state space.
: The action space.
: The observation of the system state.
: The state transition function, defined as the probability that the system transits from state to when action is taken.
: The observation function, defined as the probability that the observation is when the state and action are and respectively.
: The reward function, defined as the reward achieved by the decision maker taking action and the state transits from to .
Slide42
Key 1: Observation, Action → State
Using the belief state, the POMDP problem is reduced to
: The space of belief state
Given a new observation, the belief state is updated as
: The intermediate reward for taking action in the belief state (1)
: The transition function between the belief states (2)
, given the previous belief state, previous action and current observation.
Thus,
Note that even if we have exactly the same observations in two steps, we could have different belief states.
Slide43
Key 2: State Transition Probability Computation
When
(3)
(4)
Slide44
From to
Compute directly?
In general, we cannot since we do not know the state.
The action does not change the state, so we can obtain the state transition from the observation transition.
Define observation transition function
Training for : In the past, appears 10 times before is taken. When is taken, there are 8 times it transits to and 2 times transits to . Thus, ,
(5)
(6)
is approximated by
Slide45
Key 3: State → Action?
POMDP aims to maximize the expected long term reward
(Bellman’s Optimality), where is a discount factor to reduce the importance of the future events, and is the reward achieved in step .
Reward for each action
(7)
(8)
System loss when there is an undetected cyberattack
Labor cost due to detection
Slide46
Compute Prob. Transition and Optimal Series of Actions Leading to Maximum Reward
Slide47
[Flowchart]
Obtain the Observation
Map the observation to belief state
Compute the belief state transition according to Eqn. (2)
Compute the intermediate reward function according to Eqn. (1)
Solve the optimization problem P to get the optimal action
Obtain the training data
Estimate the state transition probability for action using according to Eqn. (5) and Eqn. (6)
Reset state transition probability and observation probability for from Eqn. (3) and Eqn. (4) respectively.
Obtain the reward functions according to Eqn. (7) and Eqn. (8) respectively.
? (Yes / No)
Apply single event defense technique on each smart meter to check the hacked smart meters and fix them.
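The procedure on the preceding slides (frequency-based transition estimate, belief update, discounted action choice) for the two-meter example, as an added example that is not part of the original slides. It uses the standard POMDP belief update and an exhaustive search over the next three slots; the training counts, observation accuracy, loss and labor costs, and the rule that a fix returns the system to the no-hacking state are assumptions.

```python
# Added example (not from the slides): belief tracking and action choice for the
# two-meter POMDP. Counts, probabilities and costs are constructed.
GAMMA = 0.9
STATES = range(4)        # 0: none hacked, 1: meter 1, 2: meter 2, 3: both hacked
IGNORE, FIX = 0, 1       # the two actions on the example slide

# COUNTS[o][o2]: how often observation o was followed by o2 while IGNORE was taken.
COUNTS = [[8, 1, 1, 0], [0, 7, 0, 3], [0, 0, 7, 3], [0, 0, 0, 10]]
T = {
    IGNORE: [[c / sum(row) for c in row] for row in COUNTS],  # frequency estimate
    FIX: [[1.0, 0.0, 0.0, 0.0] for _ in STATES],              # assumed: fix restores state 0
}
OBS = [[0.7 if o == s else 0.1 for o in STATES] for s in STATES]  # P(o | s), assumed
LOSS = [0.0, 200.0, 200.0, 500.0]   # loss per slot of an unhandled attack (assumed)
LABOR = 50.0                        # cost of one check-and-fix round (assumed)


def update(belief, action, obs):
    """Bayes rule: b'(s2) ~ P(obs | s2) * sum_s T(s2 | s, action) * b(s)."""
    predicted = [sum(belief[s] * T[action][s][s2] for s in STATES) for s2 in STATES]
    unnorm = [OBS[s2][obs] * predicted[s2] for s2 in STATES]
    p_obs = sum(unnorm)              # probability of seeing obs at all
    return [u / p_obs for u in unnorm], p_obs


def reward(belief, action):
    """Expected immediate reward: labor cost for FIX, expected loss for IGNORE."""
    if action == FIX:
        return -LABOR
    return -sum(b * loss for b, loss in zip(belief, LOSS))


def plan(belief, depth):
    """(value, action) maximising discounted reward over the next `depth` slots."""
    if depth == 0:
        return 0.0, None
    best = None
    for action in (IGNORE, FIX):
        value = reward(belief, action)
        for obs in STATES:
            nxt, p_obs = update(belief, action, obs)
            value += GAMMA * p_obs * plan(nxt, depth - 1)[0]
        if best is None or value > best[0]:
            best = (value, action)
    return best


def demo():
    b0 = [1.0, 0.0, 0.0, 0.0]
    b1, _ = update(b0, IGNORE, 1)    # detector reports "meter 1 hacked"
    b2, _ = update(b1, IGNORE, 1)    # same report again: belief keeps moving
    return b0, b1, b2, plan(b0, 3)[1], plan(b1, 3)[1]


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The two identical observations give different beliefs in "meter 1 hacked" (0.4375, then about 0.79), which is the point of the note on the Key 1 slide.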
Slide48
Simulation Setup
We conduct 2 simulations on a small testcase and a large testcase.
Parameter
5-customer: 4, 5, $50, $50, $200, $500, 0.9
500-customer: 150, 250, $50, $2000, $25000, $100000, 0.9
Compare with
Heuristic method (repeatedly using single event defense technique).
No defense technique.
We show
The impact including PAR increase, bill increase and labor cost.
The observation accuracy defined as , where is the number of hacked smart meters and is the observed number of hacked smart meters.
Slide49
Observation Accuracy for The 500-Customer Testcase
Slide50
Comparison on The 500-Customer Testcase
Comparing with the results without defense technique, the PAR increase and bill increase are reduced by and , respectively.
Comparing with the heuristic method, our proposed method can further reduce the PAR and bill increase by and , respectively at the expense of increasing the labor cost by .
Method: PAR, Bill, Labor Cost
No Defense: PAR 31.3%, Bill 1
Heuristic Method: PAR 8.40%, Bill 0.313, Labor Cost 1
Proposed Method: PAR 3.42%, Bill 0.118, Labor Cost 1.0813
Slide51
First Pricing Cyberattacks in Smart Home CPS
Guideline price changes
Energy usage changes
Actual price changes
We explore the interdependence between the power system (energy load) and the communication system (the transmitted price values).
Slide52
Energy Theft: Detection w/ Machine Learning?
A smart meter is hacked such that it transmits a reading of 100kWh when 1000kWh is actually measured.
Detectable through statistical data analysis techniques such as the Bollinger band.
[Figure: Energy consumption 2:00pm – 2:15pm over 100 days]
Slide53
Problem of This Idea
False positive
Anomaly data do not necessarily mean meter tampering
They could be due to occasional user behavior change
Critical to distinguish tampered anomaly and non-tampered anomaly
Slide54
Feeder Remote Terminal Unit (FRTU)
A device installed in the primary distribution network
Monitor the power flow of the distribution system
Communicate with smart meters
Communicate with Distribution Dispatching Center (DDC)
Perform some basic operation such as opening the switch
We propose to use it for cybersecurity
Use Machine Learning and Deploy Sensors Together
Slide55
Using FRTU in Tampering Detection
[Figure: distribution network with nodes 1 to 35, from the feeder head through the primary network (Level 1 to Level 4) to the secondary network; legend: Node, Distribution Transformer, Residential Consumer, Industrial Consumer, FRTU]
Slide56
Impact of Different FRTU Deployment
[Figure: distribution network with nodes 1 to 35, from the feeder head through the primary network (Level 1 to Level 4) to the secondary network; legend: Node, Distribution Transformer, Residential Consumer, Industrial Consumer, FRTU; annotations: "Mismatch detected", "Tampering", "Let’s go there to check…"]
Insert FRTU everywhere?
Place a limited number of FRTUs such that the system can well detect smart meter tampering
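Bollinger-band screening of reported readings combined with the FRTU mismatch check, to separate a tampered anomaly from a behaviour change as the preceding slides require; this is an added example, not part of the original slides. Meter names, the daily readings for the 2:00pm to 2:15pm slot, the 20-day/2-sigma band and the 3% tolerance are assumptions, and each feeder section is assumed to have one FRTU above its meters.

```python
# Added example (not from the slides): Bollinger-band screening of reported readings,
# followed by an FRTU cross-check. Meter names, readings and tolerance are constructed.
import statistics

WINDOW, K = 20, 2.0      # usual Bollinger settings: 20-sample mean +/- 2 std
LOSS_TOLERANCE = 0.03    # allowed gap between FRTU flow and reported sum (assumed)


def band_anomalies(readings):
    """Days whose reading leaves the band built from the previous WINDOW days."""
    flagged = []
    for day in range(WINDOW, len(readings)):
        past = readings[day - WINDOW:day]
        mean, std = statistics.mean(past), statistics.pstdev(past)
        if abs(readings[day] - mean) > K * std:
            flagged.append(day)
    return flagged


def frtu_mismatch(frtu_kwh, reported_kwh):
    """True when the FRTU saw more energy flow than the meters below it reported."""
    return frtu_kwh - sum(reported_kwh) > LOSS_TOLERANCE * frtu_kwh


def triage(day, reported, actual):
    """Label each meter with a band anomaly on `day` using its feeder's FRTU."""
    frtu_kwh = sum(series[day] for series in actual.values())   # what the FRTU measures
    reported_today = [series[day] for series in reported.values()]
    mismatch = frtu_mismatch(frtu_kwh, reported_today)
    return {meter: ("tampering suspected" if mismatch else "behaviour change")
            for meter, series in reported.items() if day in band_anomalies(series)}


def usage(base, step, days=100):
    """Constructed consumption for the 2:00pm-2:15pm slot, one value per day."""
    return [base + step * (d % 5 - 2) for d in range(days)]


# Feeder section 1: meter A transmits a tenth of what it measures from day 80 on.
ACTUAL_1 = {"A": usage(1000, 20), "C": usage(600, 10)}
REPORTED_1 = {"A": [x if d < 80 else x / 10 for d, x in enumerate(ACTUAL_1["A"])],
              "C": ACTUAL_1["C"]}
# Feeder section 2: meter B has a genuine one-off change in consumption on day 80.
ACTUAL_2 = {"B": usage(500, 10), "D": usage(700, 10)}
ACTUAL_2["B"][80] = 900
REPORTED_2 = ACTUAL_2            # honest meters report what they measure

if __name__ == "__main__":
    print(triage(80, REPORTED_1, ACTUAL_1))
    print(triage(80, REPORTED_2, ACTUAL_2))
```

A shift of reported energy between two meters under the same FRTU leaves the reported sum unchanged, so this cross-check alone does not see the collusive case raised on the Collusive Energy Theft slide.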
Slide57
Motivation
[Figure: distribution network with nodes 1 to 34 in the primary and secondary networks, annotated with historical anomaly rates: 10%, 0%, 0%, 5%, 5%, 35%, 0%, 15%, 10%, 0%, 7%, 0%, 7%]
Probability that any of the 4 smart meters can have anomaly is 14.5%
Can narrow down to 4 smart meters with 100% probability
Probability that any of the 4 smart meters can have anomaly is 28.9%
These historical anomaly rates are changing
Slide58
Stochastic Problem Formulation
Minimize FRTU usage
Can narrow down to ≤ k meters with ≥ w% chance
Considering future load growth
We propose a stochastic optimization technique based on the cross entropy optimization technique and the conditional random field method
Slide59
Theoretical Foundation of Cross Entropy Optimization
Slide60
Estimating
[Figure labels: δ(a), a, f(X); Importance Sampling]
Slide61
Importance Sampling
Slide62
Our FRTU Deployment
Slide63
Ongoing International Collaboration
Our group is currently collaborating with 9 groups internationally, spanning both industry and academia, on the topic of smart home cybersecurity.
Slide64
Collusive Energy Theft
Attack a group of smart meters. For example, reduce mine by 1000kwh while increasing neighbors by 1000kwh.
Interferes with the electricity billing system, leading to overloading without being sensed by the detection techniques.
Slide65
Challenge #1: EV Energy
If some EVs move from one local community to another, the community energy profile changes significantly because EV charging is a large load, which impacts the electricity pricing.
Slide66
Challenge #2: Renewable Energy and Net Metering
Under net metering, customers are allowed to sell the generated renewable energy back to the power grid.
What is the right pricing? Behavior modelling?
Due to the renewable energy, the grid energy demand changes, which impacts the electricity pricing.
Slide67
Smart Building and HVAC
Accurate HVAC modeling in a building can provide better energy and pricing prediction. This can help improve the cyberattack detection accuracy.
Slide68
Hardware Security and Crosslayer Defense
Part of the detection code is implemented at a smart meter, but the smart meter itself can be hacked. We need crosslayer defense.
[Figure layers: Electricity Price, Energy Load, Embedded Software]
Slide69
Chain of Hack
[Figure: stack of layers: Java Code, Java Virtual Machine, OS, Firmware, Hardware]
Just check Java code?
What if VM is hacked?
What if OS is hacked?
What if firmware is hacked?
Slide70
An Example
Typically, the code jumps to the beginning of a routine.
The hacker can manipulate the binary code to jump to the middle of a routine which contains malicious code.
A potential solution is to add some specific registers in the hardware architecture to monitor where a code jumps.
The detection algorithm needs to consider both the software security analysis and the runtime readings from those specific registers.
This is a crosslayer security solution, which aims to establish a chain of trust.
Slide71
Developing POMDP Based Crosslayer Defense
Hierarchical Decomposition of the State Space
Cross Entropy Based State Minimization
Kernelized Approximate Dynamic Programming
Slide72
Privacy: Obfuscation by Proxy Mapping
[Figure: Customer 1, Customer 2, Customer 3 and the Central Computer, shown directly and through a Proxy that maps them to Customer A, Customer B, Customer C]
Slide73
Homomorphic Encryption
Encrypt both communication and computation
Arithmetic on Encrypted Data
Slide74
Conclusion
Slide75
Thanks