
    Methods to Attack and Secure the Power Grids and Energy Markets

    The power grid is a highly complex control system and one of the most impressive engineering feats of the modern era. Nearly every facet of modern society critically relies on the proper operation of the power grid, such that long or even short interruptions can impose significant economic and social hardship on society. The current power grid is undergoing a transformation to a Smart Grid, which seeks to monitor and track diagnostic and operational information so as to enable a more efficient and resilient system. This significant transformation, however, has made the grid more susceptible to attacks by cybercriminals, as highlighted by several recent attacks on power grids that have exposed the vulnerabilities in modern power systems. Motivated by this, this thesis analyzes the effect of three classes of emerging cyberattacks on smart grids and a set of possible defense mechanisms to prevent them or at least reduce their damaging consequences in the grid. In the first part of the thesis, we analyze the security of the power grid against attacks targeting the supervisory control and data acquisition (SCADA) network. We show that the existing techniques require some level of trust in components of the SCADA system, rendering them vulnerable to sophisticated attacks that could compromise the entire SCADA system. As a viable solution to this issue, we present a radio frequency-based distributed intrusion detection system (RFDIDS) that remains reliable even when the entire SCADA system is considered untrusted. In the second part of the thesis, we analyze the performance of the existing high-wattage IoT botnet attacks (Manipulation of Demand via IoT (MaDIoT)) on power grids and show that they are ineffective in most cases because of the existence of legacy protection schemes and the randomness of the attacks. We discuss how an attacker can launch more sophisticated attacks in this category which can cause a total collapse of the power system. We illustrate that by computing voltage instability indices, an attacker can find the appropriate time and locations to activate the high-wattage bots, causing (with very high probability) a complete voltage collapse and blackout in the bulk power system; we call these new attacks MaDIoT 2.0. We also propose novel, effective defenses against MaDIoT 2.0 attacks by modifying the way classical protection algorithms work in power networks. In the third part of the thesis, we discuss how a smart attacker with access to a high-wattage IoT botnet can indirectly manipulate energy prices in electricity markets. We name this attack Manipulation of Market via IoT (MaMIoT). MaMIoT is the first energy market manipulation cyberattack that leverages high-wattage IoT botnets to slightly change the total demand of the power grid with the aim of affecting electricity prices in favor of specific market players. Using real-world data obtained from two major energy markets, we show that MaMIoT can significantly increase the profit of particular market players or financially damage a group of players, depending on the motivation of the attacker. We discuss a set of effective countermeasures to reduce the possibility and effect of such attacks.
    Ph.D. thesis

    Charge Manipulation Attacks Against Smart Electric Vehicle Charging Stations and Deep Learning-based Detection Mechanisms

    The widespread deployment of "smart" electric vehicle charging stations (EVCSs) will be a key step toward achieving green transportation. The connectivity features of smart EVCSs can be utilized to schedule EV charging operations while respecting user preferences, thus avoiding synchronous charging by a large number of customers and relieving grid congestion. However, the communication and connectivity requirements involved in smart charging raise cybersecurity concerns. In this work, we investigate charge manipulation attacks (CMAs) against EV charging, in which an attacker manipulates the information exchanged during smart charging operations. The objective of CMAs is to shift the EV aggregator's demand across different times of the day. The proposed CMAs can bypass existing protection mechanisms in EV communication protocols. We quantify the impact of CMAs on the EV aggregator's economic profit by modeling its participation in the day-ahead (DA) and real-time (RT) electricity markets. Finally, we propose an unsupervised deep learning-based mechanism to detect CMAs by monitoring the parameters involved in EV charging. We extensively analyze the attack impact and the efficiency of the proposed detection on real-world EV charging datasets. The results highlight the vulnerabilities of smart charging operations and the need for a monitoring mechanism to detect malicious CMAs.

    Leveraging Conventional Internet Routing Protocol Behavior to Defeat DDoS and Adverse Networking Conditions

    The Internet is a cornerstone of modern society. Yet increasingly devastating attacks against the Internet threaten to undermine the Internet's success at connecting the unconnected. Of all the adversarial campaigns waged against the Internet and the organizations that rely on it, distributed denial of service, or DDoS, tops the list of the most volatile attacks. In recent years, DDoS attacks have been responsible for large swaths of the Internet blacking out, while other attacks have completely overwhelmed key Internet services and websites. Core to the Internet's functionality is the way in which traffic on the Internet gets from one destination to another. The set of rules, or protocol, that defines the way traffic travels the Internet is known as the Border Gateway Protocol, or BGP, the de facto routing protocol on the Internet. Advanced adversaries often target the most used portions of the Internet by flooding the routes benign traffic takes with malicious traffic designed to cause widespread traffic loss to targeted end users and regions. This dissertation focuses on examining the following thesis statement: rather than seek to redefine the way the Internet works to combat advanced DDoS attacks, we can leverage conventional Internet routing behavior to mitigate modern distributed denial of service attacks. The research in this work breaks down into a single arc with three independent but connected thrusts, which demonstrate that the aforementioned thesis is possible, practical, and useful. The first thrust demonstrates that this thesis is possible by building and evaluating Nyx, a system that can protect Internet networks from DDoS using BGP, without an Internet redesign and without cooperation from other networks. This work reveals that Nyx is effective in simulation for protecting Internet networks and end users from the impact of devastating DDoS. The second thrust examines the real-world practicality of Nyx, as well as of other systems which rely on real-world BGP behavior. Through a comprehensive set of real-world Internet routing experiments, this second thrust confirms that Nyx works effectively in practice beyond simulation, while also revealing novel insights about the effectiveness of other Internet security defensive and offensive systems. We then follow these experiments by re-evaluating Nyx under the real-world routing constraints we discovered. The third thrust explores the usefulness of Nyx for mitigating DDoS against a crucial industry sector, power generation, by exposing the latent vulnerability of the U.S. power grid to DDoS and showing how a system such as Nyx can protect electric power utilities. This final thrust finds that the current set of exposed U.S. power facilities is widely vulnerable to DDoS that could induce blackouts, and that Nyx can be leveraged to reduce the impact of these targeted DDoS attacks.

    Ethical Hacking for IoT Security: A First Look into Bug Bounty Programs and Responsible Disclosure

    The security of the Internet of Things (IoT) has attracted much attention due to the growing number of IoT-oriented security incidents. IoT hardware and software security vulnerabilities are being exploited, affecting many companies and individuals. Since the causes of vulnerabilities go beyond purely technical measures, there is a pressing demand to demystify the IoT "security complex" and develop practical guidelines for companies, consumers, and regulators. In this paper, we present an initial study targeting an unexplored sphere in IoT by illuminating the potential of crowdsourced ethical hacking approaches for enhancing IoT vulnerability management. We focus on Bug Bounty Programs (BBP) and Responsible Disclosure (RD), which stimulate hackers to report vulnerabilities in exchange for monetary rewards. We carried out a qualitative investigation supported by a literature survey and expert interviews to explore how BBP and RD can facilitate the practice of identifying, classifying, prioritizing, remediating, and mitigating IoT vulnerabilities in an effective and cost-efficient manner. Besides deriving tangible guidelines for IoT stakeholders, our study also sheds light on a systematic integration path to combine BBP and RD with existing security practices (e.g., penetration testing) to further boost overall IoT security.
    Comment: Pre-print version for conference publication at ICTRS 201

    A methodology for the quantitative evaluation of attacks and mitigations in IoT systems

    PhD Thesis
    As we move towards a more distributed and unsupervised internet, namely through the Internet of Things (IoT), the avenues of attack multiply. To compound these issues, whilst attacks are developing, the current security of devices is much lower than for traditional systems. In this thesis I propose a new methodology for white box behaviour intrusion detection in constrained systems. I leverage the characteristics of these types of systems, namely their heterogeneity, distributed nature, and constrained capabilities, to devise a pipeline that, given a specification of an IoT scenario, can generate an actionable intrusion detection system to protect it. I identify key IoT scenarios for which more traditional black box approaches would not suffice, and devise means to bypass these limitations. The contributions include: 1) a survey of intrusion detection for IoT; 2) a modelling technique to observe interactions in IoT deployments; 3) a modelling approach that focuses on the observation of specific attacks on possible configurations of IoT devices. Combining these components, a specification of the system as per contribution 1 and an attack specification as per contribution 2, we can deploy a bespoke behaviour-based IDS for the specified system. This one-of-a-kind approach allows for the quick and efficient generation of attack detection from the onset, positioning this approach as particularly suitable to dynamic and constrained IoT environments.

    Investigating the Security of EV Charging Mobile Applications As an Attack Surface

    The adoption rate of EVs has witnessed a significant increase in recent years, driven by multiple factors, chief among which is the increased flexibility and ease of access to charging infrastructure. To improve user experience, increase system flexibility and commercialize the charging process, mobile applications have been incorporated into the EV charging ecosystem. EV charging mobile applications allow consumers to remotely trigger actions on charging stations and use functionalities such as starting/stopping charging sessions, paying for usage, and locating charging stations, to name a few. In this paper, we study the security posture of the EV charging ecosystem against remote attacks that exploit the insecurity of EV charging mobile applications as an attack surface. We leverage a combination of static and dynamic analysis techniques to analyze the security of widely used EV charging mobile applications. Our analysis of 31 widely used mobile applications and their interactions with various components such as the cloud management systems indicates a lack of user/vehicle verification and improper authorization for critical functions, which lead to remote (dis)charging session hijacking and Denial of Service (DoS) attacks against the EV charging station. Indeed, we discuss specific remote attack scenarios and their impact on EV users. More importantly, our analysis results demonstrate the feasibility of leveraging existing vulnerabilities across various EV charging mobile applications to perform wide-scale coordinated remote charging/discharging attacks against the connected critical infrastructure (e.g., the power grid), with significant undesired economic and operational implications. Finally, we propose countermeasures to secure the infrastructure and impede adversaries from performing reconnaissance and launching remote attacks using compromised accounts.

    Federated deep learning for botnet attack detection in IoT networks

    The wide adoption of Internet of Things (IoT) technology in various critical infrastructure sectors has attracted the attention of cyber attackers. They exploit vulnerabilities in IoT to form a network of compromised devices, known as a botnet, which is used to launch sophisticated cyber-attacks against the connected critical infrastructure. Recently, researchers have widely explored the potential of Machine Learning (ML) and Deep Learning (DL) to detect botnet attacks in IoT networks. However, there are still some challenges that need to be addressed in this area, which include the determination of optimal model hyperparameters, low classification performance due to imbalanced sample distribution in the training set, high memory space requirements for network traffic data storage, inability to detect zero-day attacks, and lack of data privacy. In order to address these problems, a Federated Deep Learning (FDL) method is developed for botnet attack detection in IoT-enabled critical infrastructure. First, a hyperparameter optimisation method is developed for DL-based botnet attack detection in IoT networks to achieve high classification performance. The effectiveness of the method is evaluated using the Bot-IoT and N-BaIoT datasets, and the DL models achieved 99.99 ± 0.02% accuracy, 97.85 ± 3.77% precision, 98.72 ± 2.77% recall, and 97.72 ± 4.51% F1 score. Then, an oversampling algorithm is combined with DL models to improve the classification performance when the training data is highly imbalanced, without any significant increase in the overall computation time. This method improved the precision, recall, and F1 score of the DL models by 1.66-13.23%. Furthermore, a hybrid DL method is developed to reduce the amount of memory space required to store the network traffic data. This method reduced the memory space requirement for DL-based botnet attack detection by 86.45-98.26%. Finally, an FDL method, which also employs the hyperparameter optimisation, class balance, and memory space reduction methods, is developed to detect zero-day botnet attacks in IoT edge nodes while preserving the data privacy of IoT users. The FDL models achieved high classification performance, with low communication overhead and low network latency.

    Defending Against IoT-Enabled DDoS Attacks at Critical Vantage Points on the Internet

    The number of Internet of Things (IoT) devices continues to grow every year. Unfortunately, with the rise of IoT devices, the Internet is also witnessing a rise in the number and scale of IoT-enabled distributed denial-of-service (DDoS) attacks. However, there is a lack of network-based solutions targeted directly at IoT networks to address the problem of IoT-enabled DDoS. Unlike most security approaches for IoT, which focus on hardening device security through hardware and/or software modification, which in many cases is infeasible, we introduce network-based approaches for addressing IoT-enabled DDoS attacks. We argue that in order to effectively defend the Internet against IoT-enabled DDoS attacks, it is necessary to consider network-wide defense at critical vantage points on the Internet. This dissertation is focused on three inherently connected and complementary components: (1) preventing IoT devices from being turned into DDoS bots by inspecting traffic towards IoT networks at an upstream ISP/IXP, (2) detecting DDoS traffic leaving an IoT network by inspecting traffic at its gateway, and (3) mitigating attacks as close as possible to the devices in an IoT network that originate the DDoS traffic. To this end, we present three security solutions to address the three aforementioned components and defend against IoT-enabled DDoS attacks.

    Security in the Internet of Things: from default configurations to denial of service

    Our research project studies various aspects of the security of connected objects (the IoT), and in particular their mass exploitation. In recent years we have seen a multiplication of denial-of-service attacks caused by botnets of connected objects. A botnet is a set of connected objects, servers or computers that are infected and remotely controlled by a malicious program. We therefore wanted to understand the mechanisms that allow attackers to infect hundreds of thousands of connected objects and then coordinate them to cause large denial-of-service attacks. To do so, we first studied connected objects in general, their main applications and their main security mechanisms. We analyzed in detail two of the communication protocols most widely used in the world of connected objects. We then focused on the objects that bridge the Internet and the local network of connected objects: it is these objects, directly connected to the Internet, that are massively exploited to form botnets. We studied various botnets in order to list and understand each of their features. The goals here are twofold: to create a taxonomy for botnets of connected objects and, in a second step, to try to understand the evolution of these botnets by studying the evolution of their features. We thus built a taxonomy of 46 taxa, each representing one feature. These taxa are grouped into several families based on the botnet life cycle. Our taxonomy contains 8 taxa specific to botnets of connected objects. Using this taxonomy, we were able to build a new representation of the evolution of these botnets. We drew feature propagation graphs that show when a feature appeared, which botnets implement it, and so on. Finally, to better understand why some features disappeared in favor of others, we hypothesized that the latter must be more effective (allowing a botnet to infect more objects in a shorter time). We assume that other factors may also play a role, such as the difficulty of implementing a feature. To test our main hypothesis, however, we developed an infection simulation model. This model is inspired by the epidemiological models used in medicine to model the spread of infectious diseases within populations. Instead of using a set of differential equations, however, we developed a Python program in the form of a turn-based game. This implementation abstracts away several parameters, such as time. With this model we were able to show the effectiveness of a random victim search method compared with a sequential one. This large gain in effectiveness explains why random scanning very quickly replaced sequential scanning. We believe this model can later be used to imagine new features, test them, and thus anticipate some of the features that will appear in botnets.