ORIGINAL ARTICLE
Cybersecurity Roadmap for Active Buildings
Ricardo M. Czekster^1 | Charles Morisset^1 | Aad van Moorsel^1 | John C. Mace^1 | Walter A. Bassage^2 | John A. Clark^2
^1 Newcastle University, 1 Science Square, Newcastle upon Tyne, NE1 7RU
^2 University of Sheffield, 211 Portobello, Sheffield, S1 4DP
Correspondence: Charles Morisset, Newcastle University. Email: charles.morisset@ncl.ac.uk
The technology integrated in modern smart infrastructures makes them vulnerable to malicious cyber attacks and misuse of information systems. Active Buildings (AB) are no exception. AB implement the vision of ‘buildings as power stations’, aiming for operational efficiency in generation, storage, release, and conservation of energy collaboratively among neighbouring smart buildings. However, adversaries may exploit cyber-physical vulnerabilities on the smart infrastructure to cause service interruptions or financial losses. For this reason, it is imperative to effectively respond and devise countermeasures to deter attacks. This work presents a roadmap to guide AB’s cybersecurity efforts, adapting existing mechanisms in enterprise information systems, Cyber-Physical Systems, Internet-of-Things, and Industrial Control Systems. We aim to help power and building managers to understand trade-offs to assess risk, model threats, deploy intrusion detection, or simulate the infrastructure. Our contribution also discusses open research questions with respect to cybersecurity, highlighting needed developments for hardening AB and thwarting attacks.
1 | INTRODUCTION
Strict cyber-physical security requirements in modern smart infrastructures [1] shield users and customers from adversaries committing malicious interventions. The Smart Grid (SG) [2, 3, 4] is a Cyber-Physical System (CPS) [5, 6] considered a critical infrastructure. The SG comprises buildings in residential, commercial, and industrial settings. Buildings are targets for performance improvements because they are the primary pollution drivers, responsible for 40% of global energy use according to the International Energy Agency (IEA)^1. The UK government’s ambition is to curtail carbon emissions by 80% by 2050 (relative to a 1990 baseline) according to the Future Energy Scenarios^2, thus urgent action is necessary.
Active Buildings (AB) [7] are a novel approach built on top of the SG, functioning as a grid-connected microgrid^3. They retain connectivity to the conventional infrastructure and are able to operate in islanded mode if required [8]. The idea is to extend functionality along three axes [9]: i) increased adoption of Renewable Energy Resources (RER) such as solar panels using photovoltaic (PV) technologies or Wind Turbine Power Converter Systems (WTPCS); ii) distributed Energy Storage Systems (ESS) such as static batteries attached to buildings or mobile ones in Electric Vehicles (EV); iii) Thermal Energy Storage Systems (TES) for balanced building thermodynamics within its envelope, energy storage, and comfort level adjustments while heating or cooling. This decentralised infrastructure operates in Low-Voltage Distribution Grids (LVDG), promoting decarbonisation, grid stability, and congregating customers that may produce and consume power as so-called prosumers [2, 10] that participate in dynamic energy markets. RER, ESS, and TES (among others) are considered key power-based assets referred to as Distributed Energy Resources (DER) [11] that are managed and controlled by a diversified number of systems and stakeholders.
AB aim to shift passive energy users towards active behaviour, enacting ‘buildings as power stations’ [12, 13]. In these contexts, bi-directional energy flows add stability, reliability, and trading capabilities across Peer-to-Peer (P2P) agents. They improve ancillary services such as frequency regulation and the management of power reserves for continuous energy provision [14]. AB operate on the edge of conventional grids as nearly Net Zero Energy Buildings (nZEB) [15, 16]. nZEB approximate energy generation to consumption over a fixed duration^4. The buildings in the P2P network trade the energy surplus in the market or with their neighbours and make operational decisions about planning and management.
AB encompass a plethora of sub-systems and devices, notably Internet-of-Things (IoT) capable of sensing and communicating data. They rely on the pervasive use of Information and Communication Technologies (ICT) and Information Systems (IS). These elements relay the operational status of power and telecommunication networks to an Operation Control Centre (OCC) that provides situational awareness, enacts timely response coordination, and makes planning decisions to address supply and demand prognostics.
In such highly connected and data-centric settings it is essential to provide trustworthiness, i.e. security, privacy, safety, reliability, and resilience^5 [17, 18, 6, 19] to withstand the harmful effects of cyber attacks or abnormal situations. Organisations usually require cybersecurity officers and managers to perform Risk Management^6 processes throughout the system’s life-cycle. One way is to employ a Risk Assessment (RA) methodology to map vulnerabilities and threats to compute risk and exposure level [20, 21, 22]. Organisations devise RA as an ongoing effort to increase the trustworthiness of their underlying systems and infrastructure. Over the years, authoritative bodies have defined standards, assessment methodologies, recommendations, and guidelines in the US and Europe [22]. For example, Ruland et al. [23] discussed security standards whereas Gritzalis et al. [24] addressed how to select suitable RA methodologies. In terms of NIST’s overview on cybersecurity and guidelines for RA we mention NISTIR 7628 [25] and most notably NIST.SP 800-30 [26]. The level of detail, effort, rigour, and quantitative/qualitative aspects to consider are left for the organisation to decide in line with its objectives.
^1 IEA publishes energy datasets to support secure and sustainable energy with global scope. Link (for buildings): https://www.iea.org/topics/buildings. All links here were accessed in January/2021.
^2 For the UK’s Future Energy Scenarios (2020 edition) please refer to the following link: https://www.nationalgrideso.com/future-energy/future-energy-scenarios/fes-2020-documents.
^3 According to NISTIR 7628 Rev. 1, a microgrid is “an implied hierarchy in availability and resilience eliminates potential peer-to-peer negotiations between microgrids. Its models suggest that availability starts in a local microgrid and that resilience is gained by aggregating and interconnecting those microgrids. They are intended to operate either as islands or interconnected; islands are key where critical operations need to be maintained.”.
^4 This definition is sanctioned by the European Commission on Directive 2010/31/EC, stating that “‘nearly zero-energy building’ means a building that has a very high energy performance, as determined in accordance with Annex I. The nearly zero or very low amount of energy required should be covered to a very significant extent by energy from renewable sources, including energy from renewable sources produced on-site or nearby;”.
^5 Resilience in the context of this work is the ability of a system to remain in operation and continue to service in the presence of incidents or events that attempt to disrupt or shut down assets.
^6 The US National Institute of Standards and Technology (NIST) has published a wealth of standards for cybersecurity and Risk Management, including a comprehensive framework to help managers. Link: https://csrc.nist.gov/projects/risk-management/.
We present here a roadmap for tackling cyber-physical security in AB. Our aim is to focus on RA, security metrics,
intrusion detection, threat modelling, and simulation. The audience are cybersecurity officers and building managers
overviewing the vulnerability and threat landscape posed by AB. In terms of RA, we describe major methodologies
from accredited institutions and complement the research with established cybersecurity risk factors behind AB’s
designs. The novelty of our approach concerns infrastructures with active energy agents under coupled power and
telecommunications networks. These architectures have sizeable DER attached in LVDG, so one must observe the
cyber-physical security implications and the potential attack surface. Our work points out the overlap of AB with usual
SG designs with respect to cybersecurity as we survey related mechanisms and technologies to address effective RA.
The chapter is organised as follows. Section 2 describes Active Buildings and Section 3 details cyber-physical
security of SG and CPS discussing its application to AB. Section 4 presents a research roadmap and suggestions to tackle
cybersecurity across AB domains and Section 5 concludes the work with our final considerations. Figure 1 serves as a
visual guide to readers outlining the topics covered in our chapter.
FIGURE 1 Overview of topics covered by this work.
2 | ACTIVE BUILDINGS
Electrical Power Grids (EPG) are responsible for delivering high quality energy to consumers in power Generation, Transmission, and Distribution (GT&D). AB are “buildings to sustain a country’s energy infrastructure” [13] on top of EPG. They operate in a grid-connected microgrid handling bi-directional energy flows with respect to conservation, generation, storage, and release of power. AB contrast with traditional (centralised) approaches in GT&D by presenting a decentralised infrastructure operating in smaller contexts for increased control.
The core idea behind AB is flexibility [13, 9]. It shifts from passive energy consumers to active entities that efficiently respond to supply and demand for optimal grid stability. As millions of potential energy subscribers attach their RER into the infrastructure, buildings may act as agents for managing resilience while reducing dependence on high-pollutant conventional power generators. As a direct consequence, the carbon footprint generated by buildings diminishes considerably and cascades across national and international boundaries^7.
Energy operators achieve frequency regulation [18] in the grid by employing a number of strategies, namely i) toggling electricity in power plants; ii) shaping user behaviours thus curtailing electricity through pricing incentives; iii) importing or exporting electricity with close geographical neighbours; iv) employing load shedding mechanisms, i.e. partially disconnecting a region from the grid; and v) increasing electricity storage capacity with batteries (static or EV) [27]. Figure 2 depicts the major components of AB, i.e., CPS and IoT, ICS [28], and SCADA, where IS aggregate data from different sources for timely decision making [6].
[Figure 2: block diagram of the Smart Grid (SG) with CPS (sensing, computing, communication, actuation, feedback), IoT, Data and Information Systems, Industrial Control Systems (ICS), SCADA, other domains (healthcare, transportation), DER (ESS static and mobile/EV, PG, management systems), the nZEB goals conserve, generate, store and release (“Buildings as Power Stations”), market, prosumers, and energy providers.]
FIGURE 2 Architectural overview of AB and CPS.
AB attach and manage DER across locations where installed ESS capacity helps tackle renewable energy intermittency to provide ‘around the clock’ electricity to customers [29]. They leverage power release and storage employing optimisation strategies that consider season, weather forecasts, time of the day, and energy profiles. AB interface with the energy market in bidding and committing energy contracts. Ubiquitous telecommunication guarantees near real-time state estimation for control and response, while cybersecurity measures in place have the potential to isolate the effects of incidents and avoid propagation.
The major stakeholders of AB are i) building managers: people working in OCC assess data provided by Building Management Systems (BMS), Building Energy Management Systems (BEMS), Advanced Metering Infrastructure (AMI) [2] specialists, and SCADA operators; ii) decision makers and procurement officers acquiring power equipment or supporting ICT systems, and compliance officers overseeing regulations dictated by the ESO; iii) security officers addressing conformance in safety and security, accountability and digital forensics, privacy protections, Network Intrusion Detection Systems (NIDS) and network administrators; iv) incident response teams in attack remediation; and v) aggregators, energy suppliers in wholesale and retail, prosumers, and application developers implementing solutions on top of the infrastructure.
^7 The UK’s National Grid Electricity System Operator (ESO) has published a document entitled Operability Strategy Report 2021 in December/2020 with comments on existing frequency response services, voltage requirements, and grid stability. Link: https://www.nationalgrideso.com/research-publications/system-operability-framework-sof.
Figure 3 shows a schematic for AB where the power and telecommunication networks are distinct, and power may be dispatched or aggregated by the set of DER.
[Figure 3: ten Active Buildings (AB#1 to AB#10: industry, hospital, large commercial building, school, business, wind farm, SCADA) linked to bulk power by bi-directional power lines and to one another by telecommunication lines.]
FIGURE 3 AB schematic for power and telecommunication, components, and systems.
The AB’s infrastructure is not immune against malicious incursions. We detail next a few notable cybersecurity concerns [17, 18, 30] and NIST 7628 recommendations [25] particular to IS and cybersecurity requirements for the SG.
• Business proposition: trading energy, procurement (suppliers), generation, and consumption, impacting market fairness.
• Data and communication: invalid readings/measurements from devices. Adversaries may corrupt or delay data traversing the telecommunication network, jam exchanges, or insert spurious packets.
• Components and IS: attackers inputting corrupted data in CPS, IoT, SCADA elements, BMS/BEMS.
• Optimality: the AB environment is supported by several systems, so attacks aiming at the control algorithms executing on top of the infrastructure may cause critical responses to be wrongly assigned with catastrophic consequences.
• Synchronised incursions: attackers may install malicious firmware in high-wattage devices in attempts to imbalance frequency through synchronised actions, i.e. simultaneously turning on or off (refer to Section 3.1).
• Legacy systems: retrofitting buildings may increase vulnerabilities and pose new threats as customers attach DER or smart appliances. They may disregard basic cybersecurity measures (e.g. plugging in unsigned devices), be lax in systems maintenance (patching, updates), inadvertently install malicious firmware, or become recipients of phishing attacks [17].
Other sources of concern are Advanced Persistent Threats (APT) [31, 32] and Load Redistribution Attacks (LRA) [33], whose sources are hard to track and pinpoint, often requiring long duration tracking and historic datasets. APT have devastating consequences to EPG [31, 34], as attackers may patiently gather data on grid responses in long term surveillance and hostile reconnaissance. They are more destructive than usual attacks as they may involve large organisations or state sponsored agents exploiting back-doors in CPS or other vulnerable assets [35]. Honeypots and continuous auditing are known countermeasures that may identify and contain APT.
2.1 | Attack surface
AB bring together energy and ICT infrastructure connecting and upgrading Smart Buildings (SB) to co-exist in an
active P2P environment. SB are a data-centric approach where cyber-physical structures are intertwined with sensing
capabilities, intelligent systems, and feedback loops. They allow for the remote management of assets ensuring
inhabitants’ comfort considering thermodynamics and automatically adapting to weather conditions and luminosity,
among other features.
Under AB, one must distinguish security as the set of contingencies in place in the event of faults from cybersecurity incidents on the system’s vulnerabilities and threats. Standardisation institutes such as the North American Electric Reliability Corporation (NERC) in the USA and the European Programme for Critical Infrastructure Protection (EPCIP) defined security measures and contingencies for power systems. For example, EPG are designed to sustain the N-1 single contingency criterion^8 to meet reliability constraints (there are other contingencies to address, out of the scope of this work). This means that the system tolerates a single failure and remains operating.
The AB infrastructure must withstand cybersecurity incidents by implementing and enforcing security requirements [25]. Adversaries^9 target cyber-physical elements, exploiting vulnerabilities. The reasons behind attacks are usually related to competitive advantage, industrial espionage (or state sponsored agents), energy theft (monetary incentives or ransomware), technical challenge, or terrorism. Adversaries attempt to destabilise operation, cause components to fail, exploit vulnerabilities, increase downtime, or impair communications [6].
AB present a large attack surface for adversaries due to the sheer size of their infrastructure, as shown in Figure 4. Telecommunication is pervasive across AB and attackers attempt to maliciously influence major AB objectives on power conservation, generation, storage, release, or a combined approach for greater damage. The peers interface with the energy market, so adversaries have financial incentives (or other motives) as they try to artificially alter electricity prices.
2.2 | Interfacing with the transactive energy market
The AB are connected to the energy market as prices fluctuate according to supply and demand. Transactive Energy (TE) aims to coordinate DER to react to energy prices and system conditions that could be used in frequency regulation [36]. The idea is to use the market to shape demand through dynamic pricing mechanisms. The ESO interacts with the systems using middleware capabilities offered by a layer known as the Virtual Power Plant (VPP) to communicate with deployed field devices.
^8 Please refer to NERC Standard 51 – Transmission System Adequacy and Security (2005). Link: http://www.nerc.com.
^9 The ‘adversary’ or ‘attacker’ definition in use here is based on the Categories of Adversaries to IS described in NISTIR 7628r1: careless/poorly trained employees, malicious customers, insiders, organised crime, nation states, disgruntled employees, terrorists, script kiddies, hacktivists, black/white hat hackers.
[Figure 4: diagram of the AB attack surface: stakeholders (ESO/ISO/RTO/DSO-DNO/TSO, aggregators, administrators, managers) and the sensing infrastructure (HW, SW) around the ‘Buildings as power stations’ objectives (conserve, generate, control, store, release, trade excess, ancillary services, thermodynamics, comfort); DER (static and mobile batteries, rechargeable batteries, electric vehicles, solar panels, wind turbines, other DER, smart appliances); management systems (AMI, BMS, BEMS, SCADA); market (dynamic pricing, prosumers); operational phases (continuous monitoring, executing, retrofitting, updating); and the cybersecurity responses to malicious attacks or security incidents: Risk Assessment, Threat Modelling, Intrusion Detection, Modelling & Simulation, High-Level Security Requirements, and Metrics, spanning the Smart Grid, ICT, data and energy critical infrastructure.]
FIGURE 4 Attack surface of AB and cybersecurity.
The VPP also coordinates interactions with Distribution System Operators (DSO), Transmission System Operators (TSO), Independent System Operators (ISO), and Regional Transmission Operators (RTO) when submitting energy bids and commitments [37]. The VPP triggers actions to access DER scattered across locations, turning buildings into actual power plants [38]. From a cybersecurity perspective, the VPP is a high-valued target due to the amount of IS it encompasses as well as its responsibility to command DER in a timely manner.
Figure 5 shows a typical OCC for AB serving as an interface for the market and energy operators as well as the VPP coordinating DER [39, 40]. The OCC for AB monitors the infrastructure and coordinates responses in the event of failures.
This architecture is flexible enough to accommodate changes as the stakeholders see fit to mitigate attacks, prevent vulnerabilities, and harden the infrastructure against attacks. The VPP is fed by IS installed within the AB’s infrastructure. Energy operators keep nominal frequency around 50Hz (the UK’s National ESO admits a 1% variation) to avoid disconnecting parts of the grid, which is used as a last resort. Control systems in EPG perform Load Frequency Control (LFC), responsible for maintaining the load over generation ratio in the power grid [18]. The cybersecurity modules in the VPP update their systems with recent vulnerabilities and weather forecasts. SCADA devices are responsible for providing data from devices deployed away from the OCC [28]. Phasor Management Units (PMU) monitor frequency whereas Remote Terminal Units (RTU) relay data in the network to Master Terminal Units (MTU).
[Figure 5: the AB OCC and its VPP sit between the Energy Operators (bulk power, energy price updates, commitments/bids, primary reserves for the short term, secondary and tertiary reserves for the medium/long term, ancillary services) and DER#1 to DER#n (loads, microgrid management systems, AMI, MTU, RTU, PMU, NIDS); weather forecasts and security updates feed the VPP; aggregation is upstream communication and dispatch is downstream communication.]
FIGURE 5 OCC for AB managing power loads with the VPP across DER and energy operators in a grid-connected microgrid.
3 | CYBER-PHYSICAL SECURITY
Cyber-physical security encompasses a wealth of techniques to protect systems and customers. Next, we discuss an
overview of cybersecurity in the SG, RA, intrusion detection, threat modelling, security metrics, and co-simulation of
incidents in AB.
3.1 | Overview of Smart Grid cybersecurity
We present here a cybersecurity overview and list related work on CPS and ICS [28] that could be borrowed for adaptation and application in AB. Authors compartmentalise the complex infrastructure of the SG and focus effort on more manageable parts, e.g., CPS, IoT, smart homes, IS, and synchronised attacks.
Usual attacks perpetrated at network components in EPG are Man-in-The-Middle (MiTM), Denial-of-Service (DoS or its distributed variation – DDoS), eavesdropping, jamming, spoofing, and packet flooding, to mention a few [18, 34]. Another class of malicious events are called zero-day attacks, where adversaries may choose targets not yet patched due to some recently discovered security vulnerability, which may compromise resources and quickly propagate across the network. Radhakrishnan et al. [41] compiled a list of zero-day and malware incursions over past years, discussing detection and mitigation.
In the recent past, security breaches targeting energy have caused major disruption and blackouts. Attacks targeting energy infrastructure caused severe financial losses and even physical damage to components. One example is the Stuxnet worm that attacked SCADA systems in late 2015, significantly interrupting the progress of the Iranian nuclear program [42, 43]. Another malicious incursion with massive proportions was the attack at the Ukrainian power grid that blacked out large portions of the infrastructure with interruptions that lasted for months. Examples include Duqu, Red October, Dragonfly 2.0 and Black Energy [44, 35].
SG has a broad scope so we will focus on CPS, IoT, data, and smart homes.
CPS: We highlight the work of Humayed et al. [6] that discussed security of CPS with examples in ICS, SG, healthcare, and EV. For each CPS it breaks down the cyber and the physical part showing the propensity of attacks by each component, discussing major threats and listing vulnerabilities. It concludes the work by presenting real-world attacks with targets, impacts, preconditions with mitigation strategies, and methods used by adversaries.
He and Yan [18] commented on attacks and defences in the SG, listing vulnerabilities and security issues in energy generation and transmission. The work has focused on electrical issues arising in the SG, describing energy management systems in detail, LRA, and switching attacks in the market, and on PMU. For defence, it listed countermeasures such as protection, detection, and coordinated mitigation. Ashibani and Mahmoud [45] explained the differences between CPS and IoT as well as shared characteristics. They have also addressed security in three layers common in CPS, namely i) perception layer; ii) transmission layer; and iii) application layer. For the most common types of attacks they related security with countermeasures for combating malicious events.
IoT security: IoT research, protocols, technologies, privacy, safety, and security are the topic of many surveys and literature reviews with a significant increase in recent years [46, 47, 48] across CPS (transportation systems, smart cities, SG, ICS, and SB). Emmanuel and Rayudu [49] addressed communication issues aligned with the IEEE Guide for SG Interoperability and NIST standards, commenting on protocols for media access and governing issues.
Lin et al. [50] discussed the integration of IoT in edge/fog computing and its relationship with CPS. Also, they presented the enabling technologies behind IoT to realise a truthful cyber-physical world with opportunities for stakeholders to address cybersecurity, privacy, resilience, and research challenges. Gunduz and Das [35] surveyed cybersecurity in SG’s IoT. The authors evaluated cyber-attacks in the communication layer and explained defence strategies. They listed a wealth of research on attacks directed at SG and detailed threats and countermeasures.
Smart Homes: Heartfield et al. [51] discussed attack vectors using IoT technologies in smart homes, major CPS threats, and impact. Other security aspects are of interest in smart homes, such as the discussion in Lin and Bergmann [52] that tackled privacy of IoT and compared enabling technologies.
Data: Authors described how to deal with False Data Injection (FDI) attacks [53, 54, 55] to prevent storing data with outliers or skewed measurements [56]. For mitigation, alternatives are Deep Learning [57] or Kalman filters [58]. Paté-Cornell et al. [59] presented a risk analysis using statistical data for quantitative assessments in critical infrastructures. They discussed three case studies: i) a Bayesian Network for high impact attack scenarios; ii) risk analysis of connectivity; and iii) software upgrade decisions to thwart attacks, countermeasures, and anticipation when dealing with malicious events.
Synchronised attacks in the SG: Attackers may compromise low security or outdated software of smart appliances attached to high-wattage devices and promote synchronised attacks. Adversaries choose the most susceptible scheduling (e.g. peak hours) to switch on or off a massive number of heating/cooling units, water heaters, or pumps simultaneously. They try to imbalance frequency as systems will not be able to cope with the extra energy load at such short notice. Examples covered in the literature include BlackIoT [60], Load Changing Attack (LCA) [61, 62], Manipulation of Demand (MAD) [63], flash attacks [64], or switching attacks [18]. Arnaboldi et al. [65] used Markov Chains to model LCA and investigate an appropriate mix of power generation units. Grid-connected microgrids are susceptible to LCA as they could imbalance frequency; however, Huang et al. [66] discussed that current contingencies may in fact thwart attacks.
Surveys in security: A wealth of surveys was published over the years. We highlight Giraldo et al. [19] tackling privacy issues and a survey based on a control perspective for attack detection in ICS [30]. There were also surveys combining the strengths of SG and smart homes’ cybersecurity [67] and a comprehensive review on NIDS research in CPS [68].
3.2 | Risk assessments
This topic has been discussed over the years as standards, methodologies, frameworks, and tools emerged. Next, we present related work on RA for these dimensions.
Standards: Over the years, analysts, managers, and researchers have placed security as a significant and crucial aspect of future EPG. They have defined a significant number of standards to help stakeholders conduct RA in organisations tailoring their approach according to the objective. Leszczyna [22] surveyed standards and discussed their relationships, advantages, and drawbacks, highlighting 35 relevant publications over standards and guidelines published by NIST, ISO/IEC, and NERC.
RA methodologies: Gritzalis et al. [24] selected popular frameworks such as Expression des Besoins et Identification des Objectifs de Sécurité (EBIOS), MEthod for Harmonized Analysis of RIsk (MEHARI), Operationally Critical Threat and Vulnerability Evaluation (OCTAVE), IT-Grundschutz, Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información (MAGERIT), Central Computing and Telecommunications Agency Risk Analysis and Management Method (CRAMM), Harmonized Threat Risk Assessment (HTRA), NIST.SP 800, RiskSafe, and CORAS for a numerical comparative analysis using multi-criteria decision methods. Out of those, EBIOS, MEHARI, HTRA, NIST.SP 800-30, and CORAS are free whereas other methodologies demand a fixed or variable fee.
The authors employed risk calculation classes, e.g., high-level formulas to address quantitative indices according to a methodology or standard, following previous work by Zambon et al. [69]. For instance, the operator defines a combination between two factors, as shown in Table 1.
TABLE 1 Risk classes and risk calculation formulas according to cybersecurity characteristics.
Class   Risk calculation
A       Risk( , ) = Likelihood( ) Vulnerability( , ) Impact( , )
B       Risk( , , ) = Vulnerability( , ) Impact( , )
C       Risk( , ) = Annual Loss Expectancy( , ) = Likelihood( , ) Average Loss( , )
D       Risk( , Critical ) = Vulnerability(Critical ) Impact( , Critical )
E       Risk( , ) = Likelihood( ) Consequences( , )
Where   is Threat,   is Asset,   is Requirement,   is Incident.
Class A uses threats and assets over likelihood, vulnerability, and impact whereas Class B adds security requirements to the formula. Class C adds costs and losses, and Class D considers only critical assets. Class E includes incidents in the infrastructure and their consequences. For the authors, MEHARI, MAGERIT, CRAMM, HTRA, NIST SP800, and RiskSafe are Class A whereas EBIOS is Class B, OCTAVE is Class D, and IT-Grundschutz is Class E.
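The following is a worked example added to this page, not code from the paper, from Gritzalis et al. or from Zambon et al. It evaluates the Table 1 risk classes A, C and D over a constructed Active Building register of two threats and two assets, so that a reader can see how the choice of class changes the resulting ranking. Two assumptions are made that the page does not state: the factors in each formula are combined by multiplication, and in Class C the Likelihood(T, A) factor is an annual rate of occurrence while Average Loss is a monetary value per incident (Annual Loss Expectancy as rate times loss). Classes B and E follow the same pattern with a requirement or an incident as the extra key. All threat names, asset names and scores are constructed sample values.

```python
"""Table 1 risk classes A, C and D on a constructed AB register (added example).
Assumptions: factors multiply; Class C likelihood is an annual rate and
average loss is GBP per incident. All values below are constructed samples."""

THREATS = ("false data injection", "firmware tampering")
ASSETS = ("smart meter", "VPP controller")
CRITICAL_ASSETS = {"VPP controller"}  # Class D scores these assets only

# Class A factors: Likelihood(T), Vulnerability(T, A), Impact(T, A), all in [0, 1].
LIKELIHOOD = {"false data injection": 0.5, "firmware tampering": 0.3}
VULNERABILITY = {
    ("false data injection", "smart meter"): 0.6,
    ("false data injection", "VPP controller"): 0.4,
    ("firmware tampering", "smart meter"): 0.7,
    ("firmware tampering", "VPP controller"): 0.2,
}
IMPACT = {
    ("false data injection", "smart meter"): 0.3,
    ("false data injection", "VPP controller"): 0.9,
    ("firmware tampering", "smart meter"): 0.5,
    ("firmware tampering", "VPP controller"): 1.0,
}

# Class C factors: annual rate of occurrence and average loss (GBP) per (T, A).
ANNUAL_RATE = {
    ("false data injection", "smart meter"): 0.5,
    ("false data injection", "VPP controller"): 0.2,
    ("firmware tampering", "smart meter"): 0.3,
    ("firmware tampering", "VPP controller"): 0.1,
}
AVERAGE_LOSS = {
    ("false data injection", "smart meter"): 2_000,
    ("false data injection", "VPP controller"): 50_000,
    ("firmware tampering", "smart meter"): 5_000,
    ("firmware tampering", "VPP controller"): 200_000,
}

# Class D factor: Vulnerability(Critical A), keyed by the critical asset alone.
ASSET_VULNERABILITY = {"VPP controller": 0.4}


def risk_class_a(threat, asset):
    """Class A: Risk(T, A) = Likelihood(T) x Vulnerability(T, A) x Impact(T, A)."""
    return LIKELIHOOD[threat] * VULNERABILITY[(threat, asset)] * IMPACT[(threat, asset)]


def risk_class_c(threat, asset):
    """Class C: Risk(T, A) = ALE(T, A) = Likelihood(T, A) x Average Loss(T, A), GBP/year."""
    return ANNUAL_RATE[(threat, asset)] * AVERAGE_LOSS[(threat, asset)]


def risk_class_d(threat, asset):
    """Class D: Risk(T, Critical A) = Vulnerability(Critical A) x Impact(T, Critical A).
    Non-critical assets are outside the class and receive no score (None)."""
    if asset not in CRITICAL_ASSETS:
        return None
    return ASSET_VULNERABILITY[asset] * IMPACT[(threat, asset)]


def ranking(risk_fn):
    """Score every (threat, asset) pair with risk_fn and order highest risk first,
    dropping the pairs the class does not score."""
    scored = [(t, a, risk_fn(t, a)) for t in THREATS for a in ASSETS]
    scored = [(t, a, round(r, 6)) for t, a, r in scored if r is not None]
    return sorted(scored, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for name, fn in (("A", risk_class_a), ("C", risk_class_c), ("D", risk_class_d)):
        print(f"Class {name}:")
        for threat, asset, risk in ranking(fn):
            print(f"  {threat:22s} -> {asset:15s} {risk}")
```

With these sample values Class A ranks false data injection against the VPP controller first, while Class C, which weighs the monetary loss per incident, moves firmware tampering of the VPP controller to the top and Class D drops the smart meter altogether. This is the practical consequence of the paragraph above: the class a methodology uses decides which threat and asset pairs a building manager is told to treat first.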
Information Security Risk Assessment (ISRA) deals with threats, vulnerabilities, and risks associated with IS. Throughout the years several approaches emerged for organisations [70, 71, 21], such as NIST.SP 800-30, ISO/IEC 27005, CRAMM, Facilitated Risk Assessment Process (FRAP), Consultative, Objective and Bi-functional Risk Analysis (COBRA), CORAS, Microsoft’s Risk Assessment model, and OCTAVE/OCTAVE Allegro.
The European Network and Information Security Agency (ENISA) has compiled an inventory of risk assessment tools^10. The inventory has 12 tools (January/2021) with 22 attributes describing major characteristics and templates. More specifically to NIST 7628, Abercrombie et al. [20] have proposed an RA for the SG.
^10 Link: https://www.enisa.europa.eu/topics/threat-risk-management.
Dependability issues: Chemweno et al. [
72
] relating dependability modelling using Failure Mode and Effect Analysis,
Fault Tree Analysis, Stochastic Petri Nets, Bayesian Networks, and Monte Carlo methods. Nagaraju et al. [
73
] discussed
benefits and limitations in risk based modelling using fault and attack trees.
RA in CPS/IoT: Cherdantseva et al. [74] discussed SCADA in a literature review. They divided case studies into formula-based and model-based approaches. For risks in the SG, the Security for Smart Electricity Grids (SEGRID) initiative, part of the European Community research effort, aims to increase protection against attacks. A framework emerged from comparing pre-existing methodologies and became the SEGRID Risk Management Methodology (SRMM) [75]. SRMM is based on the European Telecommunications Standards Institute’s (ETSI’s) Threat Vulnerability and Risk Analysis (TVRA) method. Teixeira et al. [76] discussed networked control systems in coupled systems using NIST’s Risk Management Framework, whereas Mace et al. [77] investigated a real-world case study performing an RA in a SB, detailing challenges and lessons learned.
With respect to RA in IoT, Nurse et al. [78] discussed emerging issues such as connectivity and pervasiveness of devices. Radanliev et al. [79] studied the economic impact of risks using different approaches, and Casola et al. [80] investigated automated threat assessment and risk modelling.
3.3 | Security metrics
The approaches in Table 1 do not quantify the actual security of a building. For building designers this is usually unsatisfactory, since they need to determine whether the security techniques considered are sufficient, or they need to trade off cybersecurity against other system properties, such as reliability and performance. In this section we review a few security metrics proposed in the literature.
A key metrics-based tool for computer systems security professionals is the Common Vulnerability Scoring System (CVSS) [81], in conjunction with the US National Vulnerability Database (NVD)¹¹. The NVD keeps track of all known vulnerabilities, reported by industry and individuals, and scores each of the vulnerabilities using CVSS. Such scoring is important for practitioners, since the numeric score provides an immediate appreciation of the severity and potential impact of the vulnerability. In cooperation with NIST and the NVD, the MITRE Corporation maintains the Common Vulnerabilities and Exposures (CVE) database¹².
Cybersecurity practitioners use the periodic list of ‘top’ vulnerabilities to guide their activities, allowing them to prioritise the most urgent threats according to the CVSS scores. Details of CVSS can be found in the standard, now at version 3.1¹³, but the main thrust is that scores are derived from expert opinions about elements such as the complexity of exploiting the vulnerability or the impact it may have on confidentiality. Vulnerabilities with higher scores are of more immediate concern to the cybersecurity team that manages IS, for instance in SB.
A quite different approach, also of practical importance, is that of scoring the cybersecurity activities carried out. In so doing, one scores how well protected the ICT system is. For instance, in a SB, one can count the percentage of devices for which firmware or software has been updated in the last month. The NIST Performance Measurement Guide for Information Security¹⁴ provides a useful introduction to such approaches, albeit not tailored to SB. As the authors point out, such performance quantification is particularly useful if one can integrate it with risk management. However, establishing this relation between security activities and their impact on risk is usually far from straightforward and requires further research.
¹¹National Vulnerability Database. Link: https://nvd.nist.gov/.
¹²Common Vulnerabilities and Exposures. Link: https://cve.mitre.org/.
¹³CVSS v3.1: Specification Document. Link: https://www.first.org/cvss/specification-document.
¹⁴NIST.SP 800-55r1, 2008. Link: https://csrc.nist.gov/publications/detail/sp/800-55/rev-1/final.
Thus far, the security metrics in this section provide a static measure of the state of security, either by considering the vulnerabilities that are present or the mediation actions that have been taken. This emphasis on static metrics implies that there is still a gap in identifying measures that can support decision making related to the dynamics of the system, e.g., to make technology trade-offs between security and system efficiency or between security and reliability.
To alleviate this shortcoming, researchers have proposed metric frameworks to incorporate security considerations in the design of networked IS, such as those for SB. In particular, Ramos et al. [82] provide an extensive and exhaustive survey and discussion of metrics that consider security within dynamic systems, including the notion of Quality of Protection. Metrics such as Quality of Protection typically assume model-based assessment approaches, executed in the design phases, to configure and dimension ICT systems. In Nicol et al. [83] as well as in Ramos et al. [82] a survey of modelling techniques is provided, both with and without representation of time. Security breaches and incidents are represented in the model as system artefacts, similar to software failures and system malfunctions [84]. In so doing, the impact of security on traditional performance and dependability metrics can be assessed.
In conclusion, there is no ‘silver bullet’ in terms of a metric that meaningfully captures system security for all situations. Instead, the literature either proposes static metrics that quantify the level of vulnerability or of mediating actions, or refers back to traditional performance and dependability metrics. In the latter case, security techniques as well as attack patterns are represented within the model, not in the metric. Clearly, significant research challenges remain in connecting up the various approaches, for instance relating vulnerability metrics with SB risk management equations, and security management investments in buildings with their impact on the system’s combined Quality of Service and Quality of Protection.
3.4 | Intrusion detection
With the rapidly growing market for IoT devices and the significant advancements in CPS, we have found that NIDS have been playing a major role in cybersecurity solutions [85, 68]. They are designed to safeguard computer systems from a diverse range of malicious activities and attacks.
NIDS’ designs are divided into three classifications: i) Anomaly-Based [86], ii) Signature-Based Systems [87], and iii) NIDS [88]. One of the main issues is detecting new or known threats that have been slightly modified, and how they have an altered effect on network traffic. For example, Shenfield et al. [89] used Artificial Intelligence (AI) algorithms trained to detect malicious network traffic with the use of artificial neural networks in deep packet inspection.
Research focuses primarily on comparing NIDS rather than on evaluation methods that identify the advantages and disadvantages of a methodology and whether or not it meets requirements. Next, we present a list of evaluation criteria to measure NIDS performance and identify open research questions.
Identification of threats: IoT and CPS environments encompass a range of devices and sensors connected in a wide range of networks. There is a challenge in how to account for all types of intrusions, bringing into focus a hybrid NIDS covering both network and devices. Reporting every threat detected is impractical, and it would be advisable to conduct classification rankings. For instance, Snort¹⁵ [90] uses a grading system from 1 to 10, with 1 ranking as a low interest threat that needs no intervention and can be dealt with by the NIDS, whereas 10 represents a major threat requiring user intervention.
Scalability and Adaptability: As infrastructures scale over time, so does the amount of control and monitoring needed to keep NIDS updated with new occurrences. That is the main reason why a NIDS should be able to adapt to changing attack strategies and to scale over time to meet the additional devices and networks. This would include working across multiple NIDS pertaining to a wide range of sub-systems, as well as being able to combine reports for decision making and traceability efforts. Ensuring that the NIDS is capable of adaptability can prove useful when having to adapt to additional components or changes in the environment, allowing it to be customised to meet new requirements or to carry a stricter level of security on networks.
¹⁵Snort – Network Intrusion Detection and Prevention System. Link: https://www.snort.org/.
Known vulnerabilities: It is the core responsibility and purpose of a NIDS to prevent known exploits and vulnerabilities. Unfortunately, recent research has highlighted that many commercial NIDS fail to meet this responsibility, the given reason being the failure to swiftly update systems with recent vulnerabilities as and when they are discovered [91]. As discussed in Section 3.3, some of these vulnerabilities are well known to the security community. The cybersecurity module in the VPP must constantly update the NIDS to ensure that periodic reviews are conducted on recent and past exploits. One example is the zero-day attack, where adversaries exploit recently discovered vulnerabilities to trigger attacks before administrators have the chance to update their systems.
Dynamic signature updating: A NIDS is highly dependent on its ability to detect signatures to identify intrusions. However, they are not always able to efficiently detect the most recently developed intrusions, or in fact even slightly modified ones [92]. For a NIDS to be effective, one will need to address the capability by which the system can be updated with recent signatures as and when administrators discover new exploits and vulnerabilities.
Third Party support: Understanding the support one can receive from third parties and vendors can prove useful when
developing a NIDS. In addition, it may highlight areas in which the system does not meet pre-approved standards of
threat detection.
The AB environment poses several research opportunities on NIDS adaptation efforts to cope with security requirements as components start interchanging data or being interlinked. One key issue is to investigate how NIDS deal with IoT devices and CPS that are no longer supported or are simply outdated. There is potential research on how to best integrate AI and machine learning to negate vulnerabilities by leveraging the computational tractability of the algorithms.
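A toy hybrid NIDS illustrating the identification, ranking and report-combining criteria above, as an added example that is not part of the paper or of Snort; the flow records, rule set, sensor names, device names and the escalation threshold are constructed assumptions:

```python
"""Hybrid NIDS sketch: signatures + per-device baseline, Snort-style 1-10 alert
priorities, and merging of reports from several sub-system NIDS.
Added example on constructed flow records; not code from the paper or Snort.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

ESCALATE_AT = 7           # assumption: priorities >= 7 reach the operator
TRUSTED_PREFIX = "10.0."  # assumption: the building's own management subnet


@dataclass(frozen=True)
class Flow:
    sensor: str     # sub-system NIDS that observed the flow
    src: str
    dst: str        # device name (assumed inventory identifier)
    dst_port: int
    size: int       # bytes transferred


@dataclass(frozen=True)
class Alert:
    sensor: str
    rule: str
    dst: str
    priority: int   # 1 = low interest ... 10 = major threat


# Signature rules as (name, predicate, priority); constructed for the example.
SIGNATURES = [
    ("legacy-telnet-to-device", lambda f: f.dst_port == 23, 6),
    ("mgmt-port-from-untrusted-subnet",
     lambda f: f.dst_port == 22 and not f.src.startswith(TRUSTED_PREFIX), 9),
]


def build_baseline(training):
    """Per-device (mean, std dev) of flow size learned from known-good traffic."""
    sizes = defaultdict(list)
    for f in training:
        sizes[f.dst].append(f.size)
    return {dst: (mean(v), pstdev(v)) for dst, v in sizes.items()}


def signature_alerts(flows):
    return [Alert(f.sensor, name, f.dst, prio)
            for f in flows for name, match, prio in SIGNATURES if match(f)]


def anomaly_alerts(flows, baseline, z_limit=3.0):
    """Flag devices with no baseline and flows far above a device's usual size.
    Priority rises with the z-score: just over the limit gives 7, six or more
    standard deviations out saturates at 10."""
    alerts = []
    for f in flows:
        if f.dst not in baseline:
            alerts.append(Alert(f.sensor, "unknown-device", f.dst, 4))
            continue
        mu, sigma = baseline[f.dst]
        z = (f.size - mu) / sigma if sigma > 0 else (0.0 if f.size == mu else float("inf"))
        if z > z_limit:
            alerts.append(Alert(f.sensor, "traffic-volume-anomaly", f.dst, 4 + int(min(z, 6))))
    return alerts


def merge_reports(*alert_lists):
    """Combine sensor reports: one entry per (rule, device), highest priority kept."""
    merged = {}
    for a in (a for alerts in alert_lists for a in alerts):
        entry = merged.setdefault((a.rule, a.dst), {"rule": a.rule, "dst": a.dst,
                                  "priority": 0, "sensors": set(), "count": 0})
        entry["priority"] = max(entry["priority"], a.priority)
        entry["sensors"].add(a.sensor)
        entry["count"] += 1
    return sorted(merged.values(), key=lambda e: e["priority"], reverse=True)


def triage(report, threshold=ESCALATE_AT):
    """Split a merged report into operator escalations and NIDS-handled items."""
    return ([e for e in report if e["priority"] >= threshold],
            [e for e in report if e["priority"] < threshold])


def run_sample():
    """Constructed traffic: a known smart meter plus a device missing from the inventory."""
    training = [Flow("building-nids", "10.0.1.5", "meter-1", 8080, s)
                for s in (480, 500, 520, 490, 510, 500, 495, 505, 515, 485)]
    observed = [
        Flow("building-nids", "10.0.1.5", "meter-1", 8080, 505),   # normal
        Flow("building-nids", "10.0.1.5", "meter-1", 8080, 900),   # far above baseline
        Flow("der-nids", "10.0.1.5", "meter-1", 8080, 560),        # mildly above baseline
        Flow("building-nids", "203.0.113.7", "meter-1", 23, 505),  # telnet signature
        Flow("der-nids", "203.0.113.7", "inverter-2", 22, 300),    # unknown device + SSH rule
        Flow("der-nids", "10.0.2.9", "inverter-2", 8080, 300),     # unknown device only
    ]
    baseline = build_baseline(training)
    by_sensor = defaultdict(list)
    for f in observed:
        by_sensor[f.sensor].append(f)
    # Each sub-system NIDS produces its own report; the reports are merged afterwards.
    reports = [signature_alerts(fl) + anomaly_alerts(fl, baseline) for fl in by_sensor.values()]
    return triage(merge_reports(*reports))
```

Calling run_sample() returns the escalated and the automatically handled entries; the merged entries record how many times and from which sensors each (rule, device) pair fired, which is the traceability the paragraph on scalability asks for.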
3.5 | Threat modelling
One significant technique used in cybersecurity is known as Threat Modelling (TM) [6, 93, 94]. The idea is to devise abstractions of systems and consider possible attackers with their aims, goals, and methods. As output it generates a list of threats that the system faces and that should be addressed. Methods used in this approach vary in objectives and scope; as an example we highlight STRIDE, i.e. a mnemonic for security concerns accounting for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Another example is to model and devise attack trees, where paths of attacks and defences are built to mitigate incidents [32]. In terms of TM research, Sion et al. [95] enriched threat models with risk analysis information, helping prioritisation and triaging. In a similar approach, Marksteiner et al. [96] used TM in LVDG, combining the approach with RA over legacy and newly added devices in the SG. Best practices for TM can be broken up into five steps: i) asset identification; ii) threat reconnaissance; iii) risk assessment; iv) threat mapping; and v) mitigation capabilities.
TM can be quite complex and therefore not always limited to a single methodology. It is not uncommon for organisations in industry to adopt multiple methodologies to ensure all threats are covered within their given environment. For this reason, some industries and academic researchers might broaden their choices by including methodologies such as Process for Attack Simulation and Threat Analysis (PASTA), Hybrid Threat Modelling Method (hTMM), or Security Cards, focusing mostly on brainstorming threats.
PASTA is a TM methodology designed as an integrated application threat analysis. It works on a risk- or asset-based approach, making it ideal for business-focused environments such as active buildings. It is designed as an approach to dynamic threat detection, enumeration, and producing a scoring process. Once the threat model is completed, it allows security experts to analyse vulnerabilities and other identified threats to the system environment, highlighting any areas in which security controls need to be added [97]. The PASTA methodology works around an attacker-focused view of the system and overall environment, from which the developers can design an asset-focused defence.
The hTMM methodology was recently introduced by Security Equipment Inc. (SEI) in 2018, with widespread application in CPS [98]. It consists of two other methodologies: Security Quality Requirements Engineering (SQUARE), designed to extract, categorise and prioritise security requirements, and Persona non Grata, used to identify ways in which a system can be attacked according to adversaries’ goals.
The Security Card methodology approach to TM is designed around brainstorming and creative thinking, unlike the other methodologies we have seen so far, which focus on structured approaches. This methodology is designed to help identify less common or novel attacks. It incorporates the use of 42 cards covering Human Impact (9 cards), Adversary’s Motivations (13 cards), Adversary Resources (11 cards), and Adversary’s Methods (9 cards) [94].
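Enumerating STRIDE threats over a small AB model and prioritising them with the Class A formula of Table 1, as an added example serving both this section and Table 1 (not the paper's or any cited methodology's code; the element names, the STRIDE-per-element mapping taken from the Microsoft SDL practice, the default vulnerability rating and all 1-5 ratings are assumptions):

```python
"""STRIDE enumeration ranked with the Class A risk formula of Table 1.

Added example; not code from the paper or any cited methodology.  A slice of
an AB is modelled as data-flow-diagram elements, the STRIDE-per-element
mapping of the Microsoft SDL practice lists candidate threats, and each is
scored with Risk(Threat, Asset) = Likelihood(Threat) x Vulnerability(Threat,
Asset) x Impact(Threat, Asset).  Element names and all 1-5 ratings are
constructed assumptions.
"""
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}

# STRIDE-per-element: which categories are considered for each DFD element kind.
APPLICABLE = {"external": "SR", "process": "STRIDE", "store": "TRID", "flow": "TID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # external | process | store | flow


def enumerate_threats(elements):
    """Return (element, category letter) pairs for every applicable STRIDE category."""
    threats = []
    for e in elements:
        if e.kind not in APPLICABLE:
            raise ValueError(f"unknown element kind {e.kind!r} for {e.name}")
        threats.extend((e, c) for c in APPLICABLE[e.kind])
    return threats


def class_a_risk(likelihood, vulnerability, impact):
    """Table 1, Class A: Risk = Likelihood x Vulnerability x Impact, each rated 1-5."""
    for rating in (likelihood, vulnerability, impact):
        if not 1 <= rating <= 5:
            raise ValueError(f"rating {rating} outside 1-5")
    return likelihood * vulnerability * impact


def score_threats(threats, likelihood, vulnerability, impact, default_vuln=2):
    """Score each (element, category) pair.

    likelihood:    {category: 1-5}            rated per threat category
    vulnerability: {(element name, cat): 1-5} rated per threat/asset pair; unrated
                   pairs fall back to default_vuln (an assumption of this example)
    impact:        {element name: 1-5}        rated per asset
    Returns (element name, category name, risk) sorted by risk, highest first.
    """
    rows = []
    for e, c in threats:
        risk = class_a_risk(likelihood[c], vulnerability.get((e.name, c), default_vuln),
                            impact[e.name])
        rows.append((e.name, STRIDE[c], risk))
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))


def triage(scored, threshold):
    """Threats at or above the risk threshold: the ones to address first."""
    return [r for r in scored if r[2] >= threshold]


# Constructed AB slice: prosumer, metering, the VPP controller, its trading
# ledger and the two data flows between them.
ELEMENTS = [
    Element("Prosumer", "external"),
    Element("Smart meter", "process"),
    Element("VPP controller", "process"),
    Element("Energy trading ledger", "store"),
    Element("Dispatch commands", "flow"),
    Element("Meter readings", "flow"),
]
LIKELIHOOD = {"S": 3, "T": 4, "R": 2, "I": 3, "D": 4, "E": 2}
IMPACT = {"Prosumer": 2, "Smart meter": 3, "VPP controller": 5,
          "Energy trading ledger": 4, "Dispatch commands": 5, "Meter readings": 3}
VULNERABILITY = {("Dispatch commands", "T"): 5, ("Meter readings", "T"): 4,
                 ("Smart meter", "S"): 4, ("VPP controller", "E"): 4}


def run_sample(threshold=40):
    scored = score_threats(enumerate_threats(ELEMENTS), LIKELIHOOD, VULNERABILITY, IMPACT)
    return scored, triage(scored, threshold)


if __name__ == "__main__":
    scored, urgent = run_sample()
    print(f"{len(scored)} candidate threats; {len(urgent)} at or above the threshold")
    for name, category, risk in urgent:
        print(f"{risk:4d}  {category:<22} {name}")
```

With the constructed ratings, tampering with dispatch commands and with meter readings come out on top, which is the kind of triaged output Sion et al. add to a threat model by attaching risk information.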
3.6 | Modelling & Simulation
Modelling & Simulation helps the design of virtually any system by artificially creating approximated versions of a target infrastructure. Modellers then introduce controlled incidents in components, devising ‘what-if’ scenarios for making the most likely assumptions on the system, and evaluate the yielded output [99] for analysis. There is substantial integration of MATLAB/Simulink with real time simulators such as OPAL-RT [100] to investigate power related problems with built-in primitives, integrated toolboxes, and shared libraries. Modellers may use Hardware-in-the-Loop (HIL) simulation [101] to assess designs by toggling the level-of-detail according to desired feature representations.
Cybersecurity-oriented simulation focuses on the consequence of attacks [83], i.e., what happens after an attack or breach took place (data corruption in IS, stolen credentials, or increased privileges). Modellers tackle issues arising in both the power network and in the telecommunication network [102, 103] with co-simulation [104].
A plethora of frameworks exists for co-simulating the SG, such as GridLAB-D [105] or OpenDSS [106] combined with the Network Simulator (ns) [107] or OMNeT++/INET [108]. In terms of platforms or tool-chains specific to co-simulation, we mention the Framework for Network Co-Simulation (FNCS) [109], gradually being replaced by the Hierarchical Engine for Large-scale Infrastructure Co-Simulation (HELICS) [110], Mosaik [111], and pandapower [112].
For modelling buildings and energy efficiency across buildings, analysts usually employ EnergyPlus¹⁶ [113], broadly adopted due to its validation, trusted simulation results, thermal analysis, and other building related features. It is updated yearly, with new versions providing fixes to software defects as well as backwards compatibility (working with older model versions). Modellers use EnergyPlus in conjunction with the graphical interface offered by OpenStudio¹⁷, and both tools are free.
There are co-simulation tools that offer modelling of DER in power distribution networks. For instance, the Open Platform for Energy Networks (OPEN) [114] used pandapower [112] for an integrated simulation. The authors presented a case study consisting of a BEMS with PV and energy trading, and another of an EV fleet with an unbalanced three-phase distribution network. The SCEPTRE toolchain [115] (Sandia National Laboratories, US) is used to model networks of DER and cybersecurity defences where latency may impact grid performance. In its current version, the platform is on-line (live) and uses virtualised servers for the co-simulation engine.
¹⁶Link: https://energyplus.net/.
¹⁷Link: https://openstudio.net/.
Some authors applied those frameworks to model cybersecurity aspects, such as Souza et al. [116], who combined OpenDSS, Mosaik, and ns-3 into a platform, and Le et al. [117], who used FNCS to model threats in the SG.
3.7 | Discussion
There is a substantial push for efficient planning (short, medium, and long term), preparedness, and accurate state estimation, as the SG is a critical infrastructure prone to unintended or malicious cybersecurity incidents. Measures in place address rigorous access control, real-time tracking of people while sensing the buildings’ infrastructure, and collecting data.
From a cybersecurity perspective, officers across responsibilities should balance trade-offs against functionality, usability, control, and privacy while quickly acting to respond to and prevent incidents. In AB, managers tackle these concerns by overseeing the whole infrastructure involving the DER, the set of SB, the VPP controlling CPS and IoT, SCADA sub-systems (if present), AMI, and the TE. Historic energy yields throughout seasons should account for scale, i.e., new devices are attached to the grid as incentives are put in place over time. The OCC for AB integrates with the ESO, energy providers, aggregators, consumers, and building managers, continuously gathering data for accurate state estimation (an explanation of how the state estimator works is provided by He and Yan [18]), while enabling trustworthiness. It accounts for short, medium, and long term planning and prepares for adverse weather conditions, avoiding the reliance on conventional power to meet nZEB requirements.
One notices a significant increase in market penetration of roof-top PV, WTPCS, or other DER. Akram et al. [118] researched sizing the RER mix in grid-connected microgrids and compared reliability against minimum costs. Attackers may target energy theft as customers start behaving as small generators trading in the market as prosumers. It is a substantial shift from conventional interactions with the energy market, from passive consumers to active players that could even help balance frequency if required by the management system or controller. These concerns will increase with the wide adoption of EV and smart chargers participating in the network, as they may also regulate frequency [29, 27].
Business stakeholders and cybersecurity experts must convene and use the RA for insights when addressing threats and vulnerabilities. Establishing clear and quantifiable measures could help in understanding the level of exposure faced within AB and what actions to take to diminish risk and exploitation opportunities. They must discuss which cybersecurity metrics they will consider, whether related to quality properties, system status (in terms of updating), number of breaches or attack attempts per time unit, or a customised approach that addresses quantitative measures. Within the context of SB, there is research to conduct in defining important, easily measurable Quality of Protection metrics. Moreover, it is crucial to research the relationship between different metrics, e.g., between software updates and risk, so that different stakeholders can make use of each other’s metrics.
In AB settings it is essential to deal with uncertainty, i.e., imperfect or incomplete knowledge of threats and new vulnerabilities. The intermittent aspect of renewable generation contributes to raising uncertainty; however, one could leverage it with the use of ESS in buildings and EV. Borrowing N-1 security ideas from the EPG, AB could address how to cope with more localised contingencies to avoid load shedding or energy black-outs in their vicinity. One example is to employ redundancy or to signal prices to the market and customers so that power frequency may be evened out during a crisis.
4 | RESEARCH ROADMAP FOR AB CYBERSECURITY
AB and nZEB are expected to permeate the future power grid across residential, commercial, and industrial counterparts. Their advantages will be weighed against the current model, where customers will balance convenience, trustworthiness, trade-offs in investments versus billing, and security and privacy guarantees to make a decision. As potentially millions of IoT devices attached to DER proliferate into buildings and households, continuously updated RA across system life-cycles will be compulsory. We next outline a cybersecurity-oriented research roadmap for AB:
1. Risk Assessments: research on timely, bespoke, and automated RA throughout (any) system life-cycle. Address how to cope with emergent threats and vulnerabilities, and requirement changes. RA will be tailored to meet the organisation’s objectives and will require quick adaptation to cope with increased levels of attack sophistication, involving cybersecurity experts in the process [77]. The RA could help TM and vulnerability assessment through combinations with security metrics. For instance, Rizvi et al. [93] modelled weaknesses of IoT in home, commerce, and healthcare facilities and used NIST’s CVSS to compute vulnerability scores for the devices.
2. Efficiency codes: just as energy efficiency labels grade appliances for power consumption, modern infrastructure could address other concerns such as emissions, amount of energy generation, and storage capability. Nikolaidou et al. [13] devised a code for AB; however, it could be extended to consider trustworthiness. It could help customers evaluate trade-offs when purchasing estate or adjusting security in their premises. With respect to security metrics, a significant practical open problem is to establish relationships between the metrics used by different stakeholders, for instance between the technology metrics used by ICT professionals and the risk metrics used in business continuity processes.
3. Market features:
• New players: the number of prosumers in AB will increase as potentially thousands of new power generators are attached to the grid. This is highly motivated by low acquisition prices and governmental incentives. It promises lower electricity bills (among other advantages), and authors have studied how they manage and share energy in the SG [10]. The envisioned massive penetration of roof-top solar panels and EV will change the energy landscape by adding new DER and helping the flexibility of power grids; however, it will enlarge the attack surface considerably.
• Transactive energy: TE may help prevent power cuts and blackouts; for instance, Yankson and Ghamkhari [62] used it for thwarting load-based attacks and flexible loads to balance frequency. Huang et al. [36] used co-simulation to study the valuation of responsive loads, comparing TE and non-TE agents.
4. Smart Grid components:
• Cross-domain control: more research is required to understand the required multidisciplinary approach involving a plethora of systems and components, bringing together experts from different domains.
• Pervasiveness of smart components: the SG infrastructure allows potentially millions of smart appliances to be easily attached. From a cybersecurity point of view, it could open back-doors for malicious interventions, as devices may eavesdrop or divert communications, influence automated incident responses (or prevent them from happening), and postpone (or prevent) events from reaching the OCC.
• Component life-cycle: in AB, the infrastructure is composed of a plethora of components, each with its own life-cycle from pre-acquisition and procurement to deployment, i.e. from when they start servicing customers until decommissioning. Cybersecurity officers must address RA throughout these phases.
• Legacy systems and retrofitting: one must consider the effect on cybersecurity aspects as customers retain outdated equipment in their buildings.
• Heterogeneity and interoperability: cybersecurity officers employ device heterogeneity to increase protection, as it makes attacks more difficult. However, under these circumstances, they will have to account for other issues such as intra-communication, timely maintenance, and interoperability.
5. Power based attacks:
• Synchronised cyber incidents: these attacks occur when malicious actors inject malware and coordinate events that may impact frequency, e.g., switching on or off a massive number of high-wattage devices. There is a need to better understand LCA, MAD, or LRA [61, 63, 64], in detection as well as in countermeasures to avoid their propagation.
• APT: measures consist of training systems and personnel on identifying long term incursions, monitoring data, energy use based on previous consumption or generation, and building energy profiling over prolonged time scales [119, 120]. Also, investigating FDI attacks [55] and comparing multiple datasets to unveil patterns that could hint at diversions or inconsistent loads across the infrastructure to detect, assess, confirm, mitigate, and cope with APT.
6. Modelling & Simulation:
• Modelling scale: as the advantages of AB become visible to customers, companies, and the government, other buildings and households will desire to participate and even trade energy, so the solution must account for scaling the infrastructure to withstand the demand.
• Testbeds: tackle realistic modelling and co-simulation efforts when designing and experimenting with varying scale EPG, addressing power supply and demand in the presence of security incidents, physical destruction, or service interruption, to name a few [121]. Address preparedness, pro-active responses, and accurate detection and confirmation of incidents.
• Cyber-Physical counterparts: one idea to test the effectiveness of responses is to artificially inject attacks to see how the countermeasures in place react. Current research tackles replicas of physical and virtual counterparts in Digital Twins, aimed at facilitating analysis by juxtaposing these elements.
• Prediction under uncertainty: user behaviour and weather intermittency may drive planning for the short, medium, and long term. The idea is to iterate over multiple scenarios considering the computational tractability of running a massive number of simulations. It is an open research question how to model the stochasticity of DER, ESS, and EV.
• Controlled stress testing: in order to avoid actual attacks on the physical infrastructure, simulation could be used to add controlled failures to components from single or multiple sources. It could address susceptible scenarios under different energy loads to drive design decisions on how to best tackle electricity-based shortcomings.
• HIL: it allows for the modelling of hardware and its internal structures as they increasingly demand modelling at varying levels of detail. Kochanneck et al. [122] considered a HIL co-simulation in a LVDG, comparing a multi-building design with a real-world building setting.
• Sensitivity analysis: this effort involves multiple parametrisations for comparing the impact of characteristics and discovering scenarios deemed deficient (according to metrics) for in-depth analysis.
7. Incident response: fast reaction to malicious incursions and recovery from security incidents or unanticipated breaches, learning from the situations and documenting details, actions, and reactions for future reference. Incident response could be of crucial use in the event of catastrophes or natural disasters impairing the infrastructure.
8. Emergent techniques: increased use of Machine Learning and AI algorithms for processing Big Data from multiple sources (e.g. IoT measurements, fine-grained weather forecasts, logging, and so on), and distributed ledgers for smart contracts in TE systems [123].
9. End-user related: the inhabitants, managers, maintenance personnel, and officers will have to adapt, learn, and point out inconsistent behaviours, anomalies, improper use, invalid situations or user mishandling of technology throughout the premises of AB. The interaction with AB’s systems will have to leverage functionality over cybersecurity, coping with ease of operation for different user levels, e.g., children, the elderly, or non-savvy customers.
10. Legal aspects: accountability, ownership, forensics, i.e. questions as to the magnitude of the attacks, impacted systems, and who is responsible (and liable) for the AB infrastructure. These matter in both new and retrofitted buildings, as well as in attributing attacks to unique individuals with evidence (forensics). As data pours into IS, security requirements [25] and data protection mechanisms will ensure better managerial actions in conjunction with life-cycle RA, General Data Protection Regulation (GDPR) adherence, staff training, and health and safety measures.
AB will revolutionise the way people handle power in buildings. It will support future energy systems, evolving current paradigms towards more active roles instead of just passive consumption. The advantages brought forth by AB will improve balancing of the power grid during peak demand while enabling prosumers to interact in the market in P2P trading. The greener and sustainable approach offered by AB may also reduce electricity bills as more conscious customers shift their behaviour according to electricity prices or other incentives.
Figure 6 shows an overview of the proposed cybersecurity roadmap for AB, showing areas of concern and the most susceptible targets. It covers the attack surface with the highest likelihood of adversarial interventions, accounting for major issues in current and future architectures and technologies.
[Figure 6 is a diagram not reproduced here; its labels are: Cyber-Physical Security; Information Systems (VPP); Generate, Storage, Release, Conserve; DER, Energy Loads; Planning & Scheduling; Security Requirements for SG/ICS; Remote Management; Power Generators; Batteries (static/mobile); Smart Meters; Appliances; Data manipulation; Prediction and Forecasts; Security updates & patching; Transmission, Generation, Storage; Risk Assessment: Threats, Vulnerabilities, Sources, Events, Scenarios, Confidentiality, Integrity, Availability; Intermittency, Uncertainty; Access control, incident response, ...; Bulk power; Legacy, Current, Future; Retrofitting Systems.]
FIGURE 6 Cyber-physical security, Risk Assessment, and potential targets in AB settings.
Bespoke RA aligns business objectives with cybersecurity trade-offs. As mentioned, the organisation leverages the rigour, formality, and depth of the RA, accounting for the business proposition, optimality, and potential threats that could undermine service provision. The sheer complexity of AB calls for strict cybersecurity management as officers and stakeholders ensure the quality of the data fed into the systems for accurate system state estimation and situational awareness. These protections safeguard IS and prevent the infrastructure from falling short on cyber-physical security.
As stated throughout this work, adversaries may target the AB business proposition (energy generation, storage, release, and conservation), corrupt data in IS, skew predictions, or transmit erroneous status of field devices. It is the responsibility of the cybersecurity officers to quickly enact, identify, confirm, and respond to incidents in a timely fashion, fast-track exposures, and precisely report on occurrences to achieve a minimum level of false positives, i.e., teams responding to false events.
Finally, it is worth mentioning that adversaries may surveil the infrastructure and monitor signals and responses to learn how to inflict more damage in future malicious incursions. To mitigate these situations, research is needed on modelling attackers’ actions to establish effective countermeasures and thwart cyber-physical security incidents, thus preventing them from re-occurring.
5 | CONCLUSION
Security and safety encompass the AB proposition as well as the intertwined nature of P2P energy provision. AB
are defined as buildings that are active energy agents sustaining a nation's power infrastructure, so any adversarial
incursion against that infrastructure, and all that it entails, is also an attack targeted at AB. Under these settings
one must consider the harmful effects of attacks that could cause undesired load shedding or frequency
imbalance, not to mention the consequences for inhabitants and managers. Security, after all, is a trade-off between
adhering to requirements and user/customer/stakeholder interaction and experience. Riskier outcomes must be prioritised
over unimportant ones as cybersecurity officers continuously assess threats and vulnerabilities.
For these ideas to become reality, action is required at a trans-national level, for example a joint effort on how
best to decommission current power plants with little impact on the environment. Renewable energy is known for
its uncertainty, as WTPCS and PV panels are not productive 100% of the time (only a fraction) due to climatic conditions.
Another problem is the surface required when commissioning PV panels, since a given energy yield demands a large area,
whereas wind turbines may impact wildlife and vegetation. Nevertheless, despite those
shortcomings, cross-domain action must be taken to meet energy objectives for the near future, enshrining the solution
with cyber-physical security and safety.
AB adoption undoubtedly poses significant opportunities aligned with the decarbonisation strategy set forth by the
government. We have proposed here a roadmap for tackling cyber-physical security using RA, modelling, and intrusion
detection over the AB life-cycle, as well as future research opportunities. We have raised awareness of cybersecurity
in AB by discussing how to adapt existing mechanisms from CPS, IoT, and ICS. Our work has presented an overview of the
cross-fertilisation effort required across domains for increased preparedness to assess and respond to cyber-physical
incidents.
5.1 | Status Quo, Challenges, and Outlook
Cybersecurity is vital for any critical system design, as it sustains operational capabilities in the presence of adversarial
incursions. Power and building managers as well as security officers are expected to draw on previous research
on infrastructure, learning from past experience and lessons learned as their cyber-physical systems become
increasingly hardened against attacks. As shown throughout this work, several challenges persist in modern
(and smart) infrastructures as attackers devise creative means to criminally access systems and thwart operations.
As adversaries will always have incentives to thwart the SG because of its capabilities, managers should
consider cybersecurity throughout the AB proposition and recruit, whenever possible, the help of its
stakeholders (e.g. reporting anomalies, phishing attempts, uncommon behaviour, and so on).
Our work has pointed out key aspects of cyber-physical security to observe from CPS research (SG and ICS), showing
related work on SCADA vulnerabilities and mitigations, risk assessment, threat modelling, and Modelling & Simulation.
Next efforts are expected to follow this path, building on previous ideas and adapting systems, techniques,
and methods to cope with frequently changing cyber-physical topologies so that emergent technologies are accommodated
seamlessly for customers and administrators. The cybersecurity challenge in AB should take attacker
dynamics into account as defences adapt in near real-time, detect malicious advances, and prevent more serious consequences
from propagating across the infrastructure.
ACKNOWLEDGEMENTS
The authors wish to acknowledge funding from the Industrial Strategy Challenge Fund and Engineering and Physical
Sciences Research Council, EP/V012053/1, for The Active Building Centre Research Programme (ABC RP).
REFERENCES
[1] Mo Y, Kim THJ, Brancik K, Dickinson D, Lee H, Perrig A, et al. Cyber-physical security of a smart grid infrastructure.
Proceedings of the IEEE 2011;100(1):195–209.
[2] Greer C, Wollman DA, Prochaska DE, Boynton PA, Mazer JA, Nguyen CT, et al. NIST framework and roadmap for smart
grid interoperability standards, release 3.0; 2014.
[3] Amin SM, Wollenberg BF. Toward a smart grid: power delivery for the 21st century. IEEE Power Energy Magazine
2005;3(5):34–41.
[4] Fang X, Misra S, Xue G, Yang D. Smart grid – The new and improved power grid: A survey. IEEE Communications Surveys
and Tutorials 2011;14(4):944–980.
[5] Gunes V, Peter S, Givargis T, Vahid F. A survey on concepts, applications, and challenges in cyber-physical systems. KSII
Transactions on Internet & Information Systems 2014;8(12).
[6] Humayed A, Lin J, Li F, Luo B. Cyber-physical systems security – A survey. IEEE Internet of Things Journal
2017;4(6):1802–1831.
[7] Clarke J, Jones P, Littlewood J, Worsley D. Active Buildings in Practice. In: Sustainability in Energy and Buildings
Springer; 2020.p. 555–564.
[8] Hatziargyriou N, Asano H, Iravani R, Marnay C. Microgrids. IEEE Power Energy Magazine 2007;5(4):78–94.
[9] Strbac G, Woolf M, Walker S, Vahidinasab V. The Role of Active Buildings in the Transition to a Net Zero Energy System.
Imperial College, Newcastle University 2020.
[10] Zafar R, Mahmood A, Razzaq S, Ali W, Naeem U, Shehzad K. Prosumer based energy management and sharing in smart
grid. Renewable and Sustainable Energy Reviews 2018;82:1675–1684.
[11] Driesen J, Katiraei F. Design for distributed energy resources. IEEE Power Energy Magazine 2008;6(3):30–40.
[12] Bankovskis A. One million homes constructed as ‘buildings as power stations’ – report of indicative benefits. SPECIFIC
online report 2017;.
[13] Nikolaidou E, Fosas D, Roberts M, Allen S, Walker I, Coley D. Buildings as Energy Infrastructure, not Passive Consumers.
University of Bath 2020;.
[14] Ma O, Alkadi N, Cappers P, Denholm P, Dudley J, Goli S, et al. Demand response for ancillary services. IEEE Transactions
on Smart Grid 2013;4(4):1988–1995.
[15] Attia S. Net Zero Energy Buildings (NZEB): Concepts, frameworks and roadmap for project analysis and implementa-
tion. Butterworth-Heinemann; 2018.
[16] Kurnitski J, Allard F, Braham D, Goeders G, Heiselberg P, Jagemar L, et al. How to define nearly net zero energy buildings
nZEB. Rehva Journal 2011;48(3):6–12.
[17] Sridhar S, Hahn A, Govindarasu M. Cyber-physical system security for the electric power grid. Proceedings of the IEEE
2012;100(1):210–224.
[18] He H, Yan J. Cyber-physical attacks and defences in the smart grid: a survey. IET Cyber-Physical Systems: Theory &
Applications 2016;1(1):13–27.
[19] Giraldo J, Sarkar E, Cardenas AA, Maniatakos M, Kantarcioglu M. Security and privacy in cyber-physical systems: A
survey of surveys. IEEE Design & Test 2017;34(4):7–17.
[20] Abercrombie RK, Sheldon FT, Hauser KR, Lantz MW, Mili A. Risk assessment methodology based on the NISTIR 7628
guidelines. In: 2013 46th Hawaii International Conference on System Sciences IEEE; 2013. p. 1802–1811.
[21] Wangen G. Information security risk assessment: A method comparison. Computer 2017;50(4):52–61.
[22] Leszczyna R. Standards on cyber security assessment of smart grid. International Journal of Critical Infrastructure
Protection 2018;22:70–89.
[23] Ruland KC, Sassmannshausen J, Waedt K, Zivic N. Smart grid security – an overview of standards and guidelines. e&i
Elektrotech Inf Tech 2017;134(1):19–25.
[24] Gritzalis D, Iseppi G, Mylonas A, Stavrou V. Exiting the Risk Assessment maze: A meta-survey. ACM Computing Surveys
(CSUR) 2018;51(1):1–30.
[25] Pillitteri VY, Brewer TL. Guidelines for smart grid cybersecurity (NIST 7628); 2014.
[26] Initiative JTFT. Guide for conducting risk assessments (NIST. SP 800-30rev1). The National Institute of Standards and
Technology (NIST), Gaithersburg 2012;.
[27] Greenwood D, Lim KY, Patsios C, Lyons P, Lim YS, Taylor P. Frequency response services designed for energy storage.
Applied Energy 2017;203:115–127.
[28] Stouffer K, Falco J, Scarfone K. Guide to industrial control systems (ICS) security – Rev. 2. NIST Special Publication
2015;800(82).
[29] Izadkhast S, Garcia-Gonzalez P, Frías P. An Aggregate Model of Plug-In Electric Vehicles for Primary FrequencyControl.
IEEE Transactions on Power Systems 2015;30(3):1475–1482.
[30] Ding D, Han QL, Xiang Y, Ge X, Zhang XM. A survey on security control and attack detection for industrial cyber-physical
systems. Neurocomputing 2018;275:1674–1683.
[31] Kim J, Tong L. On topology attack of a smart grid: Undetectable attacks and countermeasures. IEEE Journal on Selected
Areas in Communications 2013;31(7):1294–1305.
[32] Camana Acosta MR, Ahmed S, Garcia CE, Koo I. Extremely Randomized Trees-Based Scheme for Stealthy Cyber-Attack
Detection in Smart Grid Networks. IEEE Access 2020;8:19921–19933.
[33] Yuan Y, Li Z, Ren K. Modeling load redistribution attacks in power systems. IEEE Transactions on Smart Grid
2011;2(2):382–390.
[34] Kumar P, Lin Y, Bai G, Paverd A, Dong JS, Martin A. Smart grid metering networks: A survey on security, privacy and
open research issues. IEEE Communications Surveys and Tutorials 2019;21(3):2886–2927.
[35] Gunduz MZ, Das R. Cyber-security on smart grid: Threats and potential solutions. Computer Networks
2020;169:107094.
[36] Huang Q, McDermott TE, Tang Y, Makhmalbaf A, Hammerstrom DJ, Fisher AR, et al. Simulation-based valuation of
transactive energy systems. IEEE Transactions on Power Systems 2019;34(5):4138–4147.
[37] Pudjianto D, Ramsay C, Strbac G. Virtual power plant and system integration of distributed energy resources. IET
Renewable Power Generation 2007;1(1):10–16.
[38] Royapoor M, Pazhoohesh M, Davison PJ, Patsios C, Walker S. Building as a virtual power plant, magnitude and persis-
tence of deferrable loads and human comfort implications. Energy and Buildings 2020;213:109794.
[39] Zajc M, Kolenc M, Suljanović N. Virtual power plant communication system architecture. In: Smart Power Distribution
Systems Elsevier; 2019.p. 231–250.
[40] Kolenc M, Nemček P, Gutschi C, Suljanović N, Zajc M. Performance evaluation of a virtual power plant communication
system providing ancillary services. Electric Power Systems Research 2017;149:46–54.
[41] Radhakrishnan K, Menon RR, Nath HV. A survey of zero-day malware attacks and its detection methodology. In: TEN-
CON 2019-2019 IEEE Region 10 Conference (TENCON) IEEE; 2019. p. 533–539.
[42] Langner R. Stuxnet: Dissecting a cyberwarfare weapon. IEEE Security & Privacy 2011;9(3):49–51.
[43] Farwell JP, Rohozinski R. Stuxnet and the future of cyber war. Survival 2011;53(1):23–40.
[44] Kimani K, Oduol V, Langat K. Cyber security challenges for IoT-based smart grid networks. International Journal of
Critical Infrastructure Protection 2019;25:36–49.
[45] Ashibani Y, Mahmoud QH. Cyber physical systems security: Analysis, challenges and solutions. Computer Security
2017;68:81–97.
[46] Al-Fuqaha A, Guizani M, Mohammadi M, Aledhari M, Ayyash M. Internet of things: A survey on enabling technologies,
protocols, and applications. IEEE Communications Surveys and Tutorials 2015;17(4):2347–2376.
[47] Alaba FA, Othman M, Hashem IAT, Alotaibi F. Internet of Things security: A survey. Journal of Network and Computer
Applications 2017;88:10–28.
[48] Yang Y, Wu L, Yin G, Li L, Zhao H. A survey on security and privacy issues in Internet-of-Things. IEEE Internet of Things
Journal 2017;4(5):1250–1258.
[49] Emmanuel M, Rayudu R. Communication technologies for smart grid applications: A survey. Journal of Network and
Computer Applications 2016;74:133–148.
[50] Lin J, Yu W, Zhang N, Yang X, Zhang H, Zhao W. A survey on internet of things: Architecture, enabling technologies,
security and privacy, and applications. IEEE Internet of Things Journal 2017;4(5):1125–1142.
[51] Heartfield R, Loukas G, Budimir S, Bezemskij A, Fontaine JR, Filippoupolitis A, et al. A taxonomy of cyber-physical
threats and impact in the smart home. Computer Security 2018;78:398–428.
[52] Lin H, Bergmann NW. IoT privacy and security challenges for smart home environments. Information 2016;7(3):44.
[53] Deng R, Xiao G, Lu R, Liang H, Vasilakos AV. False data injection on state estimation in power systems – Attacks,
impacts, and defense: A survey. IEEE Transactions on Industrial Informatics 2016;13(2):411–423.
[54] Liang G, Zhao J, Luo F, Weller SR, Dong ZY. A review of false data injection attacks against modern power systems. IEEE
Transactions on Smart Grid 2016;8(4):1630–1638.
[55] Musleh AS, Chen G, Dong ZY. A survey on the detection algorithms for false data injection attacks in smart grids. IEEE
Transactions on Smart Grid 2019;11(3):2218–2234.
[56] Huang Y, Esmalifalak M, Nguyen H, Zheng R, Han Z, Li H, et al. Bad data injection in smart grid: attack and defense
mechanisms. IEEE Communications Magazine 2013;51(1):27–33.
[57] He Y, Mendis GJ, Wei J. Real-time detection of false data injection attacks in smart grid: A deep learning-based intelli-
gent mechanism. IEEE Transactions on Smart Grid 2017;8(5):2505–2516.
[58] Manandhar K, Cao X, Hu F, Liu Y. Detection of faults and attacks including false data injection attack in smart grid using
Kalman filter. IEEE Transactions on Control of Network Systems 2014;1(4):370–379.
[59] Paté-Cornell ME, Kuypers M, Smith M, Keller P. Cyber risk management for critical infrastructure: a risk analysis model
and three case studies. Risk Analysis 2018;38(2):226–241.
[60] Soltan S, Mittal P, Poor HV. BlackIoT: IoT botnet of high wattage devices can disrupt the power grid. In: 27th USENIX
Security Symposium; 2018. p. 15–32.
[61] Dabrowski A, Ullrich J, Weippl ER. Grid shock: Coordinated load-changing attacks on power grids: The non-smart
power grid is vulnerable to cyber attacks as well. In: Proceedings of the 33rd Annual Computer Security Applications
Conference; 2017. p. 303–314.
[62] Yankson S, Ghamkhari M. Transactive Energy to Thwart Load Altering Attacks on Power Distribution Systems. Future
Internet 2020;12(1):4.
[63] Soltan S, Mittal P, Poor V. Protecting the Grid against MAD Attacks. IEEE Transactions on Network Science and Engi-
neering 2019;.
[64] Kumar CO, Bhama PRS. Detecting and confronting flash attacks from IoT botnets. The Journal of Supercomputing
2019;75(12):8312–8338.
[65] Arnaboldi L, Czekster RM, Morisset C, Metere R. Modelling Load-Changing Attacks in Cyber-Physical Systems. Elec-
tronic Notes in Theoretical Computer Science 2020;353C:39–60.
[66] Huang B, Cardenas AA, Baldick R. Not everything is dark and gloomy: Power grid protections against IoT demand
attacks. In: 28th USENIX Security Symposium; 2019. p. 1115–1132.
[67] Komninos N, Philippou E, Pitsillides A. Survey in smart grid and smart home security: Issues, challenges and counter-
measures. IEEE Communications Surveys and Tutorials 2014;16(4):1933–1954.
[68] Mitchell R, Chen IR. A survey of intrusion detection techniques for cyber-physical systems. ACM Computing Surveys
(CSUR) 2014;46(4):1–29.
[69] Zambon E, Etalle S, Wieringa RJ, Hartel P. Model-based qualitative risk assessment for availability of IT infrastructures.
Software & Systems Modeling 2011;10(4):553–580.
[70] Shamala P, Ahmad R, Yusoff M. A conceptual framework of info structure for information security risk assessment
(ISRA). Journal of Information Security and Applications 2013;18(1):45–52.
[71] Shameli-Sendi A, Aghababaei-Barzegar R, Cheriet M. Taxonomy of information security risk assessment (ISRA). Com-
puter Security 2016;57:14–30.
[72] Chemweno P, Pintelon L, Muchiri PN, Van Horenbeek A. Risk assessment methodologies in maintenance decision mak-
ing: A review of dependability modelling approaches. Reliability Engineering & System Safety 2018;173:64–77.
[73] Nagaraju V, Fiondella L, Wandji T. A survey of fault and attack tree modeling and analysis for cyber risk management.
In: 2017 IEEE International Symposium on Technologies for Homeland Security (HST) IEEE; 2017. p. 1–6.
[74] Cherdantseva Y,Burnap P,Blyth A, Eden P, Jones K, Soulsby H, et al. A review of cyber security risk assessment methods
for SCADA systems. Computer Security 2016;56:1–27.
[75] Rossebø JE, Wolthuis R, Fransen F, Björkman G, Medeiros N. An enhanced risk-assessment methodology for smart
grids. Computer 2017;50(4):62–71.
[76] Teixeira A, Sou KC, Sandberg H, Johansson KH. Secure control systems: A quantitative risk management approach.
IEEE Control Systems Magazine 2015;35(1):24–45.
[77] Mace JC, Czekster RM, Morisset C, Maple C. Smart Building Risk Assessment Case Study: Challenges, Deficiencies and
Recommendations. In: 16th European Dependable Computing Conference (EDCC) IEEE; 2020. p. 59–64.
[78] Nurse JR, Creese S, De Roure D. Security risk assessment in Internet of Things systems. IT professional 2017;19(5):20–
26.
[79] Radanliev P, De Roure DC, Nicolescu R, Huth M, Montalvo RM, Cannady S, et al. Future developments in cyber risk
assessment for the internet of things. Computers in Industry 2018;102:14–22.
[80] Casola V, De Benedictis A, Rak M, Villano U. Toward the automation of threat modeling and risk assessment in IoT
systems. Internet of Things 2019;7:100056.
[81] Mell P, Scarfone K, Romanosky S. Common vulnerability scoring system. IEEE Security & Privacy 2006;4(6):85–89.
[82] Ramos A, Lazar M, Holanda Filho R, Rodrigues JJ. Model-based quantitative network security metrics: A survey. IEEE
Communications Surveys and Tutorials 2017;19(4):2704–2734.
[83] Nicol DM, Sanders WH, Trivedi KS. Model-based evaluation: from dependability to security. IEEE Transactions on
Dependable and Secure Computing 2004;1(1):48–65.
[84] Avizienis A, Laprie JC, Randell B, Landwehr C. Basic concepts and taxonomy of dependable and secure computing. IEEE
Transactions on Dependable and Secure Computing 2004;1(1):11–33.
[85] Radoglou-Grammatikis PI, Sarigiannidis PG. Securing the smart grid: A comprehensive compilation of intrusion detec-
tion and prevention systems. IEEE Access 2019;7:46595–46620.
[86] Garcia-Teodoro P, Diaz-Verdejo J, Maciá-Fernández G, Vázquez E. Anomaly-based network intrusion detection: Tech-
niques, systems and challenges. Computer Security 2009;28(1-2):18–28.
[87] Challa S, Wazid M, Das AK, Kumar N, Reddy AG, Yoon EJ, et al. Secure signature-based authenticated key establishment
scheme for future IoT applications. IEEE Access 2017;5:3028–3043.
[88] Raghunath BR, Mahadeo SN. Network intrusion detection system (NIDS). In: 1st International Conference on Emerging
Trends in Eng. and Tech. IEEE; 2008. p. 1272–1277.
[89] Shenfield A, Day D, Ayesh A. Intelligent intrusion detection systems using artificial neural networks. ICT Express 2018
05;4.
[90] Premathilaka NA, Aponso AC, Krishnarajah N. Review on state of art intrusion detection systems designed for the
cloud computing paradigm. In: 2013 47th International Carnahan Conference on Security Technology (ICCST) IEEE;
2013. p. 1–6.
[91] Debar H, Morin B. Evaluation of the Diagnostic Capabilities of Commercial Intrusion Detection Systems. In: Wespi A,
Vigna G, Deri L, editors. Recent Advances in Intrusion Detection Berlin, Heidelberg: Springer Berlin Heidelberg; 2002.p.
177–198.
[92] Alhanahnah M, Lin Q, Yan Q, Zhang N, Chen Z. Efficient Signature Generation for Classifying Cross-Architecture IoT
Malware 2018;p. 1–9.
[93] Rizvi S, Pipetti R, McIntyre N, Todd J, Williams I. Threat model for securing internet of things (IoT) network at device-
level. Internet of Things 2020;11:100240.
[94] Shevchenko N, Chick TA, O’Riordan P, Scanlon TP, Woody C. Threat modeling: a summary of available methods. CMU
– Software Engineering Institute; 2018.
[95] Sion L, Yskout K, Van Landuyt D, Joosen W. Risk-based design security analysis. In: Proceedings of the 1st International
Workshop on Security Awareness from Design to Deployment; 2018. p. 11–18.
[96] Marksteiner S, Vallant H, Nahrgang K. Cyber security requirements engineering for low-voltage distribution smart grid
architectures using threat modeling. Journal of Information Security and Applications 2019;49:102389.
[97] UcedaVelez T, Morana MM. Risk centric threat modeling. Wiley Online Library; 2015.
[98] Mead NR, Shull F, Vemuru K, Villadsen O. A hybrid threat modeling method. CMU – Software Engineering Institute;
2018.
[99] Li W, Zhang X. Simulation of the smart grid communications: Challenges, techniques, and future trends. Computers &
Electrical Engineering 2014;40(1):270–288.
[100] Poudel S, Ni Z, Malla N. Real-time cyber physical system testbed for power system security and control. International
Journal of Electrical Power & Energy Systems 2017;90:124–133.
[101] Ren W, Steurer M, Baldwin TL. Improve the stability and the accuracy of power hardware-in-the-loop simulation by
selecting appropriate interface algorithms. IEEE Transactions on Industry Applications 2008;44(4):1286–1294.
[102] Mets K, Ojea JA, Develder C. Combining power and communication network simulation for cost-effective smart grid
analysis. IEEE Communications Surveys and Tutorials 2014;16(3):1771–1796.
[103] Müller SC, Georg H, Nutaro JJ, Widl E, Deng Y, Palensky P, et al. Interfacing power system and ICT simulators: Chal-
lenges, state-of-the-art, and case studies. IEEE Transactions on Smart Grid 2016;9(1):14–24.
[104] Gomes C, Thule C, Broman D, Larsen PG, Vangheluwe H. Co-simulation: a survey. ACM Computing Surveys (CSUR)
2018;51(3):49.
[105] Chassin DP, Fuller JC, Djilali N. GridLAB-D: An agent-based simulation framework for smart grids. Journal of Applied
Mathematics 2014;2014.
[106] Dugan RC, McDermott TE. An open source platform for collaborating on smart grid research. In: 2011 IEEE Power and
Energy Society General Meeting IEEE; 2011. p. 1–7.
[107] Riley GF, Henderson TR. The ns-3 network simulator. In: Modeling and tools for network simulation Springer; 2010.p.
15–34.
[108] Varga A. OMNeT++. In: Modeling and tools for network simulation Springer; 2010.p. 35–59.
[109] Ciraci S, Daily J, Fuller J, Fisher A, Marinovici L, Agarwal K. FNCS: a framework for power system and communication
networks co-simulation. In: Proceedings of the Symposium on Theory of Modeling & Simulation-DEVS integrative;
2014. p. 1–8.
[110] Palmintier B, Krishnamurthy D, Top P, Smith S, Daily J, Fuller J. Design of the HELICS high-performance transmission-
distribution-communication-market co-simulation framework. In: 2017 Workshop on Modeling and Simulation of
Cyber-Physical Energy Systems (MSCPES) IEEE; 2017. p. 1–6.
[111] Schütte S, Scherfke S, Tröschel M. Mosaik: A framework for modular simulation of active components in Smart Grids.
In: 2011 IEEE First International Workshop on Smart Grid Modeling and Simulation (SGMS) IEEE; 2011. p. 55–60.
[112] Thurner L, Scheidler A, Schäfer F, Menke JH, Dollichon J, Meier F, et al. pandapower – an open-source python tool
for convenient modeling, analysis, and optimization of electric power systems. IEEE Transactions on Power Systems
2018;33(6):6510–6521.
[113] Crawley DB, Lawrie LK, Winkelmann FC, Buhl WF, Huang YJ, Pedersen CO, et al. EnergyPlus: creating a new-generation
building energy simulation program. Energy and Buildings 2001;33(4):319–331.
[114] Morstyn T, Collett KA, Vijay A, Deakin M, Wheeler S, Bhagavathy SM, et al. OPEN: An open-source platform for devel-
oping smart local energy system applications. Applied Energy 2020;275:115397.
[115] Johnson J, Onunkwo I, Cordeiro P, Wright BJ, Jacobs N, Lai C. Assessing DER network cybersecurity de-
fences in a power-communication co-simulation environment. IET Cyber-Physical Systems: Theory & Applications
2020;5(3):274–282.
[116] de Souza E, Ardakanian O, Nikolaidis I. A Co-simulation Platform for Evaluating Cyber Security and Control Applica-
tions in the Smart Grid. In: IEEE International Conference on Communications (ICC) IEEE; 2020. p. 1–7.
[117] Le TD, Anwar A, Beuran R, Loke SW. Smart Grid Co-Simulation Tools: Review and Cybersecurity Case Study. In: 7th
International Conference on Smart Grid (icSmartGrid) IEEE; 2019. p. 39–45.
[118] Akram U, Khalid M, Shafiq S. Optimal sizing of a wind/solar/battery hybrid grid-connected microgrid system. IET Re-
newable Power Generation 2017;12(1):72–80.
[119] Skopik F, Friedberg I, Fiedler R. Dealing with advanced persistent threats in smart grid ICT networks. In: Innovative
Smart Grid Technologies (ISGT) IEEE Power & Energy Society; 2014. p. 1–5.
[120] Friedberg I, Skopik F, Settanni G, Fiedler R. Combating advanced persistent threats: From network event correlation
to incident detection. Computer Security 2015;48:35–57.
[121] Cintuglu MH, Mohammed OA, Akkaya K, Uluagac AS. A survey on smart grid cyber-physical system testbeds. IEEE
Communications Surveys and Tutorials 2016;19(1):446–464.
[122] Kochanneck S, Mauser I, Phipps K, Schmeck H. Hardware-in-the-Loop Co-simulation of a Smart Building in a Low-
voltage Distribution Grid. In: IEEE Innovative Smart Grid Technologies Conference Europe IEEE Power & Energy Soci-
ety; 2018. p. 1–6.
[123] Siano P, De Marco G, Rolán A, Loia V. A survey and evaluation of the potentials of distributed ledger technology for
peer-to-peer transactive energy exchanges in local energy markets. IEEE Systems Journal 2019;13(3):3454–3466.