
Cybersecurity Roadmap for Active Buildings


Abstract

The technology integrated in modern smart infrastructures makes them vulnerable to malicious cyber attacks and misuse of information systems. Active Buildings (AB) are no exception. AB implement the vision of 'buildings as power stations', aiming for operational efficiency in generation, storage, release, and conservation of energy collaboratively among neighbouring smart buildings. However, adversaries may exploit cyber-physical vulnerabilities on the smart infrastructure to cause service interruptions or financial losses. For this reason, it is imperative to effectively respond and devise countermeasures to deter attacks. This work presents a roadmap to guide AB's cybersecurity efforts, adapting existing mechanisms in enterprise information systems, Cyber-Physical Systems, Internet-of-Things, and Industrial Control Systems. We aim to help power and building managers to understand trade-offs to assess risk, model threats, deploy intrusion detection, or simulate the infrastructure. Our contribution also discusses open research questions with respect to cybersecurity, highlighting needed developments for hardening AB and thwarting attacks.
Ricardo M. Czekster (1), Charles Morisset (1), Aad van Moorsel (1), John C. Mace (1), Walter A. Bassage (2), John A. Clark (2)
(1) Newcastle University, 1 Science Square, Newcastle upon Tyne, NE1 7RU
(2) University of Sheffield, 211 Portobello, Sheffield, S1 4DP
Correspondence: Charles Morisset, Newcastle University
Strict cyber-physical security requirements in modern smart infrastructures [ ] shield users and customers from adversaries committing malicious interventions. The Smart Grid (SG) [ ] is a Cyber-Physical System (CPS) [ ] considered a critical infrastructure. The SG comprises buildings in residential, commercial, and industrial settings. Buildings are targets for performance improvements because they are primary pollution drivers, responsible for 40% of global energy use according to the International Energy Agency (IEA) (footnote 1). The UK government's ambition is to curtail carbon emissions by 80% until [ ] (baseline of [ ]) according to the Future Energy Scenarios (footnote 2), thus urgent action is necessary.
Active Buildings (AB) [ ] are a novel approach built on top of the SG, functioning as a grid-connected microgrid (footnote 3). They retain connectivity to the conventional infrastructure and are able to operate in islanded mode if required [ ]. The idea is to extend functionality along three axes [ ]: i) increased adoption of Renewable Energy Resources (RER) such as solar panels using photovoltaic (PV) technologies or Wind Turbine Power Converter Systems (WTPCS); ii) distributed Energy Storage Systems (ESS) such as static batteries attached to buildings or mobile ones in Electric Vehicles (EV); iii) Thermal Energy Storage Systems (TES) for balanced building thermodynamics within its envelope, energy storage, and comfort level adjustments while heating or cooling. This decentralised infrastructure operates in Low-Voltage Distribution Grids (LVDG), promoting decarbonisation and grid stability and congregating customers that may both produce and consume power, so-called prosumers [ ], who participate in dynamic energy markets. RER, ESS, and TES (among others) are considered key power-based assets, referred to as Distributed Energy Resources (DER) [ ], that are managed and controlled by a diversified number of systems and stakeholders.
AB aim to shift passive energy users towards active behaviour, enacting 'buildings as power stations' [ ]. In these contexts, bi-directional energy flows add stability, reliability, and trading capabilities across Peer-to-Peer (P2P) agents. They improve ancillary services such as frequency regulation and the management of power reserves for continuous energy provision [ ]. AB operate on the edge of conventional grids as nearly Net Zero Energy Buildings (nZEB) [ ]. nZEB approximate energy generation to consumption over a fixed duration (footnote 4). The buildings in the P2P network trade the energy surplus in the market or with their neighbours and make operational decisions about planning and management.
AB encompass a plethora of sub-systems and devices, notably Internet-of-Things (IoT) devices capable of sensing and communicating data. They rely on the pervasive use of Information and Communication Technologies (ICT) and Information Systems (IS). These elements relay the operational status of power and telecommunication networks to an Operation Control Centre (OCC) that provides situational awareness, enacts timely response coordination, and makes planning decisions to address supply and demand prognostics.
In such highly connected and data-centric settings it is essential to provide trustworthiness, i.e. security, privacy, safety, reliability, and resilience (footnote 5) [ ], to withstand the harmful effects of cyber attacks or abnormal situations. Organisations usually require cybersecurity officers and managers to perform Risk Management (footnote 6) processes throughout the system's life-cycle. One way is to employ a Risk Assessment (RA) methodology to map vulnerabilities and threats and to compute risk and exposure level [ ]. Organisations devise RA as an ongoing effort to increase the trustworthiness of their underlying systems and infrastructure. Over the years, authoritative bodies have defined standards, assessment methodologies, recommendations, and guidelines in the US and Europe [ ]. For example, Ruland et al. [ ] discussed security standards whereas Gritzalis et al. [ ] addressed how to select suitable RA methodologies. In terms of NIST overviews on cybersecurity and guidelines for RA we mention NISTIR 7628 [ ] and most notably NIST SP 800-30 [ ]. The level of detail, effort, rigour, and quantitative/qualitative aspects to consider are left for the organisation to decide in line with its objectives.

(1) IEA publishes energy datasets to support secure and sustainable energy with global scope. Link (for buildings):
All links here were accessed in January/2021.
(2) For the UK's Future Energy Scenarios (2020 edition) please refer to the following link: energy-scenarios/fes-2020-documents.
(3) According to NISTIR 7628 Rev. 1, a microgrid is "an implied hierarchy in availability and resilience eliminates potential peer-to-peer negotiations between microgrids. Its models suggest that availability starts in a local microgrid and that resilience is gained by aggregating and interconnecting those microgrids. They are intended to operate either as islands or interconnected; islands are key where critical operations need to be maintained."
(4) This definition is sanctioned by the European Commission in Directive 2010/31/EU, stating that "'nearly zero-energy building' means a building that has a very high energy performance, as determined in accordance with Annex I. The nearly zero or very low amount of energy required should be covered to a very significant extent by energy from renewable sources, including energy from renewable sources produced on-site or nearby".
(5) Resilience in the context of this work is the ability of a system to remain in operation and continue to provide service in the presence of incidents or events that attempt to disrupt or shut down assets.
(6) The US National Institute of Standards and Technology (NIST) has published a wealth of standards for cybersecurity and Risk Management, including a comprehensive framework to help managers. Link: management/.
We present here a roadmap for tackling cyber-physical security in AB. Our aim is to focus on RA, security metrics, intrusion detection, threat modelling, and simulation. The audience are cybersecurity officers and building managers overviewing the vulnerability and threat landscape posed by AB. In terms of RA, we describe major methodologies from accredited institutions and complement the research with established cybersecurity risk factors behind AB designs. The novelty of our approach concerns infrastructures with active energy agents under coupled power and telecommunication networks. These architectures have sizeable DER attached in LVDG, so one must observe the cyber-physical security implications and the potential attack surface. Our work points out the overlap of AB with usual SG designs with respect to cybersecurity as we survey related mechanisms and technologies to address effective RA.
The chapter is organised as follows. Section 2 describes Active Buildings and Section 3 details cyber-physical security of SG and CPS, discussing its application to AB. Section 4 presents a research roadmap and suggestions to tackle cybersecurity across AB domains, and Section 5 concludes the work with our final considerations. Figure 1 serves as a visual guide to readers, outlining the topics covered in our chapter.
FIGURE 1 Overview of topics covered by this work.
2 | Active Buildings

Electrical Power Grids (EPG) are responsible for delivering high-quality energy to consumers across power Generation, Transmission, and Distribution (GT&D). AB are "buildings to sustain a country's energy infrastructure" [ ] on top of EPG. They operate as a grid-connected microgrid handling bi-directional energy flows with respect to conservation, generation, storage, and release of power. AB contrast with traditional (centralised) approaches in GT&D by presenting a decentralised infrastructure operating in smaller contexts for increased control.
The core idea behind AB is flexibility [ ]: a shift from passive energy consumers to active entities that efficiently respond to supply and demand for optimal grid stability. As millions of potential energy subscribers attach their RER to the infrastructure, buildings may act as agents for managing resilience while reducing dependence on high-pollutant conventional power generators. As a direct consequence, the carbon footprint generated by buildings diminishes considerably, with effects cascading across national and international boundaries (footnote 7).
Energy operators achieve frequency regulation [ ] in the grid by employing a number of strategies, namely i) toggling electricity in power plants; ii) shaping user behaviours, thus curtailing electricity through pricing incentives; iii) importing or exporting electricity with close geographical neighbours; iv) employing load shedding mechanisms, i.e. partially disconnecting a region from the grid; and v) increasing electricity storage capacity with batteries (static or EV) [ ]. Figure 2 depicts the major components of AB, i.e., CPS and IoT, ICS [ ], and SCADA, where IS aggregate data from different sources for timely decision making [6].
FIGURE 2 Architectural overview of AB and CPS. (Labels legible from the figure: Conserve; ESS; Mobile (EV); Market; Prosumers; Energy providers.)
AB attach and manage DER across locations where installed ESS capacity helps tackle renewable energy intermittency, providing 'around the clock' electricity to customers [ ]. They leverage power release and storage employing optimisation strategies that consider season, weather forecasts, time of day, and energy profiles. AB interface with the energy market in bidding and committing energy contracts. Ubiquitous telecommunication guarantees near real-time state estimation for control and response, while cybersecurity measures in place have the potential to isolate the effects of incidents and avoid propagation.
The major stakeholders of AB are i) building managers: people working in the OCC who assess data provided by Building Management Systems (BMS), Building Energy Management Systems (BEMS), Advanced Metering Infrastructure (AMI) [ ] specialists, and SCADA operators; ii) decision makers and procurement officers acquiring power equipment or supporting ICT systems, and compliance officers overseeing regulations dictated by the ESO; iii) security officers addressing conformance in safety and security, accountability and digital forensics, privacy protections, Network Intrusion Detection Systems (NIDS), and network administrators; iv) incident response teams in attack remediation; and v) aggregators, energy suppliers in wholesale and retail, prosumers, and application developers implementing solutions on top of the infrastructure.

(7) The UK's National Grid Electricity System Operator (ESO) published a document entitled Operability Strategy Report 2021 in December/2020 with comments on existing frequency response services, voltage requirements, and grid stability. Link: publications/system-operability-framework-sof.
Figure 3 shows a schematic for AB where the power and the telecommunication networks are dissimilar, and power may be dispatched or aggregated by the set of DER.
FIGURE 3 AB schematic for power and telecommunication, components, and systems. (The figure's node labels, e.g. AB#9 and AB#10, are not reproduced here.)
The AB infrastructure is not immune to malicious incursions. We detail next a few notable cybersecurity concerns [ ] and NISTIR 7628 recommendations [ ] particular to IS and cybersecurity requirements for the SG.
Business proposition: trading energy, procurement (suppliers), generation, and consumption, impacting market
Data and communication: invalid readings/measurements from devices. Adversaries may corrupt or delay data traversing the telecommunication network, jam exchanges, or insert spurious packets.
Components and IS: attackers inputting corrupted data into CPS, IoT, and SCADA elements, BMS/BEMS.
Optimality: the AB environment is supported by several systems, so attacks aiming at the control algorithms executing on top of the infrastructure may cause critical responses to be wrongly assigned with catastrophic
Synchronised incursions: attackers may install malicious firmware in high-wattage devices in attempts to imbalance frequency through synchronised actions, i.e. simultaneously turning them on or off (refer to Section 3.1).
Legacy systems: retrofitting buildings may increase vulnerabilities and pose new threats as customers attach DER or smart appliances. They may disregard basic cybersecurity measures (e.g. plugging in unsigned devices), practise lax systems maintenance (patching, updates), inadvertently install malicious firmware, or fall victim to phishing attacks [17].
Other sources of concern are Advanced Persistent Threats (APT) [ ] and Load Redistribution Attacks (LRA) [ ], which are hard to track and to trace to their sources, often requiring long-duration tracking and historic datasets. APT have devastating consequences for EPG [ ], as attackers may patiently gather data on grid responses through long-term surveillance and hostile reconnaissance. They are more destructive than usual attacks as they may involve large organisations or state-sponsored agents exploiting back-doors in CPS or other vulnerable assets [ ]. Honeypots and continuous auditing are known countermeasures that may help identify and contain APT.
2.1 | Attack surface
AB bring together energy and ICT infrastructure, connecting and upgrading Smart Buildings (SB) to co-exist in an active P2P environment. SB are a data-centric approach where cyber-physical structures are intertwined with sensing capabilities, intelligent systems, and feedback loops. They allow for the remote management of assets, ensuring inhabitants' comfort considering thermodynamics and automatically adapting to weather conditions and luminosity, among other features.
Under AB, one must distinguish security in the power-systems sense, i.e. the set of contingencies in place in the event of faults, from cybersecurity incidents that exploit the system's vulnerabilities and threats. Standardisation institutes such as the North American Electric Reliability Corporation (NERC) in the USA and the European Programme for Critical Infrastructure Protection (EPCIP) have defined security measures and contingencies for power systems. For example, EPG are designed to sustain the N-1 single contingency criterion (footnote 8) to meet reliability constraints (there are other contingencies to address, out of the scope of this work). This means that the system admits a single failure and remains operating.
The AB infrastructure must withstand cybersecurity incidents by implementing and enforcing security requirements [ ]. Adversaries (footnote 9) target cyber-physical elements, exploiting vulnerabilities. The reasons behind attacks are usually related to competitive advantage, industrial espionage (or state-sponsored agents), energy theft (monetary incentives or ransomware), technical challenge, or terrorism. Adversaries attempt to destabilise operation, cause components to fail, exploit vulnerabilities, increase downtime, or impair communications [6].
AB present a large attack surface for adversaries due to the sheer size of their infrastructure, as shown in Figure 4. Telecommunication is pervasive across AB, and attackers attempt to maliciously influence the major AB objectives on power conservation, generation, storage, release, or a combination of them for greater damage. The peers interface with the energy market, so adversaries have financial incentives (or other motives) as they try to artificially alter electricity
2.2 | Interfacing with the transactive energy market
The AB are connected to the energy market, where prices fluctuate according to supply and demand. Transactive Energy (TE) aims to coordinate DER to react to energy prices and system conditions, which could be used in frequency regulation [ ]. The idea is to use the market to shape demand through dynamic pricing mechanisms. The ESO interacts with the systems using middleware capabilities offered by a layer known as the Virtual Power Plant (VPP) to communicate with deployed field devices.
The VPP also coordinates interactions with Distribution System Operators (DSO), Transmission System Operators (TSO), Independent System Operators (ISO), and Regional Transmission Organisations (RTO) when submitting energy bids and commitments [ ]. The VPP triggers actions to access DER scattered across locations, turning buildings into actual power plants [ ]. From a cybersecurity perspective, the VPP is a high-value target due to the amount of IS it encompasses as well as its responsibility to command DER in a timely manner.

(8) Please refer to NERC Standard 51, Transmission System Adequacy and Security (2005). Link:
(9) The 'adversary' or 'attacker' definition in use here is based on the Categories of Adversaries to IS described in NISTIR 7628r1: careless/poorly trained employees, malicious customers, insiders, organised crime, nation states, disgruntled employees, terrorists, script kiddies, hacktivists, black/white hat hackers.

FIGURE 4 Attack surface of AB and cybersecurity. (Labels legible from the figure: Batteries, Static, rechargeable batteries, electric vehicles; Solar Panels, Wind Turbines; Dynamic pricing, Prosumers; Thermodynamics, Comfort; Release, Trade excess, Ancillary services; Monitoring, Executing, Retrofitting, Updating; Malicious attacks or security incidents; Smart Grid, ICT.)
Figure 5 shows a typical OCC for AB serving as an interface for the market and energy operators as well as the VPP coordinating DER [ ]. The OCC for AB monitors the infrastructure and coordinates responses in the event of
This architecture is flexible enough to accommodate changes as the stakeholders see fit to mitigate attacks, prevent vulnerabilities, and harden the infrastructure against attacks. The VPP is fed by IS installed within the AB infrastructure. Energy operators keep nominal frequency around 50 Hz (the UK's National ESO admits a 1% variation) to avoid disconnecting parts of the grid, which is used as a last resort. Control systems in EPG perform Load Frequency Control (LFC), responsible for maintaining the balance between load and generation in the power grid [ ]. The cybersecurity modules in the VPP update their systems with recent vulnerabilities and weather forecasts. SCADA devices are responsible for providing data from devices deployed away from the OCC [ ]. Phasor Measurement Units (PMU) monitor frequency, whereas Remote Terminal Units (RTU) relay data in the network to Master Terminal Units (MTU).
FIGURE 5 OCC for AB managing power loads with the VPP across DER and energy operators in a grid-connected
3 | Cyber-physical security

Cyber-physical security encompasses a wealth of techniques to protect systems and customers. Next, we present an overview of cybersecurity in the SG, RA, intrusion detection, threat modelling, security metrics, and co-simulation of incidents in AB.
3.1 | Overview of Smart Grid cybersecurity
We present here a cybersecurity overview and list related work on CPS and ICS [ ] that could be borrowed for adaptation and application in AB. Authors compartmentalise the complex infrastructure of the SG and focus effort on more manageable parts, e.g., CPS, IoT, smart homes, IS, and synchronised attacks.
Usual attacks perpetrated on network components in EPG are Man-in-the-Middle (MiTM), Denial-of-Service (DoS, or its distributed variant DDoS), eavesdropping, jamming, spoofing, and packet flooding, to mention a few [ ]. Another class of malicious events are zero-day attacks, where adversaries choose targets not yet patched against a recently discovered security vulnerability, which may compromise resources and quickly propagate across the network. Radhakrishnan et al. [ ] compiled a list of zero-day and malware incursions over past years, discussing detection and mitigation.
Over the recent past, security breaches targeting energy have caused major disruption and blackouts. Attacks targeting energy infrastructure caused severe financial losses and even physical damage to components. One example is the Stuxnet worm that attacked SCADA systems in late [ ], significantly interrupting the progress of the Iranian nuclear programme [ ]. Another malicious incursion of massive proportions was the attack on the Ukrainian power grid that blacked out large portions of the infrastructure: supply was restored within hours, but the affected distribution operators were forced to run substations manually for months afterwards. Other examples include Duqu, Red October, Dragonfly 2.0 and Black Energy [44, 35].
SG has a broad scope, so we will focus on CPS, IoT, data, and smart homes.
CPS: We highlight the work of Humayed et al. [ ], who discussed security of CPS with examples in ICS, SG, healthcare, and EV. For each CPS it breaks down the cyber and the physical part, showing the propensity for attacks on each component, discussing major threats and listing vulnerabilities. The work concludes by presenting real-world attacks with targets, impacts, preconditions, mitigation strategies, and methods used by adversaries.
He and Yan [ ] commented on attacks and defences in the SG, listing vulnerabilities and security issues in energy generation and transmission. The work focused on electrical issues arising in the SG, describing energy management systems in detail, LRA, switching attacks in the market, and attacks on PMU. For defence, it listed countermeasures such as protection, detection, and coordinated mitigation. Ashibani and Mahmoud [ ] explained the differences between CPS and IoT as well as their shared characteristics. They also addressed security in three layers common in CPS, namely i) perception layer; ii) transmission layer; and iii) application layer. For the most common types of attacks they related security with countermeasures for combating malicious events.
IoT security: IoT research, protocols, technologies, privacy, safety, and security are the topic of many surveys and literature reviews, with a significant increase in recent years [ ] across CPS (transportation systems, smart cities, SG, ICS, and SB). Emmanuel and Rayudu [ ] addressed communication issues aligned with the IEEE Guide for SG Interoperability and NIST standards, commenting on protocols for media access and governance issues.
Lin et al. [ ] discussed the integration of IoT in edge/fog computing and its relationship with CPS. They also presented the enabling technologies behind IoT to realise a trustworthy cyber-physical world, with opportunities for stakeholders to address cybersecurity, privacy, resilience, and research challenges. Gunduz and Das [ ] surveyed cybersecurity in the SG's IoT. The authors evaluated cyber-attacks in the communication layer and explained defence strategies. They listed a wealth of research on attacks directed at the SG and detailed threats and countermeasures.
Smart Homes: Heartfield et al. [ ] discussed attack vectors using IoT technologies in smart homes, major CPS threats, and impact. Other security aspects are of interest in smart homes, such as the discussion in Lin and Bergmann [ ] that tackled privacy of IoT and compared enabling technologies.
Data: Authors described how to deal with False Data Injection (FDI) attacks [ ] to prevent storing data with outliers or skewed measurements [ ]. For mitigation, alternatives are Deep Learning [ ] or Kalman filters [ ]. Paté-Cornell et al. [ ] presented a risk analysis using statistical data for quantitative assessments in critical infrastructures. They discussed three case studies: i) a Bayesian Network for high-impact attack scenarios; ii) risk analysis of connectivity; and iii) software upgrade decisions to thwart attacks, countermeasures, and anticipation when dealing with malicious
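The Kalman-filter mitigation for FDI mentioned above can be shown with a scalar filter and an innovation gate. The block below is an added example and not code from this chapter or from the works it cites. The measurement stream (a slowly ramping feeder power reading in kW with a small deterministic ripple standing in for sensor noise), the random-walk process model, and the parameters q = 0.5 kW^2, r = 1 kW^2 and a 3-sigma gate are all constructed assumptions. A reading whose normalised innovation exceeds the gate is flagged and not used to update the state, so one injected value cannot drag the estimate and trigger a false alarm on the next honest reading.

```python
import math

# Constructed sample data: feeder power (kW) ramping at 0.5 kW per sample with
# a 0.3 kW ripple, plus two injected false readings. Not measured data.
INJECTIONS = {20: +25.0, 35: -25.0}   # sample index -> injected offset (kW)


def build_series(n=50, inject=True):
    """Return the constructed measurement stream z_0 .. z_{n-1}."""
    z = [100.0 + 0.5 * t + 0.3 * math.sin(1.7 * t) for t in range(n)]
    if inject:
        for idx, delta in INJECTIONS.items():
            z[idx] += delta
    return z


def detect_false_data(series, q=0.5, r=1.0, threshold=9.0):
    """Scalar Kalman filter with a random-walk model and an innovation test.

    q: process noise variance (kW^2), how far the true value may drift per sample
    r: measurement noise variance (kW^2)
    threshold: gate on the normalised innovation squared nu^2 / S
               (9.0 is a 3-sigma gate)
    Returns (flagged_indices, estimates). Flagged readings are rejected:
    the prediction is kept as the state so the injection does not poison it.
    """
    x_hat = series[0]          # state estimate, seeded from the first reading
    p = r                      # variance of the estimate
    flagged, estimates = [], [x_hat]
    for k in range(1, len(series)):
        # Predict: random walk, mean unchanged, variance grows by q.
        x_pred, p_pred = x_hat, p + q
        # Innovation (residual) and its variance.
        nu = series[k] - x_pred
        s = p_pred + r
        if nu * nu / s > threshold:
            flagged.append(k)
            x_hat, p = x_pred, p_pred          # reject reading, keep prediction
        else:
            gain = p_pred / s
            x_hat = x_pred + gain * nu         # standard Kalman update
            p = (1.0 - gain) * p_pred
        estimates.append(x_hat)
    return flagged, estimates


if __name__ == "__main__":
    flagged, est = detect_false_data(build_series())
    print("flagged sample indices:", flagged)          # expect [20, 35]
    print("final estimate (kW):", round(est[-1], 2))
```

The gate catches abrupt injections only. An adversary who knows the process model can craft a sequence of readings that stays inside the gate (the stealthy FDI of the literature cited above), so a residual test is a first line of defence rather than a proof of data integrity; corroboration from redundant sensors or physically related measurements is still needed.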
Synchronised attacks in the SG: Attackers may compromise low-security or outdated software of smart appliances attached to high-wattage devices and mount synchronised attacks. Adversaries choose the most susceptible schedule (e.g. peak hours) to switch on or off a massive number of heating/cooling units, water heaters, or pumps simultaneously. They try to imbalance frequency, as the system will not be able to cope with the extra load at such short notice. Examples covered in the literature include BlackIoT [ ], Load Changing Attacks (LCA) [ ], Manipulation of Demand (MAD) [ ], flash attacks [ ], and switching attacks [ ]. Arnaboldi et al. [ ] used Markov Chains to model LCA and investigate an appropriate mix of power generation units. Grid-connected microgrids are susceptible to LCA as they could imbalance frequency; however, Huang et al. [ ] argued that existing contingencies may in fact thwart such attacks.
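The synchronised load attacks above and the frequency argument of Section 2.2 (50 Hz nominal, 1% tolerance) can be put on a numerical footing with a lumped single-bus swing model. The block below is an added example, not code from this chapter or from the cited works. The parameters (inertia constant H = 5 s, load damping D = 1 pu/pu, 5% governor droop, 0.5 s governor time constant, a 1500 MW system base, 3 kW per compromised appliance) are illustrative assumptions, not UK grid values. It computes the frequency nadir for a given load step and, because the model is linear, the size of botnet needed to push the nadir out of the 1% band.

```python
import math

F0 = 50.0  # nominal system frequency (Hz)


def attack_step_pu(n_devices, kw_each, system_mw):
    """Synchronised load step in per unit of the system base: n_devices
    compromised appliances of kw_each kW switched at the same instant
    against a system of system_mw MW (all values are assumptions)."""
    return n_devices * kw_each / 1000.0 / system_mw


def simulate_frequency(step_pu, h=5.0, d=1.0, droop=0.05, t_gov=0.5,
                       t_end=20.0, dt=0.01):
    """Lumped single-bus frequency response to a sudden load step.

    Per-unit swing equation:      2*h * df/dt = p_m - step_pu - d*f
    Primary response, 1st order:  t_gov * dp_m/dt = -f/droop - p_m
    f is the frequency deviation in pu of F0, p_m the change in mechanical
    power. h (s), d (pu/pu), droop and t_gov (s) are illustrative defaults.
    Forward Euler integration. Returns the lowest frequency reached
    (nadir_hz), when it occurs (t_nadir_s) and the initial rate of change
    of frequency (rocof_hz_s).
    """
    f, p_m = 0.0, 0.0
    nadir, t_nadir = 0.0, 0.0
    for k in range(int(t_end / dt)):
        df = (p_m - step_pu - d * f) / (2.0 * h)
        dp = (-f / droop - p_m) / t_gov
        f += df * dt
        p_m += dp * dt
        if f < nadir:
            nadir, t_nadir = f, (k + 1) * dt
    return {
        "nadir_hz": F0 * (1.0 + nadir),
        "t_nadir_s": t_nadir,
        "rocof_hz_s": -step_pu * F0 / (2.0 * h),  # analytic slope at t = 0
    }


def devices_to_breach(limit_hz, kw_each, system_mw, **params):
    """Smallest botnet of kw_each-kW devices whose synchronised switching
    drives the nadir below F0 - limit_hz. The model is linear in step_pu,
    so the 1 pu response is scaled rather than searched."""
    nadir_per_pu = F0 - simulate_frequency(1.0, **params)["nadir_hz"]
    step_pu = limit_hz / nadir_per_pu
    return math.ceil(step_pu * system_mw * 1000.0 / kw_each)


if __name__ == "__main__":
    # 10,000 compromised 3 kW heaters against a 1500 MW system (assumed).
    step = attack_step_pu(10_000, 3.0, 1500.0)
    r = simulate_frequency(step)
    print(f"step {step:.3f} pu: nadir {r['nadir_hz']:.2f} Hz at "
          f"{r['t_nadir_s']:.2f} s, RoCoF {r['rocof_hz_s']:.2f} Hz/s")
    # Botnet needed to leave the 1% (0.5 Hz) band of the text.
    print("devices to breach 49.5 Hz:", devices_to_breach(0.5, 3.0, 1500.0))
```

The model has no network, no under-frequency load shedding, no RoCoF protection and no fast frequency response from inverters or batteries, all of which are the contingencies the text credits with thwarting LCA; with the assumed parameters a 2% load step stays well inside the band while a 30% step breaches it within about a second. What the example shows is the kind of margin calculation behind that argument: the tolerable botnet scales with system size and inertia, and an islanded AB microgrid with little inertia has far less margin than the interconnected grid.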
Surveys in security: A wealth of surveys has been published over the years. We highlight Giraldo et al. [ ], tackling privacy issues, and a survey from a control perspective on attack detection in ICS [ ]. There are also surveys combining the strengths of SG and smart homes' cybersecurity [67] and a comprehensive review of NIDS research in CPS [68].
3.2 | Risk assessments
This topic has been discussed over the years as standards, methodologies, frameworks, and tools emerged. Next, we present related work on RA along these dimensions.
Standards: Over the years, analysts, managers, and researchers have placed security as a significant and crucial aspect of future EPG. They have defined a significant number of standards to help stakeholders conduct RA in organisations, tailoring their approach according to the objective. Leszczyna [ ] surveyed standards and discussed their relationships, advantages, and drawbacks, highlighting [ ] relevant publications over standards and guidelines published by NIST,
RA methodologies: Gritzalis et al. [ ] selected popular frameworks such as Expression des Besoins et Identification des Objectifs de Sécurité (EBIOS), MEthod for Harmonized Analysis of RIsk (MEHARI), Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE), IT-Grundschutz, Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información (MAGERIT), Central Computing and Telecommunications Agency Risk Analysis and Management Method (CRAMM), Harmonized Threat Risk Assessment (HTRA), NIST SP 800, RiskSafe, and CORAS for a numerical comparative analysis using multi-criteria decision methods. Of those, EBIOS, MEHARI, HTRA, NIST SP 800-30, and CORAS are free, whereas the other methodologies demand a fixed or variable fee.
The authors employed risk calculation classes, i.e. high-level formulas that combine quantitative indices according to a methodology or standard, following previous work by Zambon et al. [ ]. In each formula an operator (written ∘ below) combines two factors, as shown in Table 1.

TABLE 1 Risk classes and risk calculation formulas according to cybersecurity characteristics. T is a Threat, A an Asset, R a security Requirement, and I an Incident; ∘ is the methodology's combination operator.

Class   Risk calculation
A       Risk(T, A) = Likelihood(T, A) ∘ Vulnerability(T, A) ∘ Impact(T, A)
B       Risk(T, A, R) = Vulnerability(T, A, R) ∘ Impact(T, A, R)
C       Risk(T, A) = Annual Loss Expectancy(T, A) = Likelihood(T, A) ∘ Average Loss(T, A)
D       Risk(T, Critical A) = Vulnerability(Critical A) ∘ Impact(T, Critical A)
E       Risk(I) = Likelihood(I) ∘ Consequences(I)

Class A uses threats and assets over likelihood, vulnerability, and impact, whereas Class B adds security requirements to the formula. Class C adds costs and losses, and Class D considers only critical assets. Class E includes incidents in the infrastructure and their consequences. For the authors, MEHARI, MAGERIT, CRAMM, HTRA, NIST SP 800, and RiskSafe are Class A, whereas EBIOS is Class B, OCTAVE is Class D, and IT-Grundschutz is Class E.
Information Security Risk Assessment (ISRA) deals with threats, vulnerabilities, and risks associated with IS. Throughout the years several approaches emerged for organisations [ ], such as NIST SP 800-30, ISO/IEC 27005, CRAMM, Facilitated Risk Assessment Process (FRAP), Consultative, Objective and Bi-functional Risk Analysis (COBRA), CORAS, Microsoft's Risk Assessment model, and OCTAVE/OCTAVE Allegro.
The European Network and Information Security Agency (ENISA) has compiled an inventory of risk assessment tools (footnote 10). The inventory (January/2021) lists tools with attributes describing their major characteristics and templates.
(10) Link: risk-management.
More specifically to NISTIR 7628, Abercrombie et al. [20] have proposed an RA for the SG.
Dependability issues: Chemweno et al. [ ] related dependability modelling using Failure Mode and Effect Analysis, Fault Tree Analysis, Stochastic Petri Nets, Bayesian Networks, and Monte Carlo methods. Nagaraju et al. [ ] discussed benefits and limitations of risk-based modelling using fault and attack trees.
RA in CPS/IoT: Cherdantseva et al. [ ] discussed SCADA in a literature review. They divided case studies into formula-based and model-based approaches. For risks in the SG, the European research initiative Security for Smart Electricity Grids (SEGRID) aims to increase protection against attacks. A framework emerged from comparing pre-existing methodologies, the SEGRID Risk Management Methodology (SRMM) [ ]. SRMM is based on the European Telecommunications Standards Institute's (ETSI's) Threat, Vulnerability and Risk Analysis (TVRA) method. Teixeira et al. [ ] discussed networked control systems in coupled systems using NIST's Risk Management Framework, whereas Mace et al. [ ] investigated a real-world case study performing an RA in a SB, detailing challenges and lessons learned.
With respect to RA in IoT, Nurse et al. [ ] discussed emerging issues such as connectivity and pervasiveness of devices. Radanliev et al. [ ] studied the economic impact of risks using different approaches, and Casola et al. [ ] investigated automated threat assessment and risk modelling.
3.3 |Security metrics
The approaches in Table 1 do not quantify the actual security of a building. For building designers this is usually unsatisfactory, since they need to determine whether the security techniques under consideration are sufficient, or they need to trade off cybersecurity against other system properties such as reliability and performance. In this section we review a few security metrics proposed in the literature.
A key metrics-based tool for computer systems security professionals is the Common Vulnerability Scoring System (CVSS) [ ], used in conjunction with the US National Vulnerability Database (NVD). The NVD tracks publicly disclosed vulnerabilities, reported by industry and individuals, and scores each of them using CVSS. Such scoring is important for practitioners, since the numeric score gives an immediate appreciation of the severity and potential impact of a vulnerability. The NVD, run by NIST, builds on the Common Vulnerabilities and Exposures (CVE) list of identifiers maintained by the MITRE Corporation, enriching each CVE entry with a CVSS score.
Cybersecurity practitioners use periodic lists of 'top' vulnerabilities to guide their activities, prioritising the most urgent threats according to their CVSS scores. Details of CVSS can be found in the standard, now at version 3.1, but the main thrust is that the score is derived from an analyst's assessment of metrics such as the attack vector and complexity, the privileges and user interaction required, and the impact on confidentiality, integrity, and availability. Vulnerabilities with higher scores are of more immediate concern to the cybersecurity team that manages IS, for instance in a SB. One caveat is that the base score measures the intrinsic severity of the flaw, not the risk it poses to a particular deployment; CVSS provides temporal and environmental metrics to adjust the base score to the local context, and these should be used when ranking fixes for a given building.
A quite different approach, also of practical importance, is to score the cybersecurity activities carried out, i.e., how well protected the ICT system is. For instance, in a SB one can count the percentage of devices whose firmware or software has been updated in the last month. The NIST Performance Measurement Guide for Information Security provides a useful introduction to such approaches, albeit not tailored to SB. As its authors point out, such performance quantification is particularly useful if it can be integrated with risk management. However, establishing this relation between security activities and their impact on risk is usually far from straightforward and requires further research.
11 National Vulnerability Database.
12 Common Vulnerabilities and Exposures.
13 CVSS v3.1: Specification Document.
14 NIST SP 800-55r1, 2008.
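The two kinds of metric just described, a vulnerability score and a patch-currency percentage, can be computed side by side. The following Python example is added here and is not code from the chapter, from FIRST or from NIST: it implements the published CVSS v3.1 base-score equations (metric weights and the round-up rule from the v3.1 specification) and applies them to a constructed inventory. The device names, firmware build numbers, dates and the ADV-… advisory identifiers are all made up for illustration and are not real CVEs; the example gives each device its worst unpatched base score alongside the percentage of devices updated within the last 30 days.

```python
import math
from dataclasses import dataclass
from datetime import date

# CVSS v3.1 base-metric weights (FIRST specification, section 7.4).
_AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
_AC = {"L": 0.77, "H": 0.44}
_PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
_PR_CHANGED = {"N": 0.85, "L": 0.68, "H": 0.50}   # PR weighs more when scope changes
_UI = {"N": 0.85, "R": 0.62}
_CIA = {"H": 0.56, "L": 0.22, "N": 0.0}


def _roundup(value: float) -> float:
    """Round up to one decimal with the integer arithmetic the spec mandates,
    so that floating-point noise such as 4.000001 still yields 4.0."""
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def cvss31_base_score(vector: str) -> float:
    """Base score for a vector such as 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'."""
    m = dict(part.split(":") for part in vector.split("/")[1:])
    scope_changed = m["S"] == "C"
    pr = (_PR_CHANGED if scope_changed else _PR_UNCHANGED)[m["PR"]]
    iss = 1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if scope_changed else 6.42 * iss
    exploitability = 8.22 * _AV[m["AV"]] * _AC[m["AC"]] * pr * _UI[m["UI"]]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    return _roundup(min(1.08 * total if scope_changed else total, 10))


@dataclass(frozen=True)
class Advisory:
    ident: str        # hypothetical advisory id, not a real CVE
    product: str
    fixed_in: int     # first firmware build that contains the fix
    vector: str


@dataclass(frozen=True)
class Device:
    name: str
    product: str
    firmware: int
    last_update: date


# Constructed sample data for a small smart building (not real products).
ADVISORIES = [
    Advisory("ADV-2021-0001", "gateway-x", 120, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"),
    Advisory("ADV-2021-0002", "gateway-x", 118, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"),
    Advisory("ADV-2021-0003", "meter-y", 45, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"),
]
DEVICES = [
    Device("gw-floor1", "gateway-x", 121, date(2021, 1, 20)),
    Device("gw-floor2", "gateway-x", 119, date(2020, 11, 2)),
    Device("meter-lobby", "meter-y", 44, date(2020, 6, 15)),
    Device("meter-plant", "meter-y", 45, date(2021, 1, 5)),
]
AS_OF = date(2021, 1, 31)   # assumed reporting date for the constructed data


def device_exposure(device: Device, advisories=ADVISORIES) -> float:
    """Highest base score among advisories the device has not yet patched."""
    open_scores = [cvss31_base_score(a.vector) for a in advisories
                   if a.product == device.product and device.firmware < a.fixed_in]
    return max(open_scores, default=0.0)


def patch_currency(devices, today: date, window_days: int = 30) -> float:
    """Percentage of devices updated within the last `window_days`: the kind of
    activity metric NIST SP 800-55 describes, here for firmware updates."""
    recent = sum(1 for d in devices if (today - d.last_update).days <= window_days)
    return 100.0 * recent / len(devices)


if __name__ == "__main__":
    for d in DEVICES:
        print(f"{d.name:12s} firmware {d.firmware:4d} worst open base score {device_exposure(d):4.1f}")
    print(f"devices updated in last 30 days: {patch_currency(DEVICES, AS_OF):.0f}%")
```

The two numbers answer different questions: the exposure column says how bad the worst unpatched flaw on each device is, while the patch-currency percentage says how well the update process is working; the environmental metrics mentioned above would be the place to fold in what an exploited gateway actually means for this building.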
Thus far, the security metrics in this section provide a static measure of the state of security, either by considering the vulnerabilities that are present or the mitigating actions that have been taken. This emphasis on static metrics implies that there is still a gap in identifying measures that can support decision making related to the dynamics of the system, e.g., to make technology trade-offs between security and system efficiency or security and
To alleviate this shortcoming, researchers have proposed metric frameworks to incorporate security considerations in the design of networked IS, such as those for SB. In particular, Ramos et al. [ ] provide an extensive and exhaustive survey and discussion of metrics that consider security within dynamic systems, including the notion of Quality of Protection. Metrics such as Quality of Protection typically assume model-based assessment approaches, executed in the design phases, to configure and dimension ICT systems. Nicol et al. [ ] as well as Ramos et al. [ ] survey modelling techniques, both with and without a representation of time. Security breaches and incidents are represented in the model as system artefacts, similar to software failures and system malfunctions [ ]. In so doing, the impact of security on traditional performance and dependability metrics can be assessed.
In conclusion, there is no 'silver bullet' metric that meaningfully captures system security for all situations. Instead, the literature either proposes static metrics that quantify the level of vulnerability or of mitigating actions, or refers back to traditional performance and dependability metrics. In the latter case, security techniques as well as attack patterns are represented within the model, not in the metric. Clearly, significant research challenges remain in connecting the various approaches, for instance relating vulnerability metrics to SB risk management equations, and security management investments in buildings to their impact on the system's combined Quality of Service and Quality of Protection.
3.4 |Intrusion detection
With the rapidly growing market for IoT devices and the significant advances in CPS, Network Intrusion Detection Systems (NIDS) have come to play a major role in cybersecurity solutions [ ]. They are designed to safeguard computer systems from a diverse range of malicious activities and attacks.
NIDS designs are divided into three classes: i) anomaly-based [ ], ii) signature-based [ ], and iii) [ ]. One of the main issues is detecting new threats, or known threats that have been slightly modified, and how such modifications alter their effect on network traffic. For example, Shenfield et al. [ ] used Artificial Intelligence (AI) algorithms, namely artificial neural networks applied to deep packet inspection, trained to detect malicious network traffic.
Research focuses primarily on comparing NIDS with one another rather than on evaluation methods that identify the advantages and disadvantages of a given approach and whether it meets requirements. Next, we present a list of evaluation criteria to measure NIDS performance and identify open research questions.
Identification of threats: IoT and CPS environments encompass a range of devices and sensors connected over a wide range of networks. Accounting for all types of intrusion is a challenge, which brings hybrid NIDS covering both the network and the devices into focus. Reporting every detected threat to an operator is impractical, so detections should be ranked by class and priority. For instance, Snort attaches a numeric priority to every rule through its classification keywords, so that low-priority alerts can be logged and handled by the NIDS alone, whereas alerts at the highest priority represent major threats requiring analyst intervention.
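As an added example (not code from the chapter or from the Snort project), the following Python script shows this kind of ranking applied to Snort's one-line 'alert_fast' output: it parses each line, escalates alerts whose rule priority is 1 or 2 (in Snort a lower number denotes a more severe class) and rolls the rest up into per-rule counts so that a sweep producing hundreds of identical low-priority alerts becomes one line in the report. The alert lines, rule ids (sid 1000001 onwards, the range Snort reserves for locally written rules), addresses and the BEMS/Modbus scenario are constructed for a small building network.

```python
import re
from collections import Counter

# Shape of a Snort alert_fast line (one alert per line):
# 01/05-14:02:11.123456  [**] [gid:sid:rev] message [**] [Classification: text] [Priority: N] {PROTO} src -> dst
_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)

# Constructed sample: three noisy sweep alerts, one critical, one medium, one junk line.
SAMPLE_ALERTS = """\
01/05-14:02:11.123456  [**] [1:1000001:1] ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.1
01/05-14:02:12.223456  [**] [1:1000001:1] ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.2
01/05-14:02:13.323456  [**] [1:1000001:1] ICMP echo sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 10.0.0.3
01/05-14:03:40.000001  [**] [1:1000002:2] Modbus write to BEMS controller from non-HMI host [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:51000 -> 10.0.1.20:502
01/05-14:05:02.500000  [**] [1:1000003:1] Firmware update service on non-standard port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.7:40000 -> 10.0.1.30:8443
01/05-14:05:03.000000  this line is not an alert and must be skipped
"""


def parse_alert(line: str):
    """Return a dict of fields for a well-formed alert line, or None otherwise."""
    m = _ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    fields["sid"] = int(fields["sid"])
    return fields


def triage(text: str, escalate_at: int = 2):
    """Split alerts into those needing an analyst and those merely counted.

    Returns (escalated, suppressed, skipped): `escalated` holds every alert with
    priority <= escalate_at, most severe first; `suppressed` maps
    (priority, sid, message) to an occurrence count; `skipped` counts lines
    that did not parse as alerts (they should be investigated separately,
    since a sensor emitting garbage is itself a finding).
    """
    escalated, suppressed, skipped = [], Counter(), 0
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            skipped += 1
        elif alert["prio"] <= escalate_at:
            escalated.append(alert)
        else:
            suppressed[(alert["prio"], alert["sid"], alert["msg"])] += 1
    escalated.sort(key=lambda a: (a["prio"], a["ts"]))
    return escalated, suppressed, skipped


def report(text: str, escalate_at: int = 2) -> str:
    """Human-readable summary: escalated alerts one per line, the rest rolled up."""
    escalated, suppressed, skipped = triage(text, escalate_at)
    lines = [f"{len(escalated)} alert(s) need analyst attention:"]
    for a in escalated:
        lines.append(f"  [P{a['prio']}] sid {a['sid']} {a['msg']}: {a['src']} -> {a['dst']}")
    lines.append("Lower-priority alerts rolled up by rule:")
    for (prio, sid, msg), n in sorted(suppressed.items()):
        lines.append(f"  [P{prio}] sid {sid} {msg}: {n} occurrence(s)")
    lines.append(f"{skipped} unparsed line(s) skipped")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ALERTS))
```

The escalation threshold is a policy knob: in a VPP the Modbus write from an unexpected host (priority 1) should reach a person immediately, while the echo sweep is worth knowing about only as a count and a source address.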
Scalability and Adaptability: As infrastructures grow over time, so does the amount of control and monitoring needed to keep the NIDS updated with new occurrences. A NIDS should therefore adapt to changing attack strategies and scale to cover additional devices and networks. This includes operating multiple NIDS across a wide range of sub-systems and combining their reports for decision making and traceability. An adaptable NIDS can accommodate additional components or changes in the environment, and be customised to meet new requirements or to enforce a stricter level of security on selected networks.
15 Snort Network Intrusion Detection and Prevention System.
Known vulnerabilities: A core responsibility of a NIDS is to detect (and, when deployed inline as an intrusion prevention system, block) attempts to exploit known vulnerabilities. Unfortunately, recent research has highlighted that many commercial NIDS fall short of this, the reason given being the failure to swiftly update signatures as vulnerabilities are discovered [ ]. As discussed in Section 3.3, many of these vulnerabilities are well known to the security community. The cybersecurity module in the VPP must keep the NIDS constantly updated and periodically review recent and past exploits. The zero-day attack is the limiting case: adversaries exploit a vulnerability for which no fix or signature yet exists, before administrators have the chance to update their systems.
Dynamic signature updating: A signature-based NIDS depends entirely on the signatures it holds to identify intrusions. However, such systems are not always able to detect the most recently developed intrusions, or even slightly modified variants of known ones [ ]. For a NIDS to be effective, one needs to address how quickly the system can be updated with new signatures as administrators discover new exploits and vulnerabilities.
Third Party support: Understanding the support one can receive from third parties and vendors can prove useful when
developing a NIDS. In addition, it may highlight areas in which the system does not meet pre-approved standards of
threat detection.
The AB environment poses several research opportunities for adapting NIDS to cope with security requirements as components start exchanging data or become interlinked. One key issue is how NIDS deal with IoT devices and CPS that are no longer supported or are simply outdated. There is also potential research on how best to integrate AI and machine learning to negate vulnerabilities by leveraging the computational tractability of the
3.5 |Threat modelling
One significant technique used in cybersecurity is Threat Modelling (TM) [ ]. The idea is to devise abstractions of a system and to consider possible attackers together with their aims, goals, and methods. The output is a list of threats to the system that should be addressed. Methods in this approach vary in objectives and scope; as an example we highlight STRIDE, a mnemonic for the security concerns Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Another example is to build attack trees, in which the paths an attack may take are laid out so that defences can be placed to mitigate incidents [ ]. In terms of TM research, Sion et al. [ ] enriched threat models with risk analysis information to help prioritisation and triaging. In a similar vein, Marksteiner et al. [ ] used TM in an LVDG, combining the approach with RA over legacy and newly added devices in the SG. Best practices for TM can be broken down into five steps: i) asset identification; ii) threat reconnaissance; iii) risk assessment; iv) threat mapping; and v) mitigation capabilities.
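To make the attack-tree idea concrete, here is an added Python example (not the chapter's own code): a goal is refined through OR nodes (any one sub-attack suffices) and AND nodes (all sub-attacks are needed) down to leaf steps, each carrying an assumed attacker cost and success probability. The evaluator returns the cheapest feasible path and the overall success probability, and shows how marking a leaf as mitigated (here a hypothetical MFA control on the BEMS operator login) changes both. The tree, its step names and every number in it are constructed for illustration of an AB setting and are not measured values.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"            # "LEAF", "AND" or "OR"
    cost: float = 0.0             # attacker effort for a leaf step (arbitrary units)
    p_success: float = 1.0        # probability a leaf step succeeds when attempted
    children: List["Node"] = field(default_factory=list)
    mitigated: bool = False       # a deployed control makes this leaf infeasible


def AND(name: str, *children: Node) -> Node:
    return Node(name, "AND", children=list(children))


def OR(name: str, *children: Node) -> Node:
    return Node(name, "OR", children=list(children))


def LEAF(name: str, cost: float, p_success: float) -> Node:
    return Node(name, "LEAF", cost=cost, p_success=p_success)


def cheapest_path(node: Node) -> Optional[Tuple[float, List[str]]]:
    """Minimum total attacker cost to achieve `node`, with the leaf steps used.
    Returns None when every route is blocked by a mitigation."""
    if node.kind == "LEAF":
        return None if node.mitigated else (node.cost, [node.name])
    results = [cheapest_path(c) for c in node.children]
    if node.kind == "OR":
        feasible = [r for r in results if r is not None]
        return min(feasible, key=lambda r: r[0]) if feasible else None
    if any(r is None for r in results):           # AND: one blocked child blocks the node
        return None
    return (sum(r[0] for r in results), [step for r in results for step in r[1]])


def success_probability(node: Node) -> float:
    """Probability the goal is reached, assuming independent leaf steps and an
    attacker who tries every OR branch: AND multiplies, OR is 1 - prod(1 - p)."""
    if node.kind == "LEAF":
        return 0.0 if node.mitigated else node.p_success
    ps = [success_probability(c) for c in node.children]
    acc = 1.0
    if node.kind == "AND":
        for p in ps:
            acc *= p
        return acc
    for p in ps:
        acc *= (1 - p)
    return 1 - acc


def build_tree(mfa_on_bems: bool = False) -> Node:
    """Constructed example: a hypothetical goal against a building's VPP feed.
    Costs and probabilities are illustrative, not estimates from the chapter."""
    phish = LEAF("Phish BEMS operator credentials", 30, 0.4)
    phish.mitigated = mfa_on_bems        # MFA removes the password-only route
    return OR("Inject false meter readings into the VPP",
              AND("Compromise a smart meter",
                  LEAF("Obtain meter optical-port access", 40, 0.7),
                  LEAF("Bypass meter firmware signing", 200, 0.3)),
              AND("Spoof meter traffic on the building LAN",
                  LEAF("Gain LAN foothold via an IoT device", 60, 0.6),
                  LEAF("Forge unauthenticated telemetry messages", 20, 0.9)),
              phish)


if __name__ == "__main__":
    for mfa in (False, True):
        tree = build_tree(mfa_on_bems=mfa)
        print(f"MFA on BEMS: {mfa}")
        print("  cheapest path:", cheapest_path(tree))
        print(f"  success probability: {success_probability(tree):.3f}")
```

Two points the numbers make: the cheapest route is often not the most probable one, so a defender ranking mitigations by cost alone can miss the branch most likely to succeed; and the independence assumption behind the probability roll-up is exactly that, an assumption, which is why the chapter's later emphasis on validating models against the real infrastructure matters.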
TM can be quite complex and is therefore not always limited to a single methodology. It is not uncommon for organisations in industry to adopt multiple methodologies to ensure that all threats in their environment are covered. For this reason, some industries and academic researchers broaden their choices with methodologies such as the Process for Attack Simulation and Threat Analysis (PASTA), the Hybrid Threat Modeling Method (hTMM), or Security Cards, which focus mostly on brainstorming threats.
PASTA is a seven-stage, risk-centric TM methodology designed for integrated application threat analysis. Because it works from a risk- or asset-based perspective, it suits business-focused environments such as AB. It is designed as an approach to threat detection, enumeration, and scoring. Once the threat model is complete, it allows security experts to analyse vulnerabilities and other identified threats to the system environment, highlighting areas where security controls need to be added [ ]. PASTA takes an attacker-centred view of the system and its overall environment, from which developers can design an asset-centred defence.
The hTMM methodology was recently introduced by the Software Engineering Institute (SEI) at Carnegie Mellon University, with application to CPS [ ]. It combines three existing methods: Security Quality Requirements Engineering (SQUARE), designed to elicit, categorise, and prioritise security requirements; Security Cards (described below); and Persona non Grata, used to identify ways in which a system can be attacked according to adversaries' goals.
The Security Cards methodology approaches TM through brainstorming and creative thinking, unlike the structured methodologies seen so far. It is designed to help identify less common or novel attacks. It uses a deck of cards covering four dimensions: Human Impact, Adversary's Motivations (13 cards), Adversary's Resources (11 cards), and Adversary's Methods (9 cards) [94].
3.6 |Modelling & Simulation
Modelling & Simulation help the design of virtually any system by artificially creating approximated versions of a target infrastructure. Modellers then introduce controlled incidents into components, devising 'what-if' scenarios under the most likely assumptions about the system and evaluating the resulting output [ ] for analysis. MATLAB/Simulink is extensively integrated with real-time simulators such as OPAL-RT [ ] to investigate power-related problems with built-in primitives, integrated toolboxes, and shared libraries. Modellers may use Hardware-in-the-Loop (HIL) simulation [ ] to assess designs, toggling the level of detail according to the desired feature representations.
Cybersecurity-oriented simulation focuses on the consequences of attacks [ ], i.e., what happens after an attack or breach has taken place (data corruption in IS, stolen credentials, or elevated privileges). Modellers tackle issues arising in both the power network and the telecommunication network [102, 103] with co-simulation [104].
A plethora of frameworks exists for co-simulating the SG, such as GridLAB-D [ ] or OpenDSS [ ] combined with the Network Simulator (ns) [ ] or OMNeT++/INET [ ]. In terms of platforms or tool-chains specific to co-simulation we mention the Framework for Network Co-Simulation (FNCS) [ ], gradually being replaced by the Hierarchical Engine for Large-scale Infrastructure Co-Simulation (HELICS) [ ], Mosaik [ ], and pandapower [ ].
For modelling buildings and energy efficiency across buildings, analysts usually employ EnergyPlus [ ], broadly adopted because it has been extensively validated and its simulation results are trusted, and for its thermal analysis and other building-related features. It is regularly updated, with new versions fixing software defects while remaining backwards compatible with older model versions. Modellers use EnergyPlus in conjunction with the graphical interface offered by OpenStudio, and both tools are free.
There are co-simulation tools that offer modelling of DER in power distribution networks. For instance, the Open Platform for Energy Networks (OPEN) [ ] uses pandapower [ ] for an integrated simulation. Its authors presented one case study of a BEMS with PV and energy trading, and another of an EV fleet on an unbalanced three-phase distribution network. The SCEPTRE toolchain [ ] (Sandia National Laboratories, US) is used to model networks of DER and cybersecurity defences where latency may impact grid performance. In its current version, the platform is on-line (live) and uses virtualised servers for the co-simulation engine.
Some authors have applied these frameworks to model cybersecurity aspects, such as Souza et al. [ ], who combined OpenDSS, Mosaik, and ns-3 into a platform, and Le et al. [117], who used FNCS to model threats in the SG.
3.7 |Discussion
There is a substantial push for efficient planning (short, medium, and long term), preparedness, and accurate state estimation, as the SG is a critical infrastructure prone to unintended or malicious cybersecurity incidents. Measures in place address rigorous access control, real-time tracking of people, sensing of the buildings' infrastructure, and data collection.
From a cybersecurity perspective, officers across all responsibilities should balance trade-offs against functionality, usability, control, and privacy while acting quickly to prevent and respond to incidents. In AB, managers tackle these concerns by overseeing the whole infrastructure: the DER, the set of SB, the VPP controlling CPS and IoT, SCADA sub-systems (if present), the AMI, and the TE. Historic energy yields across seasons should account for scale, i.e., new devices are attached to the grid as incentives are put in place over time. The OCC for AB integrates with the ESO, energy providers, aggregators, consumers, and building managers, continuously gathering data for accurate state estimation (an explanation of how the state estimator works is provided by He and Yan [ ]) while enabling trustworthiness. It accounts for short-, medium-, and long-term planning and prepares for adverse weather conditions, avoiding reliance on conventional power to meet nZEB requirements.
One notices a significant increase in market penetration of roof-top PV, WTPCS, and other DER. Akram et al. [ ] studied sizing the RER mix in grid-connected microgrids, comparing reliability against minimum cost. Attackers may target energy theft as customers start behaving as small generators trading in the market as prosumers. This is a substantial shift from conventional interactions with the energy market, from passive consumers to active players that could even help balance frequency when required by the management system or controller. These concerns will grow with the wide adoption of EV and smart chargers participating in the network, as they too may regulate frequency [ ].
Business stakeholders and cybersecurity experts must convene and use the RA for insights when addressing threats and vulnerabilities. Establishing clear and quantifiable measures could help in understanding the level of exposure within AB and what actions to take to diminish risk and exploitation opportunities. They must decide which cybersecurity metrics to consider, whether related to quality properties, system status (in terms of updating), number of breaches or attack attempts per unit of time, or a customised approach that addresses quantitative measures. Within the context of SB, research is needed to define important, easily measurable Quality of Protection metrics. Moreover, it is crucial to research the relationship between different metrics, e.g., between software updates and risk, so that different stakeholders can make use of each other's metrics.
In AB settings it is essential to deal with uncertainty, i.e., imperfect or incomplete knowledge of threats and new vulnerabilities. The intermittency of renewable generation adds to this uncertainty, although it can be mitigated with ESS in buildings and EV. Borrowing N-1 security ideas from the EPG, AB could address how to cope with more localised contingencies to avoid load shedding or blackouts in their vicinity, for example by employing redundancy or by signalling prices to the market and customers so that power frequency can be evened out during a crisis.
AB and nZEB are expected to permeate the future power grid across residential, commercial, and industrial settings. Their advantages will be weighed against the current model, where customers balance convenience, trustworthiness, trade-offs between investment and billing, and security and privacy guarantees to make a decision. As potentially millions of IoT devices attached to DER proliferate into buildings and households, continuously updated RA across system life-cycles will be compulsory. We next outline a cybersecurity-oriented research roadmap for AB:
1. Risk Assessments: research on timely, bespoke, and automated RA throughout (any) system life-cycle. Address how to cope with emergent threats and vulnerabilities and with requirement changes. RA will be tailored to meet the organisation's objectives and will need to adapt quickly to increasing levels of attack sophistication, involving cybersecurity experts in the process [ ]. The RA could support TM and vulnerability assessment through combination with security metrics. For instance, Rizvi et al. [ ] modelled weaknesses of IoT in home, commerce, and healthcare facilities and used CVSS to compute vulnerability scores for the devices.
2. Efficiency codes: just as energy efficiency labels grade appliances for power consumption, modern infrastructure could be graded on other concerns such as emissions, amount of energy generation, and storage capability. Nikolaidou et al. [ ] devised such a code for AB; it could be extended to consider trustworthiness, helping customers evaluate trade-offs when purchasing property or adjusting security on their premises. With respect to security metrics, a significant practical open problem is to establish relationships between the metrics used by different stakeholders, for instance between the technology metrics used by ICT professionals and the risk metrics used in business continuity
3. Market features:
New players: the number of prosumers in AB will increase as potentially thousands of new power generators are attached to the grid, motivated by low acquisition prices and governmental incentives. It promises lower electricity bills (among other advantages), and authors have studied how prosumers manage and share energy in the SG [ ]. The envisioned massive penetration of roof-top solar panels and EV will change the energy landscape by adding new DER and increasing the flexibility of power grids; however, it will enlarge the attack surface considerably.
Transactive energy: TE may help prevent power cuts and blackouts; for instance, Yankson and Ghamkhari [ ] used it to thwart load-based attacks and flexible loads to balance frequency. Huang et al. [ ] used co-simulation to study the valuation of responsive loads, comparing TE and non-TE agents.
4. Smart Grid components:
Cross-domain control: more research is required to understand the multidisciplinary approach needed for a plethora of systems and components, bringing together experts from different domains.
Pervasiveness of smart components: the SG infrastructure allows potentially millions of smart appliances to be attached easily. From a cybersecurity point of view, this could open back-doors for malicious interventions, as devices may eavesdrop on or divert communications, influence automated incident responses (or prevent them from happening), and delay (or prevent) events from reaching the OCC.
Component life-cycle: in AB, the infrastructure is composed of a plethora of components, each with its own life-cycle from pre-acquisition and procurement, through deployment, i.e. when they start servicing customers, until decommissioning. Cybersecurity officers must address RA throughout these phases.
Legacy systems and retrofitting: one must consider the cybersecurity effects of customers retaining outdated equipment in their buildings.
Heterogeneity and interoperability: cybersecurity officers may employ device heterogeneity to increase protection, as it hampers attacks that rely on one weakness being present across identical devices. However, they will then have to account for other issues such as intra-communication, timely maintenance, and interoperability.
5. Power-based attacks:
Synchronised cyber incidents: these attacks occur when malicious actors inject malware and coordinate events that may impact frequency, e.g., switching a massive number of high-wattage devices on or off. There is a need to better understand LCA, MAD, or LRA [ ], both for detection and for countermeasures to avoid their
APT: measures consist of training systems and personnel to identify long-term incursions, monitoring data, checking energy use against previous consumption or generation, and building energy profiles over prolonged time scales [ ]. Also, investigating FDI attacks [ ] and comparing multiple datasets to unveil patterns that could hint at diversions or inconsistent loads across the infrastructure, in order to detect, assess, confirm, mitigate, and cope with APT.
6. Modelling & Simulation:
Modelling scale: as the advantages of AB become visible to customers, companies, and government, other buildings and households will want to participate and even trade energy, so the solution must account for scaling the infrastructure to withstand the demand.
Testbeds: tackle realistic modelling and co-simulation efforts when designing and experimenting with EPG of varying scale, addressing power supply and demand in the presence of security incidents, physical destruction, or service interruption, to name a few [ ]. Address preparedness, pro-active responses, and accurate detection and confirmation of incidents.
Cyber-physical counterparts: one idea for testing the effectiveness of responses is to artificially inject attacks and observe how the countermeasures in place react. Current research replicates physical and virtual counterparts as Digital Twins, aimed at facilitating analysis by juxtaposing these elements.
Prediction under uncertainty: user behaviour and weather intermittency may drive planning for the short, medium, and long term. The idea is to iterate over multiple scenarios while considering the computational tractability of running a massive number of simulations. It is an open research question how to model the stochasticity of DER, ESS, and
Controlled stress testing: to avoid actual attacks on the physical infrastructure, simulation could be used to add controlled failures to components from single or multiple sources. It could address susceptible scenarios under different energy loads to drive design decisions on how best to tackle electricity-based shortcomings.
HIL: it allows hardware and its internal structures to be modelled at varying levels of detail, as increasingly demanded. Kochanneck et al. [ ] considered a HIL co-simulation in an LVDG, comparing a multi-building design with a real-world building setting.
Sensitivity analysis: this effort involves multiple parametrisations for comparing the impact of characteristics and discovering scenarios deemed deficient (according to metrics) for in-depth analysis.
7. Incident response: fast reaction to malicious incursions and recovery from security incidents or unanticipated breaches, learning from the situations and documenting details, actions, and reactions for future reference. Incident response could be of crucial use in the event of catastrophes or natural disasters impairing the infrastructure.
8. Emergent techniques: increased use of Machine Learning and AI algorithms for processing Big Data from multiple sources (e.g. IoT measurements, fine-grained weather forecasts, logging, and so on), and distributed ledgers for smart contracts in TE systems [123].
9. End-user related: inhabitants, managers, maintenance personnel, and officers will have to adapt, learn, and point out inconsistent behaviours, anomalies, improper use, invalid situations, or user mishandling of technology throughout the premises of AB. The interaction with AB's systems will have to balance functionality against cybersecurity, providing ease of operation for different user levels, e.g., children, the elderly, or non-savvy customers.
10. Legal aspects: accountability, ownership, and forensics, i.e. questions as to the magnitude of attacks, the impacted systems, and who is responsible (and liable) for the AB infrastructure. These matter in both new and retrofitted buildings, as does attributing attacks to specific individuals with evidence (forensics). As data pours into IS, security requirements [ ] and data protection mechanisms will ensure better managerial actions in conjunction with life-cycle RA, General Data Protection Regulation (GDPR) adherence, staff training, and health and safety
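Item 5 of the roadmap above asks for energy profiling and cross-checks between datasets as a way of spotting FDI and long-running incursions. The following Python example is added here (it is not code from the chapter) to show one simple form of that: a per-hour-of-day baseline built from historical readings, a deviation check of a new day against it, and a consistency check between a main meter and its sub-meters, so that a single falsified stream stands out even when each value on its own looks plausible. All readings are constructed with a deterministic jitter standing in for measurement noise, and the z-score and tolerance thresholds are illustrative values, not recommendations from the chapter.

```python
import statistics
from typing import Dict, List, Tuple

HOURS = range(24)


def _diurnal_profile(hour: int) -> float:
    """Constructed office-building shape: ~20 kWh base load, ~80 kWh in working hours."""
    return 80.0 if 8 <= hour < 18 else 20.0


def _jitter(day: int, hour: int) -> float:
    """Deterministic stand-in for measurement noise, in [-2, 2] kWh (constructed)."""
    return float((day * 7 + hour * 3) % 5 - 2)


def constructed_readings(day: int) -> List[float]:
    """24 hourly kWh readings for the given (constructed) day index."""
    return [_diurnal_profile(h) + _jitter(day, h) for h in HOURS]


def build_baseline(history: List[List[float]]) -> Dict[int, Tuple[float, float]]:
    """Per-hour-of-day mean and population standard deviation over past days."""
    baseline = {}
    for h in HOURS:
        column = [day[h] for day in history]
        baseline[h] = (statistics.mean(column), statistics.pstdev(column))
    return baseline


def flag_deviations(day: List[float], baseline, z_threshold: float = 4.0,
                    min_std: float = 1.0) -> List[Tuple[int, float, float]]:
    """Return (hour, reading, z) for readings far from that hour's baseline.
    `min_std` stops an almost flat baseline from flagging harmless jitter."""
    flagged = []
    for h, reading in enumerate(day):
        mean, std = baseline[h]
        z = (reading - mean) / max(std, min_std)
        if abs(z) > z_threshold:
            flagged.append((h, round(reading, 1), round(z, 1)))
    return flagged


def consistency_check(main_meter: List[float], submeters: List[List[float]],
                      tolerance: float = 0.10) -> List[Tuple[int, float, float]]:
    """Hours where the main meter disagrees with the sum of sub-meters by more than
    `tolerance` (relative). A falsified main-meter stream with untouched sub-meters,
    or vice versa, shows up here: the attacker has to forge every stream consistently."""
    mismatches = []
    for h, total in enumerate(main_meter):
        parts = sum(sm[h] for sm in submeters)
        if parts > 0 and abs(total - parts) / parts > tolerance:
            mismatches.append((h, round(total, 1), round(parts, 1)))
    return mismatches


def demo() -> Dict[str, list]:
    """Fourteen constructed days of history, then a genuine day and the same day
    with its 14:00 reading falsified to a quarter of the true consumption."""
    baseline = build_baseline([constructed_readings(d) for d in range(14)])
    true_day = constructed_readings(14)
    injected_day = list(true_day)
    injected_day[14] = true_day[14] * 0.25
    # Three sub-metered circuits that together make up the true consumption.
    submeters = [[x * share for x in true_day] for share in (0.5, 0.3, 0.2)]
    return {
        "clean": flag_deviations(true_day, baseline),
        "injected": flag_deviations(injected_day, baseline),
        "mismatch": consistency_check(injected_day, submeters),
    }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:9s} {findings}")
```

The baseline check catches a value that is implausible for the hour; the consistency check catches a value that is plausible but contradicted by another dataset, which is the "comparing multiple datasets" idea in item 5 and the harder case for an attacker to defeat. In a real deployment the baseline would need to account for weekday/weekend and seasonal structure, and the thresholds would be tuned against genuine history rather than fixed as here.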
AB will revolutionise the way people handle power in buildings. They will support future energy systems, evolving current paradigms towards more active roles instead of passive consumption. The advantages brought by AB will improve balancing of the power grid during peak demand while enabling prosumers to interact in the market through P2P trading. The greener and more sustainable approach offered by AB may also reduce electricity bills, as more conscious customers shift their behaviour according to electricity prices or other incentives.
Figure 6 shows an overview of the proposed cybersecurity roadmap for AB, showing areas of concern and the most susceptible targets. It covers the attack surface with the highest likelihood of adversarial intervention, accounting for major issues in current and future architectures and technologies.
[Figure 6 diagram not reproduced; labels in the figure: DER, Energy; Threats, Vulnerabilities; Sources, Events, Scenarios; Confidentiality, Integrity, Availability; Legacy, Current, Future]
FIGURE 6 Cyber-physical security, Risk Assessment, and potential targets in AB settings.
Bespoke RA aligns business objectives with cybersecurity trade-offs. As mentioned, the organisation leverages the rigour, formality, and depth of the RA, accounting for the business proposition, optimality, and potential threats that could undermine service provision. The sheer complexity of AB calls for strict cybersecurity management, with officers and stakeholders ensuring the quality of the data fed into the systems for accurate state estimation and situational awareness. These protections safeguard IS and prevent the infrastructure from falling short on cyber-physical security.
As stated throughout this work, adversaries may target the AB business proposition (energy generation, storage, release, and conservation), corrupt data in IS, skew predictions, or transmit an erroneous status of field devices. It is the responsibility of the cybersecurity officers to identify, confirm, and respond to incidents in a timely fashion, fast-track exposures, and report occurrences precisely so as to keep false positives, i.e., teams responding to false events, to a minimum.
Finally, it is worth mentioning that adversaries may surveil the infrastructure and monitor signals and responses to learn how to inflict more damage in future incursions. To mitigate such situations, research is needed on modelling attackers' actions to establish effective countermeasures and thwart cyber-physical security incidents, thus preventing them from re-occurring.
Security and safety encompass the AB proposition as well as the intertwined nature of P2P energy provision. AB are defined as buildings that act as active energy agents sustaining a nation's power infrastructure, so any adversarial incursion against that infrastructure and all it entails is also an attack on AB. Under these settings one must consider the harmful effects of attacks that could cause undesired load shedding or frequency imbalance, not to mention the consequences for inhabitants and managers. Security, after all, is a trade-off between adhering to requirements and the user/customer/stakeholder interaction and experience. Riskier outcomes must be prioritised over unimportant ones as cybersecurity officers continuously assess threats and vulnerabilities.
For these ideas to become reality, action is required at a trans-national level, for example a joint effort on how best to decommission current power plants with little impact on the environment. Renewable energy is known for its uncertainty, as WTPCS and PV panels generate at full capacity only a fraction of the time, depending on climatic conditions. Besides this, PV panels demand a large surface area for a given energy yield, whereas wind turbines may impact wildlife and vegetation. Nevertheless, despite these shortcomings, cross-domain action must be taken to meet energy objectives for the near future, enshrining the solution with cyber-physical security and safety.
AB adoption undoubtedly poses significant opportunities aligned with the decarbonisation strategy set forth by the government. We have proposed here a roadmap for tackling cyber-physical security using RA, modelling, and intrusion detection over the AB life-cycle, as well as future research opportunities. We have raised awareness of cybersecurity in AB by commenting on how to adapt existing mechanisms from CPS, IoT, and ICS. Our work has presented an overview of the cross-fertilisation effort required across domains for increased preparedness to assess and respond to cyber-physical
5.1 |Status Quo, Challenges, and Outlook
Cybersecurity is vital for any critical system design, as it sustains operational capabilities in the presence of adversarial
incursions. Power and building managers, as well as security officers, are expected to draw on previous research
on infrastructure security, learning from prior experiences and lessons learned as their cyber-physical systems become
increasingly hardened against attacks. As shown throughout the chapter, several challenges persist in modern
(and smart) infrastructures as attackers devise creative means to gain unauthorised access to systems and disrupt operations.
As adversaries will always have incentives to attack the SG because of its capabilities, managers should
consider cybersecurity throughout the AB proposition and recruit, whenever possible, the help of its
stakeholders (e.g. in reporting anomalies, phishing attempts, uncommon behaviour, and so on).
Our work has pointed out key aspects of cyber-physical security to observe from CPS research (SG and ICS), reviewing
related work on SCADA vulnerabilities and mitigations, risk assessment, threat modelling, and Modelling & Simulation.
Future efforts are expected to follow this path of building on previous ideas and adapting systems, techniques,
and methods to cope with frequently changing cyber-physical topologies, accommodating emergent technologies
seamlessly for customers and administrators. The cybersecurity challenge in AB should take into account attacker
dynamics, with defences adapting in near real-time to detect malicious advances and prevent more serious consequences
from propagating across the infrastructure.
The authors wish to acknowledge funding from the Industrial Strategy Challenge Fund and Engineering and Physical
Sciences Research Council, EP/V012053/1, for The Active Building Centre Research Programme (ABC RP).
[1] Mo Y, Kim THJ, Brancik K, Dickinson D, Lee H, Perrig A, et al. Cyber-physical security of a smart grid infrastructure.
Proceedings of the IEEE 2011;100(1):195–209.
[2] Greer C, Wollman DA, Prochaska DE, Boynton PA, Mazer JA, Nguyen CT, et al. NIST framework and roadmap for smart
grid interoperability standards, release 3.0; 2014.
[3] Amin SM, Wollenberg BF. Toward a smart grid: power delivery for the 21st century. IEEE Power Energy Magazine
[4] Fang X, Misra S, Xue G, Yang D. Smart grid - The new and improved power grid: A survey. IEEE Communications Surveys
and Tutorials 2011;14(4):944–980.
[5] Gunes V, Peter S, Givargis T, Vahid F. A survey on concepts, applications, and challenges in cyber-physical systems. KSII
Transactions on Internet & Information Systems 2014;8(12).
[6] Humayed A, Lin J, Li F, Luo B. Cyber-physical systems security: A survey. IEEE Internet of Things Journal
[7] Clarke J, Jones P, Littlewood J, Worsley D. Active Buildings in Practice. In: Sustainability in Energy and Buildings
Springer; 2020.p. 555–564.
[8] Hatziargyriou N, Asano H, Iravani R, Marnay C. Microgrids. IEEE Power Energy Magazine 2007;5(4):78–94.
[9] Strbac G, Woolf M, Walker S, Vahidinasab V. The Role of Active Buildings in the Transition to a Net Zero Energy System.
Imperial College, Newcastle University 2020;.
[10] Zafar R, Mahmood A, Razzaq S, Ali W, Naeem U, Shehzad K. Prosumer based energy management and sharing in smart
grid. Renewable and Sustainable Energy Reviews 2018;82:1675–1684.
[11] Driesen J, Katiraei F. Design for distributed energy resources. IEEE Power Energy Magazine 2008;6(3):30–40.
[12] Bankovskis A. One million homes constructed as ‘buildings as power stations’ report of indicative benefits. SPECIFIC
online report 2017;.
[13] Nikolaidou E, Fosas D, Roberts M, Allen S, Walker I, Coley D. Buildings as Energy Infrastructure, not Passive Consumers.
University of Bath 2020;.
[14] Ma O, Alkadi N, Cappers P, Denholm P, Dudley J, Goli S, et al. Demand response for ancillary services. IEEE Transactions
on Smart Grid 2013;4(4):1988–1995.
[15] Attia S. Net Zero Energy Buildings (NZEB): Concepts, frameworks and roadmap for project analysis and implementa-
tion. Butterworth-Heinemann; 2018.
[16] Kurnitski J, Allard F, Braham D, Goeders G, Heiselberg P, Jagemar L, et al. How to define nearly net zero energy buildings
nZEB. Rehva Journal 2011;48(3):6–12.
[17] Sridhar S, Hahn A, Govindarasu M. Cyber-physical system security for the electric power grid. Proceedings of the IEEE
[18] He H, Yan J. Cyber-physical attacks and defences in the smart grid: a survey. IET Cyber-Physical Systems: Theory &
Applications 2016;1(1):13–27.
[19] Giraldo J, Sarkar E, Cardenas AA, Maniatakos M, Kantarcioglu M. Security and privacy in cyber-physical systems: A
survey of surveys. IEEE Design & Test 2017;34(4):7–17.
[20] Abercrombie RK, Sheldon FT, Hauser KR, Lantz MW, Mili A. Risk assessment methodology based on the NISTIR 7628
guidelines. In: 2013 46th Hawaii International Conference on System Sciences IEEE; 2013. p. 1802–1811.
[21] Wangen G. Information security risk assessment: A method comparison. Computer 2017;50(4):52–61.
[22] Leszczyna R. Standards on cyber security assessment of smart grid. International Journal of Critical Infrastructure
Protection 2018;22:70–89.
[23] Ruland KC, Sassmannshausen J, Waedt K, Zivic N. Smart grid security: an overview of standards and guidelines. e&i
Elektrotech Inf Tech 2017;134(1):19–25.
[24] Gritzalis D, Iseppi G, Mylonas A, Stavrou V. Exiting the Risk Assessment maze: A meta-survey. ACM Computing Surveys
(CSUR) 2018;51(1):1–30.
[25] Pillitteri VY, Brewer TL. Guidelines for smart grid cybersecurity (NIST 7628); 2014.
[26] Initiative JTFT. Guide for conducting risk assessments (NIST. SP 800-30rev1). The National Institute of Standards and
Technology (NIST), Gaithersburg 2012;.
[27] Greenwood D, Lim KY, Patsios C, Lyons P, Lim YS, Taylor P. Frequency response services designed for energy storage.
Applied Energy 2017;203:115–127.
[28] Stouffer K, Falco J, Scarfone K. Guide to industrial control systems (ICS) security Rev. 2. NIST Special Publication
[29] Izadkhast S, Garcia-Gonzalez P, Frías P. An Aggregate Model of Plug-In Electric Vehicles for Primary Frequency Control.
IEEE Transactions on Power Systems 2015;30(3):1475–1482.
[30] Ding D, Han QL, Xiang Y,Ge X, Zhang XM. A survey on security control and attack detection for industrial cyber-physical
systems. Neurocomputing 2018;275:1674–1683.
[31] Kim J, Tong L. On topology attack of a smart grid: Undetectable attacks and countermeasures. IEEE Journal on Selected
Areas in Communications 2013;31(7):1294–1305.
[32] Camana Acosta MR, Ahmed S, Garcia CE, Koo I. Extremely Randomized Trees-Based Scheme for Stealthy Cyber-Attack
Detection in Smart Grid Networks. IEEE Access 2020;8:19921–19933.
[33] Yuan Y, Li Z, Ren K. Modeling load redistribution attacks in power systems. IEEE Transactions on Smart Grid
[34] Kumar P, Lin Y, Bai G, Paverd A, Dong JS, Martin A. Smart grid metering networks: A survey on security, privacy and
open research issues. IEEE Communications Surveys and Tutorials 2019;21(3):2886–2927.
[35] Gunduz MZ, Das R. Cyber-security on smart grid: Threats and potential solutions. Computer Networks
[36] Huang Q, McDermott TE, Tang Y, Makhmalbaf A, Hammerstrom DJ, Fisher AR, et al. Simulation-based valuation of
transactive energy systems. IEEE Transactions on Power Systems 2019;34(5):4138–4147.
[37] Pudjianto D, Ramsay C, Strbac G. Virtual power plant and system integration of distributed energy resources. IET
Renewable Power Generation 2007;1(1):10–16.
[38] Royapoor M, Pazhoohesh M, Davison PJ, Patsios C, Walker S. Building as a virtual power plant, magnitude and persis-
tence of deferrable loads and human comfort implications. Energy and Buildings 2020;213:109794.
[39] Zajc M, Kolenc M, Suljanović N. Virtual power plant communication system architecture. In: Smart Power Distribution
Systems Elsevier; 2019.p. 231–250.
[40] Kolenc M, Nemček P, Gutschi C, Suljanović N, Zajc M. Performance evaluation of a virtual power plant communication
system providing ancillary services. Electric Power Systems Research 2017;149:46–54.
[41] Radhakrishnan K, Menon RR, Nath HV. A survey of zero-day malware attacks and its detection methodology. In: TEN-
CON 2019-2019 IEEE Region 10 Conference (TENCON) IEEE; 2019. p. 533–539.
[42] Langner R. Stuxnet: Dissecting a cyberwarfare weapon. IEEE Security & Privacy 2011;9(3):49–51.
[43] Farwell JP, Rohozinski R. Stuxnet and the future of cyber war. Survival 2011;53(1):23–40.
[44] Kimani K, Oduol V, Langat K. Cyber security challenges for IoT-based smart grid networks. International Journal of
Critical Infrastructure Protection 2019;25:36–49.
[45] Ashibani Y, Mahmoud QH. Cyber physical systems security: Analysis, challenges and solutions. Computer Security
[46] Al-Fuqaha A, Guizani M, Mohammadi M, Aledhari M, Ayyash M. Internet of things: A survey on enabling technologies,
protocols, and applications. IEEE Communications Surveys and Tutorials 2015;17(4):2347–2376.
[47] Alaba FA, Othman M, Hashem IAT, Alotaibi F. Internet of Things security: A survey. Journal of Network and Computer
Applications 2017;88:10–28.
[48] Yang Y, Wu L, Yin G, Li L, Zhao H. A survey on security and privacy issues in Internet-of-Things. IEEE Internet of Things
Journal 2017;4(5):1250–1258.
[49] Emmanuel M, Rayudu R. Communication technologies for smart grid applications: A survey. Journal of Network and
Computer Applications 2016;74:133–148.
[50] Lin J, Yu W, Zhang N, Yang X, Zhang H, Zhao W. A survey on internet of things: Architecture, enabling technologies,
security and privacy, and applications. IEEE Internet of Things Journal 2017;4(5):1125–1142.
[51] Heartfield R, Loukas G, Budimir S, Bezemskij A, Fontaine JR, Filippoupolitis A, et al. A taxonomy of cyber-physical
threats and impact in the smart home. Computer Security 2018;78:398–428.
[52] Lin H, Bergmann NW. IoT privacy and security challenges for smart home environments. Information 2016;7(3):44.
[53] Deng R, Xiao G, Lu R, Liang H, Vasilakos AV. False data injection on state estimation in power systems: Attacks,
impacts, and defense: A survey. IEEE Transactions on Industrial Informatics 2016;13(2):411–423.
[54] Liang G, Zhao J, Luo F, Weller SR, Dong ZY. A review of false data injection attacks against modern power systems. IEEE
Transactions on Smart Grid 2016;8(4):1630–1638.
[55] Musleh AS, Chen G, Dong ZY. A survey on the detection algorithms for false data injection attacks in smart grids. IEEE
Transactions on Smart Grid 2019;11(3):2218–2234.
[56] Huang Y, Esmalifalak M, Nguyen H, Zheng R, Han Z, Li H, et al. Bad data injection in smart grid: attack and defense
mechanisms. IEEE Communications Magazine 2013;51(1):27–33.
[57] He Y, Mendis GJ, Wei J. Real-time detection of false data injection attacks in smart grid: A deep learning-based intelli-
gent mechanism. IEEE Transactions on Smart Grid 2017;8(5):2505–2516.
[58] Manandhar K, Cao X, Hu F, Liu Y. Detection of faults and attacks including false data injection attack in smart grid using
Kalman filter. IEEE Transactions on Control of Network Systems 2014;1(4):370–379.
[59] Paté-Cornell ME, Kuypers M, Smith M, Keller P. Cyber risk management for critical infrastructure: a risk analysis model
and three case studies. Risk Analysis 2018;38(2):226–241.
[60] Soltan S, Mittal P, Poor HV. BlackIoT: IoT botnet of high wattage devices can disrupt the power grid. In: 27th USENIX
Security Symposium; 2018. p. 15–32.
[61] Dabrowski A, Ullrich J, Weippl ER. Grid shock: Coordinated load-changing attacks on power grids: The non-smart
power grid is vulnerable to cyber attacks as well. In: Proceedings of the 33rd Annual Computer Security Applications
Conference; 2017. p. 303–314.
[62] Yankson S, Ghamkhari M. Transactive Energy to Thwart Load Altering Attacks on Power Distribution Systems. Future
Internet 2020;12(1):4.
[63] Soltan S, Mittal P, Poor V. Protecting the Grid against MAD Attacks. IEEE Transactions on Network Science and Engi-
neering 2019;.
[64] Kumar CO, Bhama PRS. Detecting and confronting flash attacks from IoT botnets. The Journal of Supercomputing
[65] Arnaboldi L, Czekster RM, Morisset C, Metere R. Modelling Load-Changing Attacks in Cyber-Physical Systems. Elec-
tronic Notes in Theoretical Computer Science 2020;353C:39–60.
[66] Huang B, Cardenas AA, Baldick R. Not everything is dark and gloomy: Power grid protections against IoT demand
attacks. In: 28th USENIX Security Symposium; 2019. p. 1115–1132.
[67] Komninos N, Philippou E, Pitsillides A. Survey in smart grid and smart home security: Issues, challenges and counter-
measures. IEEE Communications Surveys and Tutorials 2014;16(4):1933–1954.
[68] Mitchell R, Chen IR. A survey of intrusion detection techniques for cyber-physical systems. ACM Computing Surveys
(CSUR) 2014;46(4):1–29.
[69] Zambon E, Etalle S, Wieringa RJ, Hartel P. Model-based qualitative risk assessment for availability of IT infrastructures.
Software & Systems Modeling 2011;10(4):553–580.
[70] Shamala P, Ahmad R, Yusoff M. A conceptual framework of info structure for information security risk assessment
(ISRA). Journal of Information Security and Applications 2013;18(1):45–52.
[71] Shameli-Sendi A, Aghababaei-Barzegar R, Cheriet M. Taxonomy of information security risk assessment (ISRA). Com-
puter Security 2016;57:14–30.
[72] Chemweno P, Pintelon L, Muchiri PN, Van Horenbeek A. Risk assessment methodologies in maintenance decision mak-
ing: A review of dependability modelling approaches. Reliability Engineering & System Safety 2018;173:64–77.
[73] Nagaraju V, Fiondella L, Wandji T. A survey of fault and attack tree modeling and analysis for cyber risk management.
In: 2017 IEEE International Symposium on Technologies for Homeland Security (HST) IEEE; 2017. p. 1–6.
[74] Cherdantseva Y,Burnap P,Blyth A, Eden P, Jones K, Soulsby H, et al. A review of cyber security risk assessment methods
for SCADA systems. Computer Security 2016;56:1–27.
[75] Rossebø JE, Wolthuis R, Fransen F, Björkman G, Medeiros N. An enhanced risk-assessment methodology for smart
grids. Computer 2017;50(4):62–71.
[76] Teixeira A, Sou KC, Sandberg H, Johansson KH. Secure control systems: A quantitative risk management approach.
IEEE Control Systems Magazine 2015;35(1):24–45.
[77] Mace JC, Czekster RM, Morisset C, Maple C. Smart Building Risk Assessment Case Study: Challenges, Deficiencies and
Recommendations. In: 16th European Dependable Computing Conference (EDCC) IEEE; 2020. p. 59–64.
[78] Nurse JR, Creese S, De Roure D. Security risk assessment in Internet of Things systems. IT professional 2017;19(5):20–
[79] Radanliev P, De Roure DC, Nicolescu R, Huth M, Montalvo RM, Cannady S, et al. Future developments in cyber risk
assessment for the internet of things. Computers in Industry 2018;102:14–22.
[80] Casola V, De Benedictis A, Rak M, Villano U. Toward the automation of threat modeling and risk assessment in IoT
systems. Internet of Things 2019;7:100056.
[81] Mell P, Scarfone K, Romanosky S. Common vulnerability scoring system. IEEE Security & Privacy 2006;4(6):85–89.
[82] Ramos A, Lazar M, Holanda Filho R, Rodrigues JJ. Model-based quantitative network security metrics: A survey. IEEE
Communications Surveys and Tutorials 2017;19(4):2704–2734.
[83] Nicol DM, Sanders WH, Trivedi KS. Model-based evaluation: from dependability to security. IEEE Transactions on
Dependable and Secure Computing 2004;1(1):48–65.
[84] Avizienis A, Laprie JC, Randell B, Landwehr C. Basic concepts and taxonomy of dependable and secure computing. IEEE
Transactions on Dependable and Secure Computing 2004;1(1):11–33.
[85] Radoglou-Grammatikis PI, Sarigiannidis PG. Securing the smart grid: A comprehensive compilation of intrusion detec-
tion and prevention systems. IEEE Access 2019;7:46595–46620.
[86] Garcia-Teodoro P, Diaz-Verdejo J, Maciá-Fernández G, Vázquez E. Anomaly-based network intrusion detection: Tech-
niques, systems and challenges. Computer Security 2009;28(1-2):18–28.
[87] Challa S, Wazid M, Das AK, Kumar N, Reddy AG,Yoon EJ, et al. Secure signature-based authenticated key establishment
scheme for future IoT applications. IEEE Access 2017;5:3028–3043.
[88] Raghunath BR, Mahadeo SN. Network intrusion detection system (NIDS). In: 1st International Conference on Emerging
Trends in Eng. and Tech. IEEE; 2008. p. 1272–1277.
[89] Shenfield A, Day D, Ayesh A. Intelligent intrusion detection systems using artificial neural networks. ICT Express 2018
[90] Premathilaka NA, Aponso AC, Krishnarajah N. Review on state of art intrusion detection systems designed for the
cloud computing paradigm. In: 2013 47th International Carnahan Conference on Security Technology (ICCST) IEEE;
2013. p. 1–6.
[91] Debar H, Morin B. Evaluation of the Diagnostic Capabilities of Commercial Intrusion Detection Systems. In: Wespi A,
Vigna G, Deri L, editors. Recent Advances in Intrusion Detection Berlin, Heidelberg: Springer Berlin Heidelberg; 2002.p.
[92] Alhanahnah M, Lin Q, Yan Q, Zhang N, Chen Z. Efficient Signature Generation for Classifying Cross-Architecture IoT
Malware 2018;p. 1–9.
[93] Rizvi S, Pipetti R, McIntyre N, Todd J, Williams I. Threat model for securing internet of things (IoT) network at device-
level. Internet of Things 2020;11:100240.
[94] Shevchenko N, Chick TA, O’Riordan P, Scanlon TP, Woody C. Threat modeling: a summary of available methods. CMU
Software Engineering Institute; 2018.
[95] Sion L, Yskout K, Van Landuyt D, Joosen W. Risk-based design security analysis. In: Proceedings of the 1st
Workshop on Security Awareness from Design to Deployment; 2018. p. 11–18.
[96] Marksteiner S, Vallant H, Nahrgang K. Cyber security requirements engineering for low-voltage distribution smart grid
architectures using threat modeling. Journal of Information Security and Applications 2019;49:102389.
[97] UcedaVelez T, Morana MM. Risk centric threat modeling. Wiley Online Library; 2015.
[98] Mead NR, Shull F, Vemuru K, Villadsen O. A hybrid threat modeling method. CMU Software Engineering Institute;
[99] Li W, Zhang X. Simulation of the smart grid communications: Challenges, techniques, and future trends. Computers &
Electrical Engineering 2014;40(1):270–288.
[100] Poudel S, Ni Z, Malla N. Real-time cyber physical system testbed for power system security and control. International
Journal of Electrical Power & Energy Systems 2017;90:124–133.
[101] Ren W, Steurer M, Baldwin TL. Improve the stability and the accuracy of power hardware-in-the-loop simulation by
selecting appropriate interface algorithms. IEEE Transactions on Industry Applications 2008;44(4):1286–1294.
[102] Mets K, Ojea JA, Develder C. Combining power and communication network simulation for cost-effective smart grid
analysis. IEEE Communications Surveys and Tutorials 2014;16(3):1771–1796.
[103] Müller SC, Georg H, Nutaro JJ, Widl E, Deng Y, Palensky P, et al. Interfacing power system and ICT simulators: Chal-
lenges, state-of-the-art, and case studies. IEEE Transactions on Smart Grid 2016;9(1):14–24.
[104] Gomes C, Thule C, Broman D, Larsen PG, Vangheluwe H. Co-simulation: a survey. ACM Computing Surveys (CSUR)
[105] Chassin DP, Fuller JC, Djilali N. GridLAB-D: An agent-based simulation framework for smart grids. Journal of Applied
Mathematics 2014;2014.
[106] Dugan RC, McDermott TE. An open source platform for collaborating on smart grid research. In: 2011 IEEE Power and
Energy Society General Meeting IEEE; 2011. p. 1–7.
[107] Riley GF, Henderson TR. The ns-3 network simulator. In: Modeling and tools for network simulation Springer; 2010.p.
[108] Varga A. OMNeT++. In: Modeling and tools for network simulation Springer; 2010.p. 35–59.
[109] Ciraci S, Daily J, Fuller J, Fisher A, Marinovici L, Agarwal K. FNCS: a framework for power system and communication
networks co-simulation. In: Proceedings of the Symposium on Theory of Modeling & Simulation-DEVS integrative;
2014. p. 1–8.
[110] Palmintier B, Krishnamurthy D, Top P, Smith S, Daily J, Fuller J. Design of the HELICS high-performance transmission-
distribution-communication-market co-simulation framework. In: 2017 Workshop on Modeling and Simulation of
Cyber-Physical Energy Systems (MSCPES) IEEE; 2017. p. 1–6.
[111] Schütte S, Scherfke S, Tröschel M. Mosaik: A framework for modular simulation of active components in Smart Grids.
In: 2011 IEEE First International Workshop on Smart Grid Modeling and Simulation (SGMS) IEEE; 2011. p. 55–60.
[112] Thurner L, Scheidler A, Schäfer F, Menke JH, Dollichon J, Meier F, et al. pandapower: an open-source python tool
for convenient modeling, analysis, and optimization of electric power systems. IEEE Transactions on Power Systems
[113] Crawley DB, Lawrie LK, WinkelmannFC, Buhl WF, Huang YJ, Pedersen CO, et al. EnergyPlus: creating a new-generation
building energy simulation program. Energy and Buildings 2001;33(4):319–331.
[114] Morstyn T, Collett KA, Vijay A, Deakin M, Wheeler S, Bhagavathy SM, et al. OPEN: An open-source platform for devel-
oping smart local energy system applications. Applied Energy 2020;275:115397.
[115] Johnson J, Onunkwo I, Cordeiro P, Wright BJ, Jacobs N, Lai C. Assessing DER network cybersecurity defences
in a power-communication co-simulation environment. IET Cyber-Physical Systems: Theory & Applications
[116] de Souza E, Ardakanian O, Nikolaidis I. A Co-simulation Platform for Evaluating Cyber Security and Control Applica-
tions in the Smart Grid. In: IEEE International Conference on Communications (ICC) IEEE; 2020. p. 1–7.
[117] Le TD, Anwar A, Beuran R, Loke SW. Smart Grid Co-Simulation Tools: Review and Cybersecurity Case Study. In: 7th
International Conference on Smart Grid (icSmartGrid) IEEE; 2019. p. 39–45.
[118] Akram U, Khalid M, Shafiq S. Optimal sizing of a wind/solar/battery hybrid grid-connected microgrid system. IET
Renewable Power Generation 2017;12(1):72–80.
[119] Skopik F, Friedberg I, Fiedler R. Dealing with advanced persistent threats in smart grid ICT networks. In: Innovative
Smart Grid Technologies (ISGT) IEEE Power & Energy Society; 2014. p. 1–5.
[120] Friedberg I, Skopik F, Settanni G, Fiedler R. Combating advanced persistent threats: From network event correlation
to incident detection. Computer Security 2015;48:35–57.
[121] Cintuglu MH, Mohammed OA, Akkaya K, Uluagac AS. A survey on smart grid cyber-physical system testbeds. IEEE
Communications Surveys and Tutorials 2016;19(1):446–464.
[122] Kochanneck S, Mauser I, Phipps K, Schmeck H. Hardware-in-the-Loop Co-simulation of a Smart Building in a Low-
voltage Distribution Grid. In: IEEE Innovative Smart Grid Technologies Conference Europe IEEE Power & Energy Soci-
ety; 2018. p. 1–6.
[123] Siano P, De Marco G, Rolán A, Loia V. A survey and evaluation of the potentials of distributed ledger technology for
peer-to-peer transactive energy exchanges in local energy markets. IEEE Systems Journal 2019;13(3):3454–3466.
... Adopting information and communication technology (ICT) for cyber-physical system upgrading has created a conducive environment for cyber components. Cyberattacks threaten cyber-physical system sustainability and security concerns (Czekster et al., 2022). According to recent research, a cyberattack on the cyber-physical system disrupted the grid control and functioning system. ...
... This devastated the SG cyber-physical system market. A Denial of Service (DoS) cyber-attack may affect SG cyber-physical system's dynamic performance (Czekster et al., 2022;Yohanandhan et al., 2022a;Kazemy and Hajatipour, 2021). Before deploying in the existing cyber-physical system, it's important to evaluate device applications, algorithms, and settings. ...
The smart grid (SG) system is an intelligent technology that facilitates the integration of green technology and environmental aspects, which is a two-way communication system for information transformation, power generation, and distribution. The development and application of communication technology in the traditional power system deployed the SG cyber-physical system. The SG systems have a complex architecture that contains critical devices and Internet of Things (IoT)-based infrastructures. These critical infrastructures and devices are faced with cyber-attacks. Therefore, the SG systems required lots of research to protect these attacks from economic damage, security deficits, national grid security, and life loss. This paper comprehensively reviews SG cyber-physical and cyber security systems, standard protocols, and challenges. We discussed the SG model, key elements, advanced distribution management system (ADMS), supervisory control and data acquisition (SCADA), and advanced metering infrastructure framework (AMI). Then, we discussed the SG cyber-physical system communication standards and protocols. We present a correlation between SG cyber-physical system communication technology, standards and protocols, and application. Then, we thoroughly study cyber security principles, standards, and protocols. Finally, we discuss some challenges for SG cyber-physical systems, cyber-attacks, and cyber security systems and recommend some solutions for future research. This study provided a deep understanding of the cyber security systems and standards and proposed direction for future research in smart grid system applications.
... In business/enterprise levels, analysts depend on accurate measurements and historic data to perform medium/long planning efforts. We suggest further reading about the cybersecurity underpinnings behind the active buildings from Czekster et al. [64], where its authors detail a roadmap for tackling cyber-attacks in this architecture. ...
Full-text available
Active buildings can be briefly described as smart buildings with distributed and renewable energy resources able to energise other premises in their neighbourhood. As their energy capacity is significant, they can provide ancillary services to the traditional power grid. As such, they can be a worthy target of cyber-attacks potentially more devastating than if targeting traditional smart buildings. Furthermore, to handshake energy transfers, they need additional communications that add up to their attack surface. In such a context, security analysis would benefit from collection of cyber threat intelligence (CTI). To facilitate the analysis, we provide a base active building model in STIX in the tool cyberaCTIve that handles complex models. Active buildings are expected to implement standard network security measures, such as intrusion-detection systems. However, to timely respond to incidents, real-time detection should promptly update CTI, as it would significantly speed up the understanding of the nature of incidents and, as such, allow for a more effective response. To fill this gap, we propose an extension to the tool cyberaCTIve with a web service able to accept (incursion) feeds in real-time and apply the necessary modifications to a STIX model of interest.
Full-text available
Cyber-Physical Systems (CPS) are present in many settings addressing a myriad of purposes. Examples are Internet-of-Things (IoT) or sensing software embedded in appliances or even specialised meters that measure and respond to electricity demands in smart grids. Due to their pervasive nature, they are usually chosen as recipients for larger scope cyber-security attacks. Those promote system-wide disruptions and are directed towards one key aspect such as confidentiality, integrity, availability or a combination of those characteristics. Our paper focuses on a particular and distressing attack where coordinated malware infected IoT units are maliciously employed to synchronously turn on or off high-wattage appliances, affecting the grid's primary control management. Our model could be extended to larger (smart) grids, Active Buildings as well as similar infrastructures. Our approach models Coordinated Load-Changing Attacks (CLCA) also referred as GridLock or BlackIoT, against a theoretical power grid, containing various types of power plants. It employs Continuous-Time Markov Chains where elements such as Power Plants and Botnets are modelled under normal or attack situations to evaluate the effect of CLCA in power reliant infrastructures. We showcase our modelling approach in the scenario of a power supplier (e.g. power plant) being targeted by a botnet. We demonstrate how our modelling approach can quantify the impact of a botnet attack and be abstracted for any CPS system involving power load management in a smart grid. Our results show that by prioritising the type of power-plants, the impact of the attack may change: in particular, we find the most impacting attack times and show how different strategies impact their success. We also find the best power generator to use depending on the current demand and strength of attack.
Full-text available
Inter-networked control systems make smart buildings increasingly efficient but can lead to severe operational disruptions and infrastructure damage. It is vital the security state of smart buildings is properly assessed so that thorough and cost effective risk management can be established. This paper uniquely reports on an actual risk assessment performed in 2018 on one of the world's most densely monitored, state-of-the-art, smart buildings. From our observations, we suggest that current practice may be inadequate due to a number of challenges and deficiencies, including the lack of a recognised smart building risk assessment methodology. As a result, the security posture of many smart buildings may not be as robust as their risk assessments suggest. Crucially, we highlight a number of key recommendations for a more comprehensive risk assessment process for smart buildings. As a whole, we believe this practical experience report will be of interest to a range of smart building stakeholders.
Full-text available
This paper presents OPEN, an open-source software platform for integrated modelling, control and simulation of smart local energy systems. Electric power systems are undergoing a fundamental transition towards a significant proportion of generation and flexibility being provided by distributed energy resources. The concept of ‘smart local energy systems’ brings together related strategies for localised management of distributed energy resources, including active distribution networks, microgrids, energy communities, multi-energy hubs, peer-to-peer trading platforms and virtual power plants. OPEN provides an extensible platform for developing and testing new smart local energy system management applications, helping to bridge the gap between academic research and industry translation. OPEN combines features for managing smart local energy systems which are not provided together by existing energy management tools, including multi-phase distribution network power flow, energy market modelling, nonlinear energy storage modelling and receding horizon optimisation. The platform is implemented in Python with an object-oriented structure, providing modularity and allowing it to be easily integrated with third-party packages. Case studies are presented, demonstrating how OPEN can be used for a range of smart local energy system applications due to its support of multiple model fidelities for simulation and control.
Full-text available
Increasing penetrations of interoperable distributed energy resources (DER) in the electric power system are expanding the power system attack surface. Maloperation or malicious control of DER equipment can now cause substantial disturbances to grid operations. Fortunately, many options exist to defend and limit adversary impact on these newly-created DER communication networks, which typically traverse the public internet. However, implementing these security features will increase communication latency, thereby adversely impacting real-time DER grid support service effectiveness. In this work, a collection of software tools called SCEPTRE was used to create a co-simulation environment where SunSpec-compliant photovoltaic inverters were deployed as virtual machines and interconnected to simulated communication network equipment. Network segmentation, encryption, and moving target defence security features were deployed on the control network to evaluate their influence on cybersecurity metrics and power system performance. The results indicated that adding these security features did not impact DER-based grid control systems but improved the cybersecurity posture of the network when implemented appropriately.
The growing adoption of Distributed Energy Resources (DER) in low-voltage distribution grids calls for new feedback control algorithms that rely on quasi-real-time data collected by remote sensors. The design and evaluation of such algorithms necessitates a prudent and comprehensive approach since these algorithms require a tight integration of power and communication systems. A simple link failure or a sophisticated cyberattack launched against the grid's monitoring, communication, and control infrastructure could rapidly grow out of control, making the grid unstable. We investigate the design and implementation of a high-fidelity smart grid simulation platform which integrates a network simulator and a power flow simulator using the Mosaik co-simulation framework. The platform allows for evaluating the performance of new control algorithms and understanding the dynamics of modern distribution grids. Example case studies are presented to validate the proposed platform.
The smart grid is a complicated system consisting of communication network and power grid components. There are various powerful simulation tools for communication networks, as well as for power systems. However, co-simulation tools are required to reproduce the interaction between cyber-physical components. We conducted a survey overview of various co-simulation tools and their characteristics applicable to smart grid research. We determined that the combination of FCNS, GridLAB-D and ns-3 is a promising direction for smart grid study, improving co-simulation speed by 20%. By applying these tools and the IEEE 13 Node Test Feeder Model, we conducted a case study on the impact of security threats on smart grid demand/response and dynamic pricing applications. The impact of fake data injection and jamming attacks is obvious as a result of our simulation. The findings support related research in the field and can be used for cybersecurity training.
Smart grids have become susceptible to cyber-attacks, being one of the most diversified cyber–physical systems. Measurements collected by the supervisory control and data acquisition system can be compromised by a smart hacker, who can cheat a bad-data detector during state estimation by injecting biased values into the sensor-collected measurements. This may result in false control decisions, compromising the security of the smart grid, and leading to financial losses, power network disruptions, or a combination of both. To overcome these problems, we propose a novel approach to cyber-attacks detection, based on an extremely randomized trees algorithm and kernel principal component analysis for dimensionality reduction. A performance evaluation of the proposed scheme is done by using the standard IEEE 57-bus and 118-bus systems. Numerical results show that the proposed scheme outperforms state-of-art approaches while improving the accuracy in detection of stealth cyber-attacks in smart-grid measurements.
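The two preceding abstracts (fake data injection against demand/response, and stealth attacks that cheat a bad-data detector during state estimation) rest on one mechanism: an injection that lies in the column space of the measurement matrix leaves the estimator's residual unchanged, so a residual-threshold detector never fires. The following is an added example, not code from any of the cited papers or from the roadmap's authors. It builds a constructed 3-bus DC power-flow model (reference angle at bus 1, all line susceptances 1 p.u., four measurements), a least-squares state estimator with a residual-norm bad-data detector, a naive single-measurement attack that the detector catches, and a stealthy attack a = Hc that it does not, while shifting the estimated angles by exactly c. The network, noise vector, threshold and attack vectors are all assumptions chosen for illustration.

```python
"""Stealthy false-data injection against a DC state estimator.

Added example, not code from the cited papers. The 3-bus network, the
measurement set, the noise and the attack vectors are constructed for
illustration. Pure Python (no numpy) so it runs anywhere.
"""
from math import sqrt
from typing import List

Matrix = List[List[float]]
Vector = List[float]

# Measurement model z = H x + e. Bus 1 is the angle reference, so the
# state is x = [theta2, theta3]. Susceptance of every line is 1 p.u.
# Rows: flow 1-2, flow 2-3, flow 1-3, net injection at bus 2.
H: Matrix = [
    [-1.0,  0.0],   # P12 = theta1 - theta2
    [ 1.0, -1.0],   # P23 = theta2 - theta3
    [ 0.0, -1.0],   # P13 = theta1 - theta3
    [ 2.0, -1.0],   # P2  = P21 + P23
]
TRUE_STATE: Vector = [0.10, -0.05]                 # constructed operating point (rad)
NOISE: Vector = [0.002, -0.001, 0.0015, -0.002]    # constructed sensor noise (p.u.)
THRESHOLD = 0.01                                   # assumed residual-norm alarm limit


def matvec(A: Matrix, v: Vector) -> Vector:
    return [sum(a * x for a, x in zip(row, v)) for row in A]


def transpose(A: Matrix) -> Matrix:
    return [list(col) for col in zip(*A)]


def matmul(A: Matrix, B: Matrix) -> Matrix:
    Bt = transpose(B)
    return [[sum(a * b for a, b in zip(row, col)) for col in Bt] for row in A]


def solve(A: Matrix, b: Vector) -> Vector:
    """Gauss-Jordan elimination with partial pivoting (A is small and SPD here)."""
    n = len(A)
    M = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[pivot] = M[pivot], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [a - f * p for a, p in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]


def estimate_state(H: Matrix, z: Vector) -> Vector:
    """Unweighted least squares: x_hat = (H^T H)^-1 H^T z."""
    Ht = transpose(H)
    return solve(matmul(Ht, H), matvec(Ht, z))


def residual_norm(H: Matrix, z: Vector) -> float:
    """||z - H x_hat||, the quantity a chi-square style bad-data detector thresholds."""
    fitted = matvec(H, estimate_state(H, z))
    return sqrt(sum((zi - fi) ** 2 for zi, fi in zip(z, fitted)))


def bad_data_detected(H: Matrix, z: Vector, threshold: float = THRESHOLD) -> bool:
    return residual_norm(H, z) > threshold


def measurements() -> Vector:
    """Clean telemetry for the constructed operating point."""
    return [hx + e for hx, e in zip(matvec(H, TRUE_STATE), NOISE)]


def naive_attack(z: Vector, index: int, delta: float) -> Vector:
    """Bias one sensor; the injection is not in col(H), so the residual grows."""
    out = z[:]
    out[index] += delta
    return out


def stealthy_attack(H: Matrix, z: Vector, c: Vector) -> Vector:
    """a = H c is in col(H): the residual (I - P) z is unchanged and x_hat shifts by c."""
    return [zi + ai for zi, ai in zip(z, matvec(H, c))]


if __name__ == "__main__":
    z = measurements()
    print("clean     detected:", bad_data_detected(H, z), "x_hat:", estimate_state(H, z))
    zn = naive_attack(z, 1, 0.5)
    print("naive     detected:", bad_data_detected(H, zn), "residual:", round(residual_norm(H, zn), 4))
    zs = stealthy_attack(H, z, [0.3, 0.2])
    print("stealthy  detected:", bad_data_detected(H, zs), "x_hat:", estimate_state(H, zs))
```

The stealthy case is what the cited work's learned detector (extremely randomized trees over KPCA features) is trying to catch: because the residual is provably unchanged, any defence must look at something other than the residual, for instance the statistical distribution of measurements over time or physical plausibility of the shifted state. The attacker also needs to know H, which is why topology and line-parameter data should be treated as sensitive, and why protecting a small set of measurements with tamper-evident sensors can make a = Hc impossible to realise.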
The Internet of Things (IoT) creates a theoretical bridge between end users and the digital world. The IoT embodies a massive group of interconnected computing devices embedded with software, processors, and sensors capable of exchanging and transmitting data over network infrastructure. IoT technology has become prevalent among central domains such as healthcare, commerce, and home. However, the IoT can often be thought of as a double-edged sword, in that it both assists with advancements in the respective fields and poses a potential risk. The rapid expansion of the IoT raises concern; in many cases, security tends to lag behind innovation in the global marketplace. Moreover, the United States government has not established stringent regulations that oversee IoT devices. Our research analyzes critical devices and the associated vulnerabilities and highlights the need for implementation of rigorous security controls. Furthermore, our research evaluates attack vectors for IoT devices that encompass three central domains, including healthcare, commerce, and home. A synopsis of our contribution includes identification of vulnerabilities at the device level; investigation of attacks and threats created due to known vulnerabilities; and application of appropriate security controls to close out vulnerabilities and minimize the possibility of a threat occurring. Finally, we present specifically tailored case studies designed to illustrate how our recommendations can be used to mitigate threats.
This work uses high resolution data from 130 electricity sub-meters to characterise a 12,500 m² commercial building as a virtual power plant (VPP) by assessing the magnitude and duration of electrical loads suitable for demand response (DR). In 2018, the building had a peak hourly demand of 48 W/m² and its electricity consumption (183.2 kWh/m²/yr) was within the low to medium range of the air-conditioned UK portfolio. Deferrable loads from heat pumps, air handling units, lifts, lighting, circulating pumps and dry air coolers were used to illustrate the building's DR capability over a maximum duration of 4 h per DR cycle. On average, deferrable loads form 46.4% of total building electricity consumption and across a 4-hour DR cycle can be characterised as having an initial power (and stored energy) of 28 kW (401 ± 117 kWh); 109 kW (571 ± 82 kWh); and finally 138 kW (625 ± 18 kWh) for 100%, 41.5% and 24.6% of the time respectively. Following a DR event, the HVAC's ability to restore the original indoor climate was found to be at least twice as fast as the climatic drift during the event. A linear regression model was found to be weak in using external temperature to predict the magnitude of aggregated deferrable loads.