Juntao Chen, Ph.D., an assistant professor in the computer and information sciences department, was recently awarded a $200,000 National Science Foundation grant to study modern electric power systems and strengthen their defenses against cyberattacks.
“Power failures can lead to great economic loss and greatly impact on our daily lives,” said Chen, who was awarded the grant last December. “My goal is to improve people’s lives by ensuring the security and resiliency of our energy system.”
Electric power systems are a critical component of society that provide power to our homes, businesses, and devices. But when they fail, they can have devastating consequences, said Chen. Disastrous events, including the 2019 Manhattan blackout and the 2021 Texas power crisis, have previously shut down the electric grid and left millions of people without power.
Thanks to advances in technology, many electric power systems now use energy devices that can be controlled remotely through smartphone apps and other Internet-based devices. These devices, known as Internet of Things (IoT)-enabled energy devices, can be found in solar panels, wind generation systems, and electric vehicles, said Chen. They can also be found in commonly used household appliances like air conditioners, water heaters, and electric ovens.
A Weakness with Potentially Devastating Consequences
The original goal of using IoT-enabled energy devices was to improve operational performance through greater reliability and sustainability, said Chen. However, he said that these devices are weak in one critical area—cybersecurity.
“IoT-enabled energy devices are easy to hack because they are not built with a high level of security. These devices have limited capabilities, and they are incapable of running sophisticated encryption and authentication mechanisms, which our computers have,” Chen said. “These devices are also often operated under factory settings with a default password, so it can be relatively easy to hack them.”
Hackers can compromise devices in a coordinated manner, said Chen. The attacker first gains control of a group of IoT-enabled energy devices and then forms an IoT botnet—a network of infected devices that can launch a large-scale attack and disrupt the normal operations of an entire electric power system.
“This can disrupt the supply-and-demand chain of energy suppliers and consumers. It can also create a power surge that makes our electric grid more unstable and potentially lead to a power failure that causes economic loss and human injury,” Chen said. “The cyberattack initially leads to a local power failure. An energy supplier will try to restore the power, but the power failure could propagate and lead to a major blackout due to the highly complex and dynamic nature of grid operations.”
Increasing Protection in the Field and at Home
In a two-year-long project, Chen and his team of graduate and undergraduate students will conduct a comprehensive study of modern electric power systems, analyze the behavior of potential hackers, and develop defensive strategies to protect the power systems from cyberattacks. Their overarching goal is to create cost-effective mechanisms to improve the security and resiliency of electric power systems under IoT botnet attacks. Collectively, these mechanisms can serve as a guide for grid operators who are responsible for protecting the electrical power system, said Chen.
Right now, everyday people can protect their personal IoT devices from cyberattacks by taking one simple step—changing their devices’ default passwords, said Chen.
“Many people ignore this step and leave their devices in a very vulnerable situation. An attacker can guess their passwords very easily and have complete control over their devices,” Chen said. “We also need to regularly patch and update the software systems on our devices, just like we do with our smartphones.”
Chen said that his team’s research results will be integrated into a new course at Fordham called Artificial Intelligence for Cybersecurity. The course, which will provide students with cross-disciplinary training in cybersecurity, artificial intelligence, and informatics, will potentially be offered in 2023.
“What excites me most is the nature of this project,” said Chen. “This is a societal problem that will potentially have a lot of impact on our daily lives.”