Modeling Cyber Attacks on Power Grid Consumers: A Comprehensive Threat Analysis and Risk Assessment Framework

Abstract

This thesis examines the risks associated with coordinated cyber-attacks on smart home and IoT devices, with a particular focus on their potential to disrupt power grids through distributed load manipulation. Simulations of attacks targeting high-wattage devices, such as Electric Vehicles (EVs), electric ovens, water heaters, and air conditioners, demonstrate that a moderate percentage of compromised devices can rapidly escalate into localized or widespread blackouts. The severity of these disruptions is influenced by factors such as device type, geographic distribution, seasonal aspects, and the level of coordination.The feasibility of large-scale IoT compromises is well-documented, as evidenced by historical incidents such as the Mirai botnet attack, in which hundreds of thousands of devices were exploited to launch DDoS attacks. More recently, the discovery of backdoors in the widely used ESP32 Wi-Fi/Bluetooth chip has further underscored the systemic vulnerabilities within IoT ecosystems. Given that this chip is embedded in over a billion devices, these weaknesses not only expose critical security gaps but also reinforce the plausibility of highly coordinated cyber-attacks. Such findings highlight the significant risk of these threats, demonstrating that large-scale attacks of this nature are not just hypothetical but a realistic concern for power grid stability.To mitigate these risks, this thesis proposes a security framework that integrates established methodologies, including the ISO/SAE 21434 standard, MITRE ATT&CK, and STRIDE models. By utilizing key elements from these approaches, the thesis introduces a structured methodology for threat modeling and risk assessment, significantly enhancing the identification and mitigation of vulnerabilities in smart home systems. The findings demonstrate a measurable reduction in risk levels, underscoring the effectiveness of the developed security strategy.