Inherent Vulnerability of Demand Response Optimisation against False Data Injection Attacks in Smart Grids Thusitha Dayaratne, Carsten Rudolph, Ariel Liebman, Mahsa Salehi Faculty of Information Technology Monash University Melbourne, Australia {Thusitha.Dayaratne, Carsten.Rudolph, Ariel.Liebman, Mahsa.Salehi}@monash.edu Abstract—The transition of energy networks to so-called smart grids benefits from advancements in Internet of Things technol- ogy. Energy management systems enable efficient and effective demand response (DR) schemes optimising load distribution. The increased user involvements through such DR schemes creates a new vector for false data injection attacks (FDIA), where authentic users themselves inject false data. Unlike in most existing FDIAs, no breaches to communication or devices are needed to execute this type of FDIA. In this work, we depict that this new FDIA can impact any optimisation-based DR scheme. Further, we show that adversaries achieve financial benefits independently from the actual algorithm used for optimisation, as long as they are able to inject false demand predictions. Com- pared to traditional FDIAs, reliable security mechanisms such as proper authentication, security protocols, security controls or sealed/controlled devices cannot prevent this new type of FDIA. Additionally, we show that there is no straightforward solution and we highlight the need for highly reliable FDIA detection mechanisms to thwart this type of attacks. Index Terms—Demand response, False data injection attack, Inherent vulnerabilities, Smart grids I. I NTRODUCTION Serving peak demand with the ever increasing energy usage is extortionate since utility companies/energy providers need to operate reserve generation to maintain the demand-supply balance. The formation of Smart Grids and its descendant technologies such as Demand Response (DR) schemes try to shape these peak demands to ensure the operating efficiency and cost-effectiveness for utility companies while reducing emissions. Enhancing traditional power grids with the use of Information and Communication Technology enables a range of improved operational functionalities. These include more convenient and efficient energy management, compared to tra- ditional approaches. Many countries are augmenting existing power systems with Advanced Metering Infrastructures (AMI) which enables a two-way communication between utility providers and consumers as well as increase the overall system visibility. For example, the United Kingdom is planning to replace existing meters with Smart Meters (SM) by 2020 [1]. In addition, the Australian state of Victoria has completed a state-wide AMI roll-out of over two million SMs in 2016. Thus, the basis for smart energy networks is being laid. As soon as technology on the demand side in the form of energy management systems follows, demand response optimisation can be practically implemented in a large scale. Utility companies will then provide financial bene- fits/incentives to keep their users actively engaged in their DR systems. Commonly considered financial incentives include Real-Time Pricing (RTP), Day Ahead Pricing (DAP) and Time of Use (ToU) [2], [3]. These programs allow consumers to make more informed decisions about their usages and reduce their costs through reducing their peak demands, which in turn reduces the overall peak demand, helping utility com- panies to better utilize the existing grid infrastructure, obtain more accurate demand forecasts and reduce the need for increasing the reserved generation capacity. Users need to make intelligent decision to achieve the expected results rather than being passive participants in most of the DR systems. However, manually responding to the periodically (possibly every half an hour) changing incentive/pricing signal(s) to actively participate in DR systems is highly inconvenient to a user. Therefore, researchers have proposed distributed DR systems which use the Smart Meters (SMs) and Home Energy Management Systems (HEMSs) to assist consumers with deciding the best time for consuming electricity. These systems obtain information from the utility companies and schedule devices automatically for consumers in a way that satisfies consumption requirements and preferences of all customers and reduces their overall costs and the total peak demand [4], [5], [6]. Rapid advances in IoT-related technologies make a signif- icant impact on distributed/decentralized DR schemes which increased the number of DR schemes proposed in recent years. These DR schemes are capable of producing optimal or close to optimal solutions given the fact that these schemes receive 100% accurate and reliable data. Therefore, data integrity is vital in such distributed DR systems. Having complete, accurate and timely data can guarantee that all consumers will obtain the maximum benefits from these systems. Preserving data integrity is a valid assumption if we have a 100% secure system where a single entity (usually utility company) is 978-1-7281-4973-8/20/$31.00 c  2020 IEEE