Track Chosen

Track 3: Smart Grid

MLH Tracks: Vultr, Gemini, Auth0

Problem Statement

CERBERUS (Cyber Energy Reasoning & Behavior Evaluation for Resilient Utility Systems) is a grid-edge cybersecurity platform that secures power grids against behavioral and cyber-driven threats. Today, power grids support large, volatile power consumers such as AI data centers, crypto mining facilities, and industrial loads. These large loads have introduced instability and new attack surfaces that existing monitoring tools are not ready to handle.

Findings from the NERC Large Loads Task Force warned that these large loads lack sufficient real-time monitoring, validation, and coordinated visibility at the grid edge. The reports highlight risks from rapid load ramps, inaccurate or spoofed telemetry, voltage sensitivity, and the potential for cascading disconnections.

Ideation and Development Process

We started the ideation process with a review of current tools for power grid cybersecurity. Then, we consulted with industry experts (hackathon mentors) and iterated on our initial idea based on their feedback. The NERC Large Loads Task Force findings also helped highlight large loads as a key pain point to focus on.

Solution Proposed and Intended Impact

CERBERUS can be thought of as the three-headed guard dog of Greek mythology, with each head representing a layer of security defending our power grids from malicious attacks.

The first layer is a Random Forest Regression Model, trained on Vultr's servers using UCI's dataset on electric power consumption. The model is trained with supervised learning on jitter signals, frequency deviations, entropy, and ramp rate, achieving an accuracy of 96%.

The second layer is a Hierarchical Density-Based Spatial Clustering of Applications with Noise (HDBSCAN) Model, an unsupervised learning algorithm suited for power-system telemetry where attack signatures and failure modes are not already represented in datasets. Combined with the first layer of supervised learning, this system is able to detect 99.7% of attacks.

The third layer is a reasoning system powered by Gemini that further analyzes suspicious activity identified by the first two layers. First, an AI agent called CERBERUS-FAST uses Gemini Flash to quickly analyze telemetry, historical behavior, grid topology, etc. From this analysis, CERBERUS-FAST reaches a verdict on whether the suspicious activity was a false positive (pass), potentially suspicious (escalate to CERBERUS-DEEP), or a malicious attack (quarantine). It then provides a real-time summary explaining its decision, allowing human grid operators to read and understand its reasoning. Higher severity events are escalated to CERBERUS-DEEP, which uses Gemini Pro to perform a deeper analysis of telemetry, environmental variables, grid topology, etc., providing more specific insight and more accurate verdicts. CERBERUS-DEEP flags the event as a false positive (pass), potentially suspicious (escalate to human operator), or a malicious attack (quarantine).
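The escalation path described above, sketched as an added example (not the CERBERUS team's code). FAST and DEEP are passed in as callables; the `anomaly_score` and `topology_mismatch` fields and the stub thresholds are constructed, and treating an unparseable or failed model reply as an escalation rather than a pass is an assumed fail-safe policy.

```python
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    PASS = "pass"
    ESCALATE = "escalate"
    QUARANTINE = "quarantine"

@dataclass
class Decision:
    action: str       # "pass", "quarantine" or "human_review"
    decided_by: str   # tier whose verdict was final
    trail: list       # (tier, raw verdict, summary) shown to the operator

def parse_verdict(raw):
    """Unrecognised model output becomes ESCALATE, never PASS (assumed policy)."""
    try:
        return Verdict(raw.strip().lower())
    except (ValueError, AttributeError):
        return Verdict.ESCALATE

def triage(event, fast, deep):
    """fast and deep are callables returning (verdict_text, summary)."""
    trail = []
    for tier, analyze in (("CERBERUS-FAST", fast), ("CERBERUS-DEEP", deep)):
        try:
            raw, summary = analyze(event)
        except Exception as exc:  # timeout, quota error, malformed reply
            raw, summary = "escalate", f"analyzer error: {exc}"
        trail.append((tier, raw, summary))
        verdict = parse_verdict(raw)
        if verdict is not Verdict.ESCALATE:
            return Decision(verdict.value, tier, trail)
    # DEEP escalated or failed: the event goes to a human operator.
    return Decision("human_review", "CERBERUS-DEEP", trail)

# Constructed stand-ins for the Gemini-backed agents; the score field and
# thresholds are hypothetical and no model is called.
def fast_stub(event):
    score = event["anomaly_score"]
    if score < 0.3:
        return "pass", "load ramp matches historical behavior"
    if score > 0.9:
        return "QUARANTINE", "telemetry contradicts neighboring meters"
    return "possibly suspicious", "free-text reply, not a valid verdict"

def deep_stub(event):
    if event.get("topology_mismatch"):
        return "quarantine", "reported load impossible for this feeder"
    return "escalate", "cannot rule out spoofing"
```

The `trail` list keeps every tier's raw reply and summary, so an operator reviewing a `human_review` decision sees what each agent said, including replies that failed validation.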

With this 3-level system, CERBERUS aims to reduce the risk of cyber attacks, securing the grid edge. By combining supervised prediction, unsupervised anomaly discovery, and AI-powered reasoning, CERBERUS operationalizes the risks identified by the NERC Large Loads Task Force into deployable protections. For grid operators, this means fewer false alarms, faster root-cause analysis, and clear, explainable recommendations during high-pressure events.
