In modern energy systems, the battery management system (BMS) plays a critical role in monitoring and controlling lithium-ion batteries, ensuring their safe and efficient operation. Accurate state of charge (SOC) estimation is fundamental to the battery management system, as it directly impacts battery performance, lifespan, and safety. However, with the increasing digitization and networking of battery management systems, vulnerabilities in data transmission have become more exposed, making BMS susceptible to malicious attacks. Attackers can inject false data into sensor measurements, leading to significant deviations in SOC estimation. Such deviations may cause overcharging or over-discharging, potentially resulting in thermal runaway or even explosions. Therefore, developing robust defense mechanisms to protect the battery management system from malicious attacks while maintaining accurate SOC estimation is an urgent research priority. Traditional methods for attack detection often rely on threshold-based approaches, which are challenging to set due to factors like temperature variations and battery aging. Moreover, attack-resistant estimation algorithms may still suffer from performance degradation under intense or stealthy attacks. To address these issues, this paper proposes a novel defense scheme based on chaotic time/frequency hopping (TH/FH) spread spectrum. This approach aims to detect and mitigate malicious attacks without compromising SOC estimation accuracy, ensuring the reliability and security of the battery management system.
The core idea of our method is to leverage chaotic sequences to generate TH/FH signals with unpredictable frequency and duration variations. These signals are used to modulate and demodulate transmitted data in the battery management system, enabling attack detection through signal analysis and defense by filtering out attack components. By ensuring data authenticity, our scheme supports precise SOC estimation even under attack conditions. In the following sections, we first describe the lithium-ion battery model and SOC estimation algorithm, followed by the malicious attack model. Then, we detail the design of chaotic TH/FH signals and the attack detection and defense scheme. Finally, we present simulation experiments to validate the effectiveness of our approach.
Problem Description: Battery Modeling and Attack Scenarios
To accurately estimate SOC in a battery management system, a precise mathematical model of the lithium-ion battery is essential. We adopt a second-order equivalent circuit model, which balances complexity and accuracy. The model includes resistors and capacitors to represent electrochemical dynamics, as summarized in the following equations. The state-space representation of the battery model is given by:
$$
\begin{aligned}
\dot{U}_1(t) &= -\frac{1}{R_1 C_1} U_1(t) + \frac{1}{C_1} I(t), \\
\dot{U}_2(t) &= -\frac{1}{R_2 C_2} U_2(t) + \frac{1}{C_2} I(t), \\
\dot{E}_{SOC}(t) &= -\frac{\eta_c}{C_{bat}} I(t), \\
U_{bat}(t) &= U_{OC}(E_{SOC}, T) - I(t) R_0 - U_1(t) - U_2(t),
\end{aligned}
$$
where \(U_1\) and \(U_2\) are polarization voltages, \(I\) is the battery current, \(U_{bat}\) is the terminal voltage, \(R_0\), \(R_1\), and \(R_2\) are resistances, \(C_1\) and \(C_2\) are capacitances, \(\eta_c\) is the Coulombic efficiency, \(C_{bat}\) is the rated capacity, and \(U_{OC}\) is the open-circuit voltage, which is a function of SOC and temperature \(T\). The open-circuit voltage is approximated by a sixth-order polynomial:
$$
U_{OC}(E_{SOC}, T) = \sum_{i=0}^{6} k_i(T) E_{SOC}^i,
$$
where the coefficients \(k_i(T)\) depend on temperature. Table 1 summarizes the identified polynomial coefficients at different temperatures, obtained through experimental data fitting. These parameters are crucial for the battery management system to model battery behavior accurately.
| T (°C) | \(k_0\) | \(k_1\) | \(k_2\) | \(k_3\) | \(k_4\) | \(k_5\) | \(k_6\) |
|---|---|---|---|---|---|---|---|
| 0 | 3.21 | 4.70 | -23.22 | 56.98 | -69.73 | 42.42 | -10.21 |
| 25 | 3.44 | 0.48 | 3.24 | -20.69 | 46.20 | -42.94 | 14.44 |
| 45 | 3.48 | -0.79 | 12.47 | -48.98 | 89.00 | -74.46 | 23.47 |
The model parameters \(R_0\), \(R_1\), \(R_2\), \(C_1\), and \(C_2\) are also temperature- and SOC-dependent. Using particle swarm optimization, we identified these parameters across different conditions. Table 2 provides a sample of parameter values at selected SOC and temperature points, illustrating their nonlinear variations. This nonlinearity complicates SOC estimation in the battery management system, especially under malicious attacks.
| SOC (%) | T (°C) | \(R_0\) (mΩ) | \(R_1\) (mΩ) | \(C_1\) (kF) | \(R_2\) (mΩ) | \(C_2\) (kF) |
|---|---|---|---|---|---|---|
| 50 | 25 | 2.1 | 1.5 | 12.3 | 0.8 | 45.6 |
| 80 | 45 | 1.8 | 1.2 | 15.7 | 0.6 | 50.2 |
| 20 | 0 | 2.5 | 2.0 | 10.1 | 1.2 | 40.3 |
For SOC estimation, we employ an extended Kalman filter (EKF) due to its ability to handle nonlinearities. The discrete-time state-space model is derived from the continuous equations. Let the state vector be \(x_k = [U_{1,k}, U_{2,k}, E_{SOC,k}]^T\), the input be \(u_k = I_k\), and the measurement be \(y_k = U_{bat,k}\). The discretized model is:
$$
x_{k+1} = F_k x_k + G_k u_k + \omega_k,
$$
$$
y_k = H_k x_k + D_k u_k + \nu_k,
$$
where \(\omega_k\) and \(\nu_k\) are process and measurement noises, assumed to be Gaussian. The matrices are defined as:
$$
F_k = \begin{bmatrix}
e^{-\Delta T / (R_1 C_1)} & 0 & 0 \\
0 & e^{-\Delta T / (R_2 C_2)} & 0 \\
0 & 0 & 1
\end{bmatrix}, \quad
G_k = \begin{bmatrix}
R_1 (1 - e^{-\Delta T / (R_1 C_1)}) \\
R_2 (1 - e^{-\Delta T / (R_2 C_2)}) \\
-\eta_c \Delta T / C_{bat}
\end{bmatrix},
$$
$$
H_k = \left[ -1 \quad -1 \quad \frac{\partial U_{OC}}{\partial E_{SOC}} \right], \quad
D_k = -R_0.
$$
The EKF algorithm recursively updates the state estimate as follows:
$$
\begin{aligned}
\text{Prediction:} & \quad \hat{x}_{k|k-1} = F_{k-1} \hat{x}_{k-1|k-1} + G_{k-1} u_{k-1}, \\
& \quad P_{k|k-1} = F_{k-1} P_{k-1|k-1} F_{k-1}^T + Q, \\
\text{Update:} & \quad K_k = P_{k|k-1} H_k^T (H_k P_{k|k-1} H_k^T + R)^{-1}, \\
& \quad \hat{x}_{k|k} = \hat{x}_{k|k-1} + K_k (y_k - H_k \hat{x}_{k|k-1} - D_k u_k), \\
& \quad P_{k|k} = (I - K_k H_k) P_{k|k-1},
\end{aligned}
$$
where \(P\) is the error covariance, \(Q\) and \(R\) are noise covariances, and \(K\) is the Kalman gain. This EKF forms the core of SOC estimation in the battery management system. However, in the presence of malicious attacks, the measurement \(y_k\) is compromised, leading to inaccurate estimates.
We model malicious attacks as false data injection into sensor measurements. The attacked measurement is:
$$
y_k^a = y_k + a_k,
$$
where \(a_k\) is the attack signal injected by an adversary. This signal can be constant, time-varying, or stealthy, aiming to bias SOC estimation without triggering alarms. For example, a constant current or voltage offset can gradually drift SOC estimates. The vulnerability of the battery management system to such attacks motivates our defense scheme.
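As an added example (not code from the paper), the EKF of this section and the false-data-injection model above, implemented in Python on the page's second-order RC model. It assumes the 25 °C coefficients of Table 1, the 50 %/25 °C parameters of Table 2 converted to SI units, the 50 Ah capacity of the experiments section, a Coulombic efficiency of 1, a 1 s sample period, and a constructed 10 A constant-current discharge with 1 mV Gaussian measurement noise. The innovation uses the nonlinear terminal-voltage function, with the page's \(H_k\) as its Jacobian; the class and function names are the example's own.

```python
"""Added example, not the paper's code: EKF SOC estimation on the page's
second-order RC model, on a constructed constant-current discharge, with and
without a constant false-data-injection offset on the terminal voltage.
Pure Python: F is diagonal and H is a row vector, so the 3x3 algebra is written out."""
import math
import random

# Table 1 (25 degC) open-circuit-voltage polynomial coefficients k_0 .. k_6.
K_OCV = [3.44, 0.48, 3.24, -20.69, 46.20, -42.94, 14.44]
# Table 2 (SOC 50 %, 25 degC) circuit parameters converted to ohm and farad.
R0, R1, C1, R2, C2 = 2.1e-3, 1.5e-3, 12.3e3, 0.8e-3, 45.6e3
ETA_C = 1.0               # assumed Coulombic efficiency
C_BAT = 50.0 * 3600.0     # 50 Ah cell (experiments section) in ampere-seconds
DT = 1.0                  # assumed sample period in seconds
A1, A2 = math.exp(-DT / (R1 * C1)), math.exp(-DT / (R2 * C2))


def u_oc(soc):
    """U_OC(E_SOC, T) at 25 degC from the sixth-order polynomial."""
    return sum(k * soc ** i for i, k in enumerate(K_OCV))


def du_oc(soc):
    """dU_OC/dE_SOC, the nonzero entry of the Jacobian H_k."""
    return sum(i * k * soc ** (i - 1) for i, k in enumerate(K_OCV) if i > 0)


def predict(x, i_k):
    """x_{k+1} = F_k x_k + G_k u_k with x = [U1, U2, E_SOC], u = I (discharge > 0)."""
    return [A1 * x[0] + R1 * (1.0 - A1) * i_k,
            A2 * x[1] + R2 * (1.0 - A2) * i_k,
            x[2] - ETA_C * DT / C_BAT * i_k]


def terminal_voltage(x, i_k):
    """U_bat = U_OC(E_SOC) - I R0 - U1 - U2, the nonlinear measurement function."""
    return u_oc(x[2]) - i_k * R0 - x[0] - x[1]


class SocEkf:
    def __init__(self, x0, p0_diag, q_diag, r):
        self.x = list(x0)
        self.P = [[p0_diag[i] if i == j else 0.0 for j in range(3)] for i in range(3)]
        self.q, self.r = q_diag, r

    def step(self, i_prev, i_k, y_k):
        """One EKF iteration: prediction with u_{k-1}, update with (y_k, u_k)."""
        f = (A1, A2, 1.0)                                   # diagonal of F
        x = predict(self.x, i_prev)
        P = [[f[i] * self.P[i][j] * f[j] + (self.q[i] if i == j else 0.0)
              for j in range(3)] for i in range(3)]        # F P F^T + Q
        h = (-1.0, -1.0, du_oc(x[2]))                       # H_k
        ph = [sum(P[i][j] * h[j] for j in range(3)) for i in range(3)]   # P H^T
        s = sum(h[i] * ph[i] for i in range(3)) + self.r                 # H P H^T + R
        k = [v / s for v in ph]                                          # Kalman gain
        innovation = y_k - terminal_voltage(x, i_k)         # nonlinear h(x) for H x + D u
        self.x = [x[i] + k[i] * innovation for i in range(3)]
        hp = [sum(h[m] * P[m][j] for m in range(3)) for j in range(3)]  # H P
        self.P = [[P[i][j] - k[i] * hp[j] for j in range(3)] for i in range(3)]
        return self.x[2]


def simulate(attack_offset_v, current_a=10.0, steps=3600, seed=0):
    """Mean |SOC error| over the last 600 s. attack_offset_v is the constant a_k
    added to every terminal-voltage sample (y_k^a = y_k + a_k); constructed run."""
    rng = random.Random(seed)
    x_true = [0.0, 0.0, 0.90]                               # plant uses the same model
    ekf = SocEkf(x0=[0.0, 0.0, 0.80], p0_diag=[1e-4, 1e-4, 1e-2],
                 q_diag=[1e-8, 1e-8, 1e-8], r=1e-6)         # deliberately wrong initial SOC
    errors = []
    for _ in range(steps):
        x_true = predict(x_true, current_a)
        y_k = terminal_voltage(x_true, current_a) + rng.gauss(0.0, 1e-3)
        soc_hat = ekf.step(current_a, current_a, y_k + attack_offset_v)
        errors.append(abs(soc_hat - x_true[2]))
    return sum(errors[-600:]) / 600.0


if __name__ == "__main__":
    print("clean run, mean |SOC error| :", simulate(0.0))
    print("+50 mV offset, mean |error|  :", simulate(0.05))
```

The clean run settles to a sub-percent error; with a 50 mV constant offset the estimator converges to a bias of roughly the offset divided by the OCV slope (about 1 V per unit SOC in this region), i.e. about 5 % SOC, which is the drift mechanism described above. The offset ends up in the integrator state because the polarization states are pulled back to their modelled values by the known current, so a constant measurement bias can only be explained by SOC.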
Design of Chaotic Time/Frequency Hopping Signals
To defend against malicious attacks, we propose using chaotic TH/FH signals for secure data transmission in the battery management system. Traditional frequency hopping spreads signals across multiple frequencies at fixed intervals, but predictable patterns may be exploited by attackers. Our approach uses chaotic sequences to generate signals with unpredictable frequency and duration hops, enhancing security.
We generate chaotic sequences via a discrete hyperchaotic map. The map equations are:
$$
\begin{aligned}
z_1(k+1) &= -0.4 z_1(k) + e^{-z_2(k)} + 1.75 \sin^2(z_1(k)) z_2(k), \\
z_2(k+1) &= z_1(k) + z_2(k).
\end{aligned}
$$
This map exhibits complex dynamics suitable for generating random-like sequences. Note that the second equation accumulates \(z_1\) into \(z_2\), so the state is not confined to a bounded range as written; an implementation must verify that the iterates stay within the range the quantizer below assumes (and that the exponential term does not overflow), otherwise the quantized values degenerate. To quantize the sequences for frequency and duration mapping, we apply:
$$
Z_i = \left( \lfloor \theta \cdot (z_i - 10) \rfloor \mod K_q \right) + 1,
$$
where \(Z_i\) is the quantized value, \(\theta\) is a scaling factor, and \(K_q\) is the quantization modulus. The frequency and duration of the TH/FH signal are then determined as:
$$
w_{s,n} = W_{\text{fre}}(Z_1), \quad t_{s,n} = T_s \cdot Z_2 + T_{s,\text{min}},
$$
where \(w_{s,n}\) is the hopping frequency selected from a predefined set \(W_{\text{fre}}\), and \(t_{s,n}\) is the hopping duration with minimum value \(T_{s,\text{min}}\). Writing \(\tau_n = \tau_{n-1} + t_{s,n}\) (with \(\tau_0 = 0\)) for the hop boundaries, the chaotic TH/FH signal is constructed as:
$$
s(w_{s,n}, t_{s,n}) = K_s \cos(2\pi w_{s,n} t + \phi_0), \quad \text{for } t \in [\tau_{n-1}, \tau_n),
$$
where \(K_s\) is the amplitude and \(\phi_0\) is the initial phase. The signal’s frequency and duration change chaotically over time, making it difficult for attackers to predict or replicate. This unpredictability is key to securing the battery management system.
Table 3 summarizes the parameters for chaotic TH/FH signal generation. These parameters are configured to ensure a wide hopping range and non-repetitive patterns, enhancing the defense capability of the battery management system.
| Parameter | Symbol | Value | Description |
|---|---|---|---|
| Scaling factor | \(\theta\) | 100 | Amplifies chaotic sequence |
| Quantization modulus | \(K_q\) | 8 | Number of frequency/duration levels |
| Frequency set | \(W_{\text{fre}}\) | {1, 2, …, 8} kHz | Available hopping frequencies |
| Minimum duration | \(T_{s,\text{min}}\) | 0.1 ms | Shortest hop time |
| Duration scaling | \(T_s\) | 0.05 ms | Multiplier for hop time |
| Signal amplitude | \(K_s\) | 1 V | Amplitude of TH/FH signal |
Attack Detection and Defense Scheme Based on Chaotic TH/FH Spread Spectrum
Our defense scheme integrates chaotic TH/FH signals into the data transmission pipeline of the battery management system. The process involves modulation, transmission, demodulation, and filtering, as illustrated in the block diagram. The key steps are outlined below.
First, at the transmitter side (e.g., sensor node), the measurement signal \(y(k)\) is modulated by the chaotic TH/FH signal \(s_{\text{in}}(w_{s,n}, t_{s,n})\):
$$
y_{\text{mod}}(k) = y(k) \cdot s_{\text{in}}(w_{s,n}, t_{s,n}).
$$
This modulated signal is then transmitted over the network. If an attacker injects a false signal \(a(k)\), the received signal becomes:
$$
y_{\text{net}}(k) = y_{\text{mod}}(k) + a(k) + N(k),
$$
where \(N(k)\) represents noise and interference. The attacker, unaware of the chaotic TH/FH pattern, cannot effectively tamper with the signal without detection.
At the receiver side (e.g., BMS controller), the signal is demodulated using a synchronized chaotic TH/FH signal \(s_{\text{out}}(w_{s,n}, t_{s,n})\), which is identical to \(s_{\text{in}}\) due to shared chaotic seeds. The demodulation is:
$$
y_{\text{dem}}(k) = 2 K_s^{-2} y_{\text{net}}(k) \cdot s_{\text{out}}(w_{s,n}, t_{s,n}).
$$
The factor \(2 K_s^{-2}\) cancels the \(K_s^2\) contributed jointly by the modulating and demodulating carriers (for \(K_s = 1\) V, as in Table 3, it is simply 2). Substituting \(y_{\text{net}}(k)\) and \(s_{\text{out}} = K_s \cos(2\pi w_{s,n} t + \phi_0)\) and using \(2\cos^2 x = 1 + \cos 2x\), we get:
$$
\begin{aligned}
y_{\text{dem}}(k) &= y(k) + y(k) \cos(4\pi w_{s,n} t + 2\phi_0) \\
&\quad + 2 K_s^{-1} \cos(2\pi w_{s,n} t + \phi_0) (N(k) + a(k)).
\end{aligned}
$$
The demodulated signal contains the original measurement \(y(k)\), high-frequency components from the TH/FH signals, and the attack signal mixed with a high-frequency carrier. Since the attack signal \(a(k)\) is typically low-frequency (e.g., constant or slowly varying), it is multiplied by a high-frequency term, shifting its spectrum.
To recover the original measurement, we apply a low-pass filter (LPF) with cutoff frequency \(f_{\text{LPF}}\) satisfying:
$$
f_{y,\text{o}} < f_{\text{LPF}} \ll f_{\text{min}},
$$
where \(f_{y,\text{o}}\) is the maximum frequency of \(y(k)\), and \(f_{\text{min}}\) is the minimum hopping frequency. The filtered output is:
$$
y_{\text{lp}}(k) = y(k) + N_{\text{lp}}(k),
$$
where \(N_{\text{lp}}(k)\) is residual noise, which can be handled by the EKF. Importantly, the attack signal \(a(k)\) is filtered out because it is modulated to high frequencies. Thus, the battery management system receives an attack-free measurement for SOC estimation. This holds for any \(a(k)\) whose spectrum lies below \(f_{\text{LPF}}\); an adversary who could reproduce \(s_{\text{in}}\) could place the injected energy at the current carrier and pass the filter, which is why secrecy of the chaotic seed (discussed below) is a precondition of the scheme.
For attack detection, we also analyze the modulated signal directly. By passing \(y_{\text{net}}(k)\) through the same LPF, we obtain:
$$
y_{\text{det}}(k) = a(k) + N_{\text{det}}(k),
$$
which approximates the attack signal plus noise. This allows the battery management system to detect anomalies by monitoring \(y_{\text{det}}(k)\) for deviations from zero. Because the nominal value of \(y_{\text{det}}(k)\) is zero whatever the battery's temperature, age, or operating point, the detection threshold depends only on the noise statistics of the channel and not on the battery model; this removes the difficulty that threshold-based detection on the raw measurements faces.
The overall defense scheme ensures that even if attackers inject false data, the battery management system can filter them out and maintain accurate SOC estimation. Moreover, the chaotic TH/FH signals act as a keyed spreading layer: the shared chaotic seed plays the role of a key, and an adversary without it cannot follow or manipulate the transmission. The chaotic map is not a cryptographic primitive, so the strength of this layer rests entirely on keeping the seed secret and the sequence unpredictable (see the Discussion). This dual functionality of detection and defense is crucial for securing the battery management system in adversarial environments.
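As an added example (not the paper's code) covering both the signal design section above and the modulation, demodulation, filtering and detection steps of this section: a pure-Python model of the link. It departs from the page in three respects, all assumptions of the example: the page's hyperchaotic map is replaced by the Hénon map, a bounded two-dimensional chaotic map, so the page's floor/mod quantizer stays meaningful; the hop-duration constants are \(T_s = 1\) ms and \(T_{s,\text{min}} = 2\) ms rather than Table 3's, so that every hop holds a whole number of cycles of any carrier in Table 3's {1, ..., 8} kHz set and the carrier products average to zero block by block; and the LPF is a boxcar average aligned to the 1 ms grid. The 100 kHz sample rate, \(\phi_0 = 0\), the slow sensor waveform and the 50 mV attack burst are constructed inputs; all names are the example's own.

```python
"""Added example, not the paper's code: chaotic TH/FH modulation, demodulation,
low-pass filtering and attack detection as described in the text.
Assumptions that differ from the page: Henon map instead of the page's map,
T_s = 1 ms and T_s,min = 2 ms so hops are whole milliseconds, boxcar LPF on the
1 ms grid, 100 kHz sampling, phi_0 = 0, constructed inputs."""
import math
import random

FS = 100_000                               # assumed sample rate in Hz
SPM = FS // 1000                           # samples per millisecond (100)
W_FRE = [1000 * n for n in range(1, 9)]    # Table 3: {1, ..., 8} kHz
K_Q, THETA, K_S, PHI0 = 8, 100, 1.0, 0.0   # Table 3; phi_0 assumed 0
T_S_MS, T_S_MIN_MS = 1, 2                  # assumed: hops last 3..10 ms


def henon(z, a=1.4, b=0.3):
    """Bounded 2-D chaotic map used here in place of the page's map."""
    z1, z2 = z
    return (1.0 - a * z1 * z1 + z2, b * z1)


def quantise(z):
    """Z_i = (floor(theta * (z_i - 10)) mod K_q) + 1 as on the page, in 1..K_q."""
    return (math.floor(THETA * (z - 10.0)) % K_Q) + 1


def hop_schedule(seed, total_ms):
    """(frequency Hz, duration ms) pairs from the chaotic sequence covering total_ms."""
    z, hops, elapsed = seed, [], 0
    while elapsed < total_ms:
        z = henon(z)
        f = W_FRE[quantise(z[0]) - 1]                 # w_{s,n} = W_fre(Z_1)
        d = T_S_MS * quantise(z[1]) + T_S_MIN_MS      # t_{s,n} = T_s Z_2 + T_s,min
        hops.append((f, d))
        elapsed += d
    return hops


def th_fh_signal(hops, n_samples):
    """s(t) = K_s cos(2 pi w_{s,n} t + phi_0) on the n-th hop interval, sampled at FS."""
    s, k = [], 0
    for f, d in hops:
        for _ in range(d * SPM):
            if k == n_samples:
                return s
            s.append(K_S * math.cos(2.0 * math.pi * f * k / FS + PHI0))
            k += 1
    return s


def lowpass(x, window_ms):
    """Boxcar LPF evaluated on the 1 ms grid: out[j] is the mean of x over
    milliseconds [j, j + window_ms). Cutoff is roughly 1 / (2 * window)."""
    w = window_ms * SPM
    csum = [0.0]
    for v in x:
        csum.append(csum[-1] + v)
    return [(csum[end] - csum[end - w]) / w for end in range(w, len(x) + 1, SPM)]


def run_link(y, attack, noise_sigma=1e-3, seed=(0.0, 0.0), lpf_ms=100):
    """Sensor side modulates y; the channel adds a(k) and noise; the BMS side
    demodulates with its synchronised copy of s (shared seed) and low-passes both
    the demodulated signal (y_lp, recovered measurement) and the raw channel
    signal (y_det, attack estimate)."""
    n = len(y)
    hops = hop_schedule(seed, n // SPM + 10)
    s = th_fh_signal(hops, n)                         # s_in == s_out
    rng = random.Random(1)
    y_net = [y[k] * s[k] + attack[k] + rng.gauss(0.0, noise_sigma) for k in range(n)]
    y_dem = [2.0 / K_S ** 2 * y_net[k] * s[k] for k in range(n)]
    return lowpass(y_dem, lpf_ms), lowpass(y_net, lpf_ms), hops


def flagged_windows(y_det, threshold):
    """First and last LPF window index whose |y_det| exceeds the threshold."""
    idx = [j for j, v in enumerate(y_det) if abs(v) > threshold]
    return (idx[0], idx[-1]) if idx else None


def constructed_inputs(seconds=1.0):
    """Constructed data: a 1 Hz, 50 mV ripple on a 3.9 V terminal voltage, and a
    50 mV constant false-data burst injected from 0.4 s to 0.7 s."""
    n = int(seconds * FS)
    y = [3.9 + 0.05 * math.sin(2.0 * math.pi * k / FS) for k in range(n)]
    a = [0.05 if 0.4 * FS <= k < 0.7 * FS else 0.0 for k in range(n)]
    return y, a


if __name__ == "__main__":
    y, a = constructed_inputs()
    y_lp, y_det, hops = run_link(y, a)
    ref = lowpass(y, 100)
    print("max |y_lp - LPF(y)| =", max(abs(p - q) for p, q in zip(y_lp, ref)))
    print("y_det inside / outside attack =", y_det[550], y_det[200])
    print("flagged windows =", flagged_windows(y_det, 0.025), "hops =", len(hops))
```

The recovered measurement matches the low-passed clean signal to well under a millivolt while the burst is active, and the detection channel reads about 50 mV inside the burst and about zero outside it, so a threshold derived from the channel noise alone (here 25 mV, an assumed value) brackets the attack. The integer-millisecond hop lengths matter: if a hop may end part-way through a carrier cycle, as with Table 3's sub-millisecond values, the truncated cycles leak low-frequency energy through the LPF, so an implementation should either align hop boundaries to carrier periods or filter over many hops.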
Experimental Validation and Results
To validate our approach, we conducted simulations using MATLAB/Simulink. The battery model parameters were based on a commercial lithium-ion battery with a capacity of 50 Ah. We simulated two scenarios: (1) SOC estimation under malicious attacks without defense, and (2) SOC estimation with our chaotic TH/FH defense scheme. The goal is to demonstrate that our method detects and mitigates attacks without degrading SOC estimation performance.
In the first scenario, we applied constant current injection attacks of varying magnitudes during a discharge cycle at 45°C. The SOC estimation errors are summarized in Table 4. Without defense, attacks of 100 mA and above cause significant SOC deviations, exceeding 5% error, which is unacceptable for a battery management system. Smaller attacks (e.g., 1 mA) have negligible immediate impact, but a persistent small offset accumulates in the integrated SOC over time.
| Attack Magnitude | SOC Error (%) | Remarks |
|---|---|---|
| No attack | 1.8 | Baseline error due to model inaccuracies |
| 1 mA | 1.9 | Negligible increase |
| 100 mA | 5.8 | Significant deviation |
| 500 mA | 15.2 | Large error, risky for BMS |
In the second scenario, we implemented our chaotic TH/FH defense. The modulation and demodulation parameters were as in Table 3. We injected the same attacks and observed the SOC estimates and detection signals. Figure 1 shows the BMS architecture incorporating our defense scheme, highlighting the secure data flow.

With defense enabled, the SOC estimation errors remained near the baseline, regardless of attack magnitude. Table 5 compares the results for 100 mA and 500 mA attacks. The defense scheme successfully filtered out attack signals, preserving estimation accuracy. This underscores the effectiveness of our method for the battery management system.
| Attack Magnitude | SOC Error with Defense (%) | Attack Detected? |
|---|---|---|
| 100 mA | 1.9 | Yes |
| 500 mA | 2.0 | Yes |
We also tested non-persistent attacks, where short-duration current injections (e.g., 100 mA for 300 s) occur intermittently. Without defense, these attacks cause subtle SOC drifts that may go unnoticed. With our scheme, the detection signal \(y_{\text{det}}(k)\) clearly revealed the attack periods, as shown in Table 6. The battery management system can thus identify even stealthy attacks and log them for further analysis.
| Attack Interval | Attack Magnitude | Detection Signal Peak | Remarks |
|---|---|---|---|
| 500-800 s | 100 mA | 0.12 V | Clear spike during attack |
| 1800-2100 s | 200 mA | 0.25 V | Larger spike, easy to detect |
The chaotic TH/FH signals themselves were analyzed for randomness. We computed the autocorrelation and entropy of the frequency hopping sequence, confirming its unpredictable nature. This randomness ensures that attackers cannot easily replicate or jam the signals, providing long-term security for the battery management system.
Discussion and Implications
Our proposed method offers several advantages for securing the battery management system. First, it integrates seamlessly with existing BMS architectures, requiring only additional modulation/demodulation modules. Second, it does not compromise SOC estimation performance, as attacks are filtered out before reaching the estimator. Third, the chaotic TH/FH signals provide a lightweight keyed-spreading mechanism without intensive computational overhead, suitable for resource-constrained BMS hardware; it is not a cryptographic primitive in itself and complements, rather than replaces, conventional message authentication.
Compared to traditional threshold-based detection, our approach reduces false alarms because attacks are physically separated via frequency hopping. Moreover, the defense is proactive: even if attackers manage to inject false data, the modulation process inherently neutralizes their impact. This is particularly important for safety-critical applications where battery management system reliability is paramount.
Potential limitations include the need for synchronization between transmitter and receiver for chaotic TH/FH signals. However, this can be addressed using secure key exchange protocols or hardware-based synchronizers. Additionally, the method assumes that attackers cannot access the chaotic seeds; thus, seed management must be robust, possibly using physical unclonable functions (PUFs) in the battery management system.
Conclusion
In this paper, we presented a chaotic time/frequency hopping method for defending battery management systems against malicious attacks. By leveraging chaotic sequences to generate unpredictable TH/FH signals, we designed a spread spectrum scheme that modulates sensor data, detects attacks through demodulation analysis, and filters out attack signals to maintain accurate SOC estimation. Simulation results demonstrated that our method effectively mitigates both persistent and non-persistent attacks without sacrificing estimation performance. The battery management system (BMS) thus becomes more resilient to cyber threats, ensuring the safe and efficient operation of lithium-ion batteries. Future work will focus on implementing the scheme on hardware prototypes and exploring its integration with other BMS security measures, such as intrusion detection systems and blockchain-based data logging. Overall, our contribution highlights the importance of proactive defense mechanisms in modern battery management systems, paving the way for more secure energy storage solutions.
