It’s a mad, mad, mad IoT world - protecting America’s power grid from common household appliances

It's a mad IoT world and cybersecurity professionals are deeply concerned.

Of all the nightmare scenarios that keep cybersecurity experts up at night, none has proven more durable or scarier than the one where “bad actors” co-opt smart appliances—toasters, TVs, washing machines, microwaves and other common appliances connected by the Internet of Things (IoT) to create a botnet powerful enough to bring down the national power grid.

The fear is not unfounded. In 2014, hackers stole personal data on millions of Target customers by exploiting a loophole in one the company’s HVAC providers.  Two years later, hackers created a nasty piece of IoT malware called Murai that scans for insecure routers, cameras, DVRs, and other IoT devices which are still using their default passwords and then adds them into a botnet network, which is then used to launch DDoS attacks on websites and Internet infrastructure. That attack briefly shut down Netflix and the New York Times.  Most recently, a casino was hacked via a thermometer in an aquarium in the lobby. (That's NOT fake news.)

But, could hackers really create an IoT botnet large enough to take down America’s massive power grid and plunge the entire country into darkness and chaos?

Princeton University’s researchers Saleh Soltan, H. Vincent, and Prateek Mittal say that while it is probably not practical anytime soon, it could, indeed, happen—provided (and this is a big if at the moment) the attacker can gain access to thousands of devices in one localized area. If a botnet of large-sized, high-wattage IoT home appliances (air conditioners, refrigerators, ovens, washing machines, and water heaters) were created, it would be possible to launch coordinated attacks on the national power grid that would lead to massive, widespread outages in the country.

According to their somewhat counter-intuitive findings [PDF], the most dangerous attacks on the electrical infrastructure will come from the demand side of the national grid, not the supply side.  Instead of going after generating plants or transmission lines, most of which are more robustly protected, the attackers could co-opt and enslave an army of ordinary heavy-wattage IoT appliances that demand so much power that the process overloads the energy grid. The researchers termed the threat as a manipulation of demand via IoT or MadIoT.

The researchers analyzed the effectiveness of a number of MadIoT variations of simulated models and real-world energy grid models. They found out that not only can these appliances, if compromised, cause local power outages but large-scale blackouts too. Using the same tactic, attackers can increase the grid’s operating costs in favor of some companies at the expense of others.

Soltan and his team looked at three possible categories of potential malicious demand manipulation:

• Attacks that result in frequency instability on the grid by suddenly spiking demand. An abrupt increase or decrease in the power demands-–potentially by synchronously switching on or off many high wattage IoT devices–-results in an imbalance between the supply and demand. This imbalance instantly results in a sudden drop in the system’s frequency. As demand increases, the line frequency of the electrical grid—the oscillation of alternating current over the wire—decreases. A sudden surge in demand could cause a corresponding dramatic drop in frequency, taking generators offline. The team wrote:

This imbalance instantly results in a sudden drop in the system’s frequency. If the imbalance is greater than the system’s threshold, the frequency may reach a critical value that causes generators tripping and potentially a large-scale blackout. For example, using state-of-the-art simulators on the small- scale power grid model of the Western System Coordinating Council (WSCC), we show that a 30 percent increase in the demand results in tripping of all the generators.

What would an attacker need to successfully launch such an assault?  Soltan and his team say it would require access to about 90,000 air conditioners or 18,000 electric water heaters within the targeted geographical area.

• Attacks that cause line failures and result in cascading failures. The team found that an attack focused on unbalancing supply across a grid could cause line failures as power is moved from one part of the grid to another. Using a model of the Polish power grid from the peak of summer in 2008, the researchers found that an increase of only 1 percent in demand would have resulted in a cascading grid failure with 263 line failures—and outages for 86 percent of customers.

Such an attack by the adversary requires access to about 210,000 air conditioners which is 1.5 percent of the total number of households in Poland.

• Attacks that affect the cost of operation. Based on their simulations, Soltan, Mittal, and Poor calculated that just a five-percent increase in power demand during peak hours created by an attack could result in an increase of power costs of 20 percent. This type of attack might be driven by financial incentives (say, a rival utility from whom the targeted utility would have to buy additional resources) rather than a desire to cause damage.

Soltan et al point out some of the properties that make countering the MadIoT attacks challenging. The attacks’ sources are hard to detect and disconnect by the grid operators due to their distributed nature. They can be easily repeated and refined until they become effective and are black-box since the attacker does not need to know the operational details of the power grid.

The takeaway here is how interconnected these IoT devices and the power grid are, and what that means for their security and long-term stability. If high-wattage IoT devices can be compromised (they can), malicious actors can commandeer these devices to cause real-world power grid disruptions and blackouts and perhaps make it more challenging to successfully operate the grid.

My take

It is unlikely that a BlackIot botnet attack of sufficient scale to cause massive blackouts is possible - yet. There aren't enough high-powered smart devices in use within the geographic area of a targeted electrical grid.  But as internet-connected air conditioners, heaters, and other high-wattage devices increasingly show up in homes, a demand-based attack like the one the Princeton researchers describes could become not only likely but more practical than one that targets grid operators.

This is entirely predictable. Smart devices may, arguably, be making our daily lives more convenient but there is certain to be a price to be paid unless we seriously overhaul our security infrastructure to protect against the unpredictable consequences of a world where billions of ordinary, easily compromised devices are connected.  Will the high tech industry get ahead of the curve or will it be as unprepared as it was for the security challenges of eCommerce in the 1990s or the cloud in the 2000s?  I suspect we know the answer to that already.