Smart connected appliances, should they be commandeered by attackers for use in a botnet, could result in everything from local power outages to severe wide-scale blackouts, a team of Princeton University researchers contended at the USENIX Security Symposium.
The researchers (Saleh Soltan, Prateek Mittal, and H. Vincent Poor) demonstrated that an IoT botnet of Internet-connected high-wattage devices gives potential attackers the ability to launch large-scale coordinated attacks on the power grid.
The researchers dubbed this class of attacks on power grids the Manipulation of demand via IoT attacks, or MadIoT. For this research, the team studied five types of MadIoT attacks and evaluated their effectiveness against simulators based on real-world power grid models.
According to the researchers, the results demonstrate that MadIoT attacks can create local power outages and, in the worst cases, large-scale blackouts.
Interestingly, the researchers found that MadIoT attacks can be used to increase the operating cost of the grid in an electricity market. “This work sheds light upon the interdependency between the vulnerability of the IoT and that of the other networks such as the power grid whose security requires attention from both the systems security and power engineering communities,” the team wrote in their abstract.
The research team also found that, compared with typical botnet capacity, such an attack doesn’t require an especially large number of compromised systems. In their case, a botnet of only 90,000 air conditioners and 18,000 electric water heaters could create problems in certain markets. The mode for causing issues would be as simple as turning machines on and off at coordinated times.
“This imbalance instantly results in a sudden drop in the system’s frequency,” the team wrote in their report. “If the imbalance is greater than the system’s threshold, the frequency may reach a critical value that causes generators tripping and potentially a large-scale blackout. For example, using state-of-the-art simulators on the small-scale power grid model of the Western System Coordinating Council (WSCC), we show that a 30% increase in the demand results in tripping of all the generators.”
The takeaway here is how interconnected these IoT devices and the power grid are, and what that means for their security and long-term stability. If high-wattage IoT devices can be compromised (they can), malicious actors can commandeer these devices to cause real-world power grid disruptions and blackouts and perhaps make it more challenging to successfully operate the grid.
The team provided the following guidance to the three main constituents:
Power systems’ operation: Power systems’ operators should rigorously analyze the effects of potential MadIoT attacks on their systems and develop preventive methods to protect their systems. Initiating a data sharing platform between academia and industry may expedite these developments in the future.
IoT security: As shown by both presented MadIoT attacks and the Mirai botnet, insecure IoT devices can have devastating consequences that go far beyond individual security/privacy losses. This necessitates a rigorous pursuit of the security of IoT devices, including regulatory frameworks.
Interdependency: Our work demonstrates that interdependency between infrastructure networks may lead to hidden vulnerabilities. System designers and security analysts should explicitly study threats introduced by interdependent infrastructure networks such as water, gas, transportation, communication, power grid, and several other networks.
The group hopes their work raises awareness of the significance of these MadIoT attacks among grid operators, smart appliance manufacturers, and systems security experts so that the power grid, and other networks, can be made more secure against attack. “This is especially critical in the near future when more smart appliances with the ability to connect to the Internet are going to be manufactured,” they wrote.
One would hope such awareness would change the actions of IoT device makers as well as grid operators — but this is unlikely. Whether it was the rise of the cloud a decade ago, or increased eCommerce traffic in the late 1990s, or protecting digitized personal healthcare data — industry will be slow to act to mitigate the risk.