We live in a world where washing machines text us when a load of laundry is finished and refrigerators can email grocery lists. But for all the convenience, it turns out that these high-wattage appliances can potentially be marshaled into something very inconvenient indeed: a wide-scale attack on the power grid.
Academic research released at the Usenix Security Symposium this week shows how an Internet of Things (IoT) botnet of large, power-consuming home devices (such as the aforementioned washing machines and fridges, along with others like air conditioners, ovens and water-heaters) can carry out coordinated attacks on our power infrastructure. Attackers need only force the enslaved appliances to increase their power usage, thus overloading the energy grid.
The researchers – Saleh Soltan, Prateek Mittal and H. Vincent Poor from Princeton University – have dubbed the theoretical offensive “BlackIoT”, and have termed the threat a “manipulation of demand via IoT” attack, or MadIoT.
The team looked at different variations of MadIoT attacks, evaluating their effectiveness via simulators and real-world power-grid models. The simulations resulted in local power outages, and, in the worst cases, large-scale blackouts.
The team also stressed that the threat isn’t just of the catastrophic variety; the tactic can also be used to satisfy good, old-fashioned competitive greed. “The attacks can rather be used to increase the operating cost of the grid to benefit a few utilities in the electricity market,” the researchers wrote in their paper, released this week.
What the Attacks Look Like
The researchers identified three attack types, each with varying degrees of success when it came to manipulating the demand curve on the simulated grid. For instance, in the most basic attack, an attacker could switch on (or off) many high-wattage IoT devices at once – which can result in frequency instability.
“An abrupt increase (similarly decrease) in the power demands…results in an imbalance between the supply and demand,” the paper noted. “This imbalance instantly results in a sudden drop in the system’s frequency. If the imbalance is greater than the system’s threshold, the frequency may reach a critical value that causes generators tripping and potentially a large-scale blackout.”
For a power grid model of the Western System Coordinating Council (WSCC) utility, a simulated attack using 90,000 air conditioners or 18,000 electric water heaters produced a 30 percent increase in demand – which tripped all of the simulated generators.
Obviously, a slew of appliances that turn on at will is likely to trigger consumer alarm, which is why the Princeton team also looked at scenarios that might fly under the perception radar.
For instance, they demonstrated that even a small spike in power consumption can have significant effects.
“The grid operator has almost no control over the power flows after the response of the primary controllers,” the paper explained. That means that if a demand spike isn’t large enough to be caught and stabilized by those controllers, the energy flow will continue on to the grid, where it can combine with flows from other small spikes to reach the critical mass needed to cause line failures, which could in turn result in cascading failures.
The simulations showed that an increase of only 1 percent in demand in the Polish grid during a summer peak could cause an outage in 86 percent of the loads.
“These attacks…can cause failures in important high-capacity tie-lines that connect two neighboring independent power systems–e.g., of neighboring countries,” researchers noted.
The team also tested out attacks that increase operating costs. When demand outstrips supply, the typical arrangement is for power companies to buy additional electric power from reserve-generator operators – which usually have higher prices than the normal production prices. Running up demand can therefore be a competitive tool.
“Using the reserve generators can significantly increase the power generation cost for the grid operator but at the same time be profitable for the utility that operates the reserve generators,” the paper said.
A Future Threat
The attacks obviously would rely on an adversary having already gained access to connected appliances, which, as we know from Mirai and its variants, is hardly a task requiring sophistication. However, a successful attack would require a botnet of many hundreds of thousands of connected appliances, all located within the same geographic area – and that’s an undertaking that would be restricted by opportunity and, of course, the install base of connected appliances.
These smart appliances aren’t yet in widespread deployment, after all, and where they are becoming common, sales tend to be focused in higher-income neighborhoods. Both of these factors could be obstacles to creating a large enough botnet in the target grid’s footprint to be effective.
Other limitations to real-world attacks include the fact that some appliances take a few seconds to warm up to full capacity, meaning that short spike attacks become more difficult, and that power grids may have mitigating controls that could combat the impact of imbalances.
So, it’s unlikely that a texting freezer is going to end up as the linchpin for a blackout anytime soon. However, the researchers noted that despite the fact the scenario is for now simply theoretical, given the rampant insecurity of IoT devices in general, it’s smart to think ahead to possible consequences.
“This work sheds light upon the interdependency between the vulnerability of the IoT and that of the other networks such as the power grid whose security requires attention from both the systems security and power engineering communities,” they said.