Science fiction movies often depict various situations related to cybercriminals’ activity. These can include predicaments where threat actors disrupt the transportation system of a large city or cause power outages in entire regions. In fact, this is beyond science fiction these days – impacting the power grid isn’t that difficult.
The only viable way to avoid a scenario like that is to focus on protecting smart devices and critical infrastructure. Manufacturers tend to neglect the security facet of their IoT contrivances. One of the best ways to protect IoT is using VPN services. It is possible to configure VPN connection on most routers. That way all smart appliances will be connected to the secure and encrypted network. In addition, it is desirable to change default passwords and update all software on regular basis.
Information security specialists have described hackers’ tactics aimed at wreaking local havoc with power supply. There’s no need to blow things up to do it. All it takes is creating a botnet that targets specific IoT devices, such as smart air conditioners, connected thermostats and the like. The logic is simple: to remotely turn on these devices in all buildings of any given region and thus cause power outages.
It’s clear that crooks have to switch on tens of thousands of these smart home appliances in one hit for the attack to be successful because many power grids have sufficient capacity to withstand abnormally high consumption nowadays. However, even the most enduring network will fail to cope with the enormous load caused by a plethora of “power vampires” – air conditioners, heaters, etc. By the way, this type of a sabotage can also be accomplished by means of specially crafted malware that zeroes in on SCADA systems of power suppliers.
Security researchers have provided the details of a hypothetical power grid apocalypse in a report presented at the Usenix Security conference in mid-August. The attack surface in their calculation is a whole country or region with about 38 million inhabitants. There’s no need to hack into every single household – it suffices to take control of tens of thousands of water heaters or hundreds of thousands of air conditioners.
“Power grids are stable as long as supply is equal to demand. If you have a very large botnet of IoT devices, you can really manipulate the demand, changing it abruptly, any time you want,” says Saleh Soltan, a co-author of the above-mentioned report.
The outcome is a system disruption and blackouts ensuing from it. Incidentally, in addition to air conditioners and water heaters, smart kettles and coffee machines are also juicy targets for hackers, because they consume a great deal of power as well. The authors of the study suppose that malefactors will be increasing network load during periods when municipal services are least prepared; moreover, the frequency of the attacks and impact level will vary.
It’s noteworthy that this is a purely conceptual scenario as it doesn’t point out any specific vulnerabilities of smart devices that hackers might exploit. On the other hand, poor security of IoT systems has been the talk of the town for quite a while now. Vendors mainly focus on the design and features rather than the security of their devices. By the way, researchers had described a vulnerability of smart air conditioners at Kaspersky Security Analyst Summit that was held back in 2016. Besides, a vast variety of connected appliances – from fridges to aquariums – have been reportedly hacked over the past years.
In order to estimate the possible impact of such attacks, the analysts used MATPOWER and Power World software. This allowed them to check how badly different types of botnets could affect power grids of different sizes. The adverse effect can be huge. For instance, 86% of Poland’s power lines may suffer a blackout due to a 1% increase in energy consumption. This can be achieved by turning on 210,000 air conditioners or 42,000 water heaters simultaneously.
Controlling such a large number of IoT devices is a normal thing for a botnet. Major botnets like Mirai are known to have enslaved hundreds of thousands of smart appliances at their peak performance. In the case of Mirai, the bots included routers and CCTV cameras for the most part, but the fact remains that mass infections of smart devices are a real issue.
Some security analysts argue that forming a botnet of smart air conditioners, fridges and heaters can be an unfeasible objective at this point. The thing is, there aren’t enough connected devices out there; however, their number will be constantly increasing over time as most home appliances made by major manufacturers nowadays can be considered to be elements of the Internet of Things in one way or another.
The emergence of such a botnet is a matter of time, and it’s almost beyond doubt that someone will attempt to orchestrate an attack like that. Perhaps, hackers will compromise smart conditioners and heaters for a different reason, for example, for cryptocurrency mining rather than causing blackouts.
Nevertheless, if high-profile cybercriminals end up targeting critical infrastructure and decide to disrupt the power grid in a specific region, they probably won’t find it too hard to run an attack of that sort. Furthermore, they can confuse the grid operator by slightly increasing power consumption in certain locations while reducing it in others.
This way, the overall network load will be huge, but the scattershot dynamics of power usage will make it hard to determine the source of the problem. It may even be problematic to figure out that it’s hackers to blame – who knows, maybe people in a certain city suddenly started feeling hot due to a weather change and decided to turn on their air conditioners at the same time.