Botnet of Smart Power-Consuming Appliances May Cause Widespread Power Outages.
Digital technology has revolutionized the way we use appliances and perform day-to-day chores. Nowadays, our air conditioners are smart enough to be turned off or on remotely, washing machines send us a message to notify about finished laundry and refrigerators email us the grocery list. But, are there any risks associated with such highly digitized smart appliances? Princeton University’s researchers Saleh Soltan, H. Vincent, and Prateek Mittal claim that there are many adverse consequences associated with smart IoT devices especially the high-wattage ones.
According to their findings [PDF], which will be disclosed at the Usenix Security Symposium this week, if a botnet of large-sized, power-consuming IoT home appliances is created, it is possible to launch coordinated attacks on the national power grid. In fact, using smart IoT appliances like air conditioners, refrigerators, ovens, washing machines and water heaters, etc., can carry out massive, widespread outages in the country.
This threat has been dubbed by researchers as BlackIoT and they claim it to be an exploitation of the demand through IoT. Basically, instead of attacking the supply side, the attackers would be looking to attack the demand side. This is why they have termed the threat as a manipulation of demand via IoT or MadIoT.
The only thing an attacker would need to attack the national power grid is an army of enslaved heavy-wattage IoT appliances because these devices consume more power so it will easily overload the energy grid.
A number of variations of MadIoT were assessed by the researchers to analyze their effectiveness through simulated models and real-world energy grid models. They found out that not only these appliances if compromised, can cause local power outages but large-scale blackouts too. Moreover, using the same tactic, attackers can increase the grid’s operating cost. This would claim researchers, “benefit a few utilities in the electricity market.”
The findings of their research on the zombie network of smart high-wattage IoT appliances have been detailed in a paper released this week.
In the paper, researchers mentioned that there can be three types of attacks launched via compromised IoT appliances. Firstly, the attacker can launch most basic type of attack in which many power-consuming IoT devices would be turned on and off at ones to cause frequency instability by generating an imbalance between the demand and supply.
“If the imbalance is greater than the system’s threshold, the frequency may reach a critical value that causes generators tripping and potentially a large-scale blackout,” wrote researchers in the paper.
For instance, in the Western System Coordinating Council power grid model, if an attack is launched using 90,000 air conditioners or 18,000 electric hot-water heaters, this would lead to a 30% increment in demand. This is approx. three times higher than the average demand. Since the grid operator cannot control power flows so, a demand increment that cannot be stabilized by the controllers will lead to line failures.
“These attacks…can cause failures in important high-capacity tie-lines that connect two neighboring independent power systems–e.g., of neighboring countries,” researchers explained.
Another type of attack is to increase operating costs; using the reserve generators, which electric supply companies turn to for buying additional electric power, attackers can cause an increase in power generation cost for the grid operator.
Thirdly, attackers can cause massive outages. If the increase in demand is higher than a threshold, wrote researchers, then the system’s frequency will significantly drop even before the primary controllers can react,
“This consequently may result in the activation of the generators’ protective relays and loss of generators, and finally a blackout.”
However, researchers believe that as long as the supply is stable and equivalent to the demand, the energy grid will remain unaffected. Yet, compromised IoT devices could be devastating. Stricter security and framework regulations for IoT devices is certainly the need of the day.