Using Hacked IoT Devices to Disrupt the Power Grid

This is really interesting research: "BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid":

Abstract: We demonstrate that an Internet of Things (IoT) botnet of high wattage devices -- such as air conditioners and heaters -- gives a unique ability to adversaries to launch large-scale coordinated attacks on the power grid. In particular, we reveal a new class of potential attacks on power grids called the Manipulation of demand via IoT (MadIoT) attacks that can leverage such a botnet in order to manipulate the power demand in the grid. We study five variations of the MadIoT attacks and evaluate their effectiveness via state-of-the-art simulators on real-world power grid models. These simulation results demonstrate that the MadIoT attacks can result in local power outages and in the worst cases, large-scale blackouts. Moreover, we show that these attacks can rather be used to increase the operating cost of the grid to benefit a few utilities in the electricity market. This work sheds light upon the interdependency between the vulnerability of the IoT and that of the other networks such as the power grid whose security requires attention from both the systems security and power engineering communities.

I have been collecting examples of surprising vulnerabilities that result when we connect things to each other. This is a good example of that.

Wired article.

Posted on September 11, 2018 at 6:25 AM • 32 Comments

Comments

me • September 11, 2018 6:48 AM

Reason number 29834792837 not to buy an IoT thing.

I like the idea of connecting things to the internet, but I really don't get why people do it with the current model.
For example:
Take a thermostat: there is the old bimetallic one that doesn't even need power to work, and there is the electric one that can be programmed weekly.
And there is the IoT one that costs much more.
Another problem is that the company can brick your device remotely at will.
And another again is that, for the reason above, they don't work if the servers/internet aren't working at that moment.

So given all these negative points, and the only positive being "you can control the thermostat remotely",
why would someone buy it?
This is what I really don't get; it's not only about security, it's also about usability: the "smart" thermostat to me seems a useless complication.

Same goes for lights: I find it much easier and faster to use classic switches than a mobile phone or anything else.
I would never buy them, even if we ignore security problems.

CallMeLateForSupper • September 11, 2018 6:55 AM

Back in Aught Six, some young bucks at my uni plotted to bust 'em some water pipes by flushing MANY toilets simultaneously. Infrastructure held, in that case. This MadIoT thing is something else altogether.

Ade Naufal Ammar • September 11, 2018 7:34 AM

I think the research of the mentioned paper is well represented in an anime movie called "Detective Conan: Zero the Enforcer". The kid solved the mysterious case that involved hacked IoT devices which led to massive explosions of the IoT devices themselves.

Chris L • September 11, 2018 8:14 AM

The Information Security Forum (ISF) included this in their Threat Horizon 2020 report. Membership is required for the full report, although the abstract may be available to non-members.

Clive Robinson • September 11, 2018 8:31 AM

They are quite late to the party,

    We demonstrate that an Internet of Things (IoT) botnet of high wattage devices-such as air conditioners and heaters-gives a unique ability to adversaries to launch large-scale coordinated attacks on the power grid.

For those who remember back to when the power utility companies, who had failed to maintain and upgrade their assets, pushed for US legislation to pull them out of the hole they had dug via "Smart Meters" and more importantly "Smart Grids".

One of the things the companies wanted above almost all else was the ability to control such power devices over the owners' wishes, so they could avoid making the profit-hurting maintenance and upgrades.

Back then I pointed out that such a Smart Meter / Grid network would get hacked and that the most likely use would be as a cascade weapon to bring the networks down...

Outside of engineers, who have known for many decades, the problem which few other people understand is the cascade effect. It works in a similar way to a chain reaction and is almost as devastating. Especially the part of the effect that stops you bringing the power network back up...

Put simply, the standard heating elements and most motors have an issue called "start-up inrush". That is, they can briefly draw ten times as much from the network during start-up as they do during normal operation. What power companies used to do was "over provision" on the idea that nobody was going to turn everything on at the same time. Broadcast entertainment and electric kettles demonstrated the fallacy in that thinking. A major entertainment like the final of a football series gets televised, and because the networks want big money from advertisers they insist on ad breaks. Now most people are not interested in ads but in refreshments, so they all get up at more or less the same moment and dump a 10 kW load onto the network. Even though the individual loads don't last very long, just a few tens or hundreds of milliseconds, the sheer number and slight spacing out in time means enough total inrush current to trip one or two second time delay overload circuit breakers. As they trip, fail-over causes other power sources to be switched in but... this time all those kettle heating elements come up together with a much more massive inrush current, causing other types of trips, all of which work their way back up the network to the generators that slow, causing frequency synchronisation issues and yet more current...

There are ways to deal with it but you kind of have to know it's going to happen and plan sometimes days in advance to have the right level of very expensive capacity up and waiting...

All this has been known for not just years but decades, hence mine and others' concern about "Smart Grid" enabled products. The power utility companies did not get the legislation they wanted, and adverse weather caused failures that forced some investment in the networks over shareholder profits, but by no means enough, so the issue has not gone away and our demand for power is still rising.

But here we are now with something that is not as old, the "Internet of everything", being effectively forced on everyone because the only profit that can now be made off of IoT etc. is "selling user data"...

As our host @Bruce has noted, you don't buy white or brown goods any longer, you buy a computer with the old style white/brown goods bits hung off of this computer. As the price differential has dropped on microcontroller chips, you in effect get the communications hardware for free. Thus adding Internet connectivity is very, very low cost hardware-wise.

But the software is not cheap if you do it properly, and few IoT vendors, including large well known consumer electronics companies, are going to spend the money, so they buy it in or in effect steal it. This code is full of bugs and it never gets supported... But... because the profit model now includes "user data", the products either will not function or will have limited function unless they are allowed to "Do an ET" to the Chinese etc. "Mothership".

Which by the way also means your fridge is likely to come with a microphone, as does your TV, as well as a camera. Their argument is that they can give you an "Alexa type experience", all whilst every embarrassing thing you do is slurped up and sent off to China, waiting for someone to buy it or just demand it by law...

Yup "Welcome to the self made hell that is the electronic goldfish bowl we now live in"...

Oh and don't forget those activists and hackers who want to be labelled "Weapons of mass destruction using terrorists"[1] doing their thing; they are really not the main threat... You need to also consider what happens when a Nation State like China cross-references all that Internet traffic with, say, the OPM database...

Don't say you were not warned...

[1] The definition of WMD is really not what you might think. The way it's worded in some legislation, an accident that causes the death of two or more people is in effect the use of a WMD. Hence playing around and causing the power to trip in extreme hot or cold weather will almost certainly cause deaths, thus you are now a WMD using Terrorist...

Winter • September 11, 2018 8:54 AM

This discussion is rather US centric. How is it in the rest of the world?

I would expect Japan and China to have their own worries towards each other. Same with the Koreas.

I do know that the EU sponsors a lot of research into the security and resilience of the power infrastructure. If anything, the attack against Ukraine was a wake-up call.

I do know that the European grid does experience less outages than the US grid. But I do not know whether this can be extrapolated to better resilience against targeted attacks.

Anyone who knows about this?

Weather • September 11, 2018 9:10 AM

Clive Robinson
Mix that with one 25 kW electric car ^*
With an average house here using 2 kWh, and they expect electric cars to actually go somewhere as a product, with a petrol car averaging 80 kW,
Hopefully people won't travel more than one hour a day, then it's only double capacity for the grid

Weather • September 11, 2018 9:29 AM

Winter
Not all generation is induction motor driven in genny mode. By increasing the rated speed by 5%, with manually small setups from 1-500 kW using grid-tie inverters which come with low voltage ride through, if there's a lot of demand and the voltage drops (low load resistance), they don't disconnect, with the grid supplying a sync force to push against (induction motors of 5 MW). A problem will happen in the future if a large source goes offline: within 2 sec max (by law) the inverters (all) will turn off.
The starting price for a 250 kW setup to get a consultant to look at is quite high, and there is no way the lines company will go anywhere without it.

Winter • September 11, 2018 9:50 AM

"a problem will happen in the future if a large source goes offline,within 2 sec max(by law) the inverters(all) will turn off."

Modern grids are working to handle large fluctuations due to solar and wind power. That sounds a lot like your scenario.

Rj Brown • September 11, 2018 9:58 AM

Back in the early 1980s I worked with a company that was developing energy management equipment. I authored a system patent for an energy management system that allowed the user to choose the operating schedule for large electricity consuming devices in his home. There was an 8 bit ID associated with each such device. The idea was that clustering algorithms could be applied to put the user's desired schedule into a group similar to the schedules of other users, and that certain groups were reserved for HVAC, other groups for hot water heaters, etc.

The system was expected to save the consumer a reasonable amount of money on their electric bill, and allowed the power company to control these groups to load shed during periods of high demand. Since the power company benefited from it, they were to pay for the installation. The user had the option to defeat the system for a period of time to allow for exceptional circumstances.

The problem here was that there was no security other than obscurity to protect the power company's interface to the system. Hackers could have taken control of a number of such systems and then, at a designated time, launched an attack across multiple power companies by bouncing the power of these devices on and off.

I brought this possibility to the attention of the management of the company I worked for, and they said "Don't tell anybody."

The system was actually beta tested by a large Baby Bell phone company, but they decided that their money would be better spent developing the ability to send video on demand to their customers.

Thus it languished and died.

RIP

MikeA • September 11, 2018 10:37 AM

@CallMeLateForSupper -- Clive has already amply explained the "commercial break surge" for electricity. A similar issue has been known for water supply. And an even sharper spike can be observed in the "outflow" of the water/sewage system. If your Uni predated the 1960s, it's possible the plumbing had already been "hardened" against such attacks in the face of such failures, as major sporting events were joined by "Holy crap, there's a cop-car outside the dorm" followed by a surge of "herbal smoking product" into the sewers.

Weather • September 11, 2018 10:37 AM

Winter
Sorry, trying to say: you can't have a 1 kW standalone sinewave inverter and connect a 2 kW grid-tie and expect the standalone to act as a grid; it will let out the electronics' life force.

Solar and wind use inverters; coal, nuclear, hydro use induction motors. If there are too many inverters and a large induction motor goes offline, the inverters aren't going to start, unless you disconnect everyone, get the induction motor up and running, then connect the inverters, then connect the consumers.

I wouldn't want more than 30% wind/solar, but that's a guesstimate.

albert • September 11, 2018 10:58 AM

This sort of attack uses devices outside the power grid's control network, and depends on successful attacks on several hundred devices. While reducing the attack surface of the IoT device is desirable (as discussed here several times), there are other ways to mitigate the threat.

High, short-time inrush currents can be reduced significantly by using Variable Frequency Drives. VFDs on fans and pumps have been used industrially for years, and can often pay for themselves within one year by reducing electricity costs. The blower on my high-efficiency furnace is VFD-driven. The lights don't dim when it turns on :). Since VFDs already 'know' the input voltage and current, they can be built to adjust the slope of the speed ramp accordingly. VFDs are also immune to input frequency variations. And there's the added bonus of variable speed.

Fixing the IoT devices would be cheaper and easier. But where's the incentive?

. .. . .. --- ....

Clive Robinson • September 11, 2018 11:23 AM

@ Winter,

Modern grids are working to handle large fluctuations due to solar and wind power.

One of my favourites when it comes to experiments in this area is variations on gravity based kinetic systems, in particular the parallel railway tracks on long grades. The carriages are filled with high density mass and a generator that feeds directly into the tracks or overhead cables. When there is excess capacity the carriages take power to climb the grade, where they then wait until required.

On a command signal the carriages are released, and as they pick up speed they use the equivalent of electro braking, but rather than dump into resistors it dumps into the power grid.

It obviously is a bit of a slow starter and only lasts a few minutes at most. But despite its apparently high cost it is a more efficient way to do an intermediate "fill in" than most other technologies.

The big advantage of mechanical generation over chemical generation is that it is much more reliable. The simplest and thus most reliable being the kinetic type systems, the most well known type being hydro electric with a lake at the top of a mountain etc.

Fast fill-ins can be done by massive battery packs that can respond in less than a quarter of a mains cycle; they can also in some cases take fast excess capacity off the grid. Then the intermediate systems are done by things like the kinetic systems, just to buy time to bring a fast generator online from standby in 20 secs, or slower standby in 10-20 minutes, depending on what the loading changes are all about.

https://psmag.com/environment/a-low-tech-solution-to-a-hi-tech-problem-trains-that-generate-electricity

Clive Robinson • September 11, 2018 12:06 PM

@ Weather,

I wouldn't want more than 30% wind,solar but that's a guesstimate

It depends on where you are and what is in the area in the way of load.

For instance, North West Europe has some of the most reliable medium altitude winds in the world, whilst certain desert areas have some of the most reliable sunlight. As do some coastal regions where combined wind/solar is being looked at for fully independent desalination plants, where you are mainly working on average power generated, not peak or demand power generated.

There are many industrial processes that will work quite happily off of average power, such as sewerage and other processes where "feed stock" can be "puddled" for quite long periods of time before being processed.

Until recently there has been no incentive to design plant this way; however, the financial savings for grid operators could be enormous.

Likewise, home hot water systems are currently designed with only one hot water tank which needs careful temperature regulation. Prototype systems using three tanks at different temperatures, where the desired outflow temperature is achieved by mixing from the three tanks, are quite happy to work from the highly variable output of home wind and solar generators.

There are even experiments in man-made hydrothermal systems where hot saline is pumped into underground heat reservoirs such as fractured rock, and excess energy from summer is still available in winter. Even ornamental ponds in gardens can have a very high energy storage potential at even quite small temperature grades.

Someone I know is living "up north" in a quite isolated area with their family, and has an experimental system that is in effect a big well insulated box below a large greenhouse, filled with crushed glass. Air from the top of the glasshouse, rather than being vented, is pumped into the box to heat the glass. When the sun is not shining and the temperature drops, cool air from the greenhouse is pumped into the glass, and in this way the temperature is maintained and gives around an extra four months growing cycle, which saves on food bills considerably. They also get a second growing season in winter when the snow on the ground increases the efficiency of the greenhouse. This allows certain crops that do not need much in the way of light to be grown.

The trick is thus not to make wind/solar more reliable but make more of our systems that have been designed on the availability of reliable peak power to work with less reliable "average power". In many cases for homes the big energy systems are heating and hot water, the use of large heat reservoirs means cheap average power can be used much more effectively.

Jesse Thompson • September 11, 2018 4:21 PM

We study five variations of the MadIoT attacks and evaluate their effectiveness via state-of-the-art simulators on real-world power grid models.

Yeah, the punchline is in the stinger for that episode, which I can't readily find online, but the principle still applies.

I'm pretty sure they could publish results like this with a forged methods section where the "state of the art simulators" are literally just some back of the napkin calculations and nobody would bother checking their work. :/

JG4 • September 11, 2018 4:37 PM


Thanks for the helpful discussion. There are a lot of ways to skin that cat. I think that I omitted this from a NakedCapitalism excerpt around 22 August:

https://qz.com/1355672/stacking-concrete-blocks-is-a-surprisingly-efficient-way-to-store-energy/

The figures of merit should include leakage rates, volumetric efficiency, overall safety, input and output rates, dollars per kW-hour stored, round-trip efficiency, and many more.

Can't recall if I posted a link to this before:

http://www.macrobusiness.com.au/2017/03/tesla-humiliates-nothing-australian-government/

It is easy to overlook the inflammatory title. The article has an excellent table showing relative costs of grid-scale storage.

This is a really clever approach to the problem of energy storage, as long as you don't mind a little risk.

https://www.ted.com/talks/donald_sadoway_the_missing_link_to_renewable_energy

I file these topics under Starfish Prime.

Jedf • September 11, 2018 5:11 PM

@me:

    "you can control thermostat from remote" -- why would someone buy it?

I love it. I can change the temperature and fan setting while in bed or simply sitting on the couch. Or, change the settings for another room (e.g., bedroom) before going there. Forget to turn down the temp in the kitchen (or just confirm that you did so) after going to bed, no problem.

Tony • September 11, 2018 6:41 PM

These high current IoT devices could also mitigate the problem if they were each programmed to wait a random number of seconds before executing a command to turn on or off. Then the attacker can't coordinate them to all switch at the same time.
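
The turn-on surge Clive Robinson describes earlier in the thread (every load coming up at once, motors drawing several times their running current for a fraction of a second) and the random-delay mitigation Tony proposes can be put side by side in a small toy simulation. The Python below is an added example; it is not code from the paper, the post, or any commenter. The 4000 W oven and 5000 W water heater figures are the ones a later comment quotes from the paper; the inrush multipliers and durations, the fleet size, the jitter window, and the grid constants used in the frequency estimate are assumptions chosen for illustration. The frequency estimate is the textbook swing-equation rate-of-change-of-frequency approximation, not the paper's grid model, and the device mix is constructed, not measured.

```python
"""Toy model: coordinated vs. jittered switch-on of a botnet of high-wattage loads.

Added example. The device mix, inrush figures, fleet size and grid constants are
assumptions for illustration, not numbers from the paper or the thread.
"""
import random

# (name, steady-state watts, inrush multiplier, inrush duration in seconds)
# 4000 W oven / 5000 W water heater: figures quoted from the paper in the thread.
# Multipliers and durations are assumed: resistive heaters barely spike, while
# the compressor motor in the air conditioner draws a large start-up inrush.
FLEET_SPEC = [
    ("electric oven", 4000.0, 1.2, 0.10),
    ("water heater", 5000.0, 1.2, 0.10),
    ("air conditioner", 3500.0, 6.0, 0.30),
    ("space heater", 1500.0, 1.1, 0.05),
]


def build_fleet(n_devices, seed=1):
    """Constructed botnet: n_devices drawn at random from FLEET_SPEC."""
    rng = random.Random(seed)
    return [rng.choice(FLEET_SPEC) for _ in range(n_devices)]


def demand_profile(fleet, start_times, horizon_s=10.0, step_s=0.01):
    """Aggregate demand (W) at each time step. Device i turns on at start_times[i],
    draws watts*inrush_mult for inrush_s seconds, then its steady-state watts.
    A difference array keeps the cost at O(devices + steps) rather than the product."""
    n_steps = int(round(horizon_s / step_s))
    delta = [0.0] * (n_steps + 1)
    for (_, watts, inrush_mult, inrush_s), t_on in zip(fleet, start_times):
        k_on = int(round(t_on / step_s))
        k_steady = int(round((t_on + inrush_s) / step_s))
        if k_on >= n_steps:
            continue  # switches on after the horizon: contributes nothing
        delta[k_on] += watts * inrush_mult
        delta[min(k_steady, n_steps)] += watts - watts * inrush_mult  # drop to steady state
    profile, running = [], 0.0
    for k in range(n_steps):
        running += delta[k]
        profile.append(running)
    return profile


def coordinated_start_times(fleet, t0=1.0):
    """The attack: every bot switches its load on at the same instant."""
    return [t0] * len(fleet)


def jittered_start_times(fleet, t0=1.0, max_delay_s=5.0, seed=2):
    """Tony's mitigation: each device adds its own random delay before obeying a
    turn-ON command. Turn-off is deliberately left prompt, since a delayed off
    switch is a safety problem rather than a grid problem."""
    rng = random.Random(seed)
    return [t0 + rng.uniform(0.0, max_delay_s) for _ in fleet]


def initial_rocof_hz_per_s(delta_p_w, system_mva, inertia_h_s, f0_hz=50.0):
    """Textbook swing-equation estimate of the initial rate of change of frequency
    after a sudden power imbalance: df/dt = (dP / S) * f0 / (2H).
    Assumed constants only; this is not the paper's simulator."""
    return (delta_p_w / (system_mva * 1e6)) * f0_hz / (2.0 * inertia_h_s)


def compare(n_devices=1000, max_delay_s=5.0, system_mva=10_000.0, inertia_h_s=5.0):
    """Peak demand with and without jitter, plus the initial frequency slide the
    coordinated peak would impose on an assumed 10 GVA, H = 5 s system."""
    fleet = build_fleet(n_devices)
    coord = demand_profile(fleet, coordinated_start_times(fleet))
    jit = demand_profile(fleet, jittered_start_times(fleet, max_delay_s=max_delay_s))
    return {
        "steady_w": sum(spec[1] for spec in fleet),
        "peak_coordinated_w": max(coord),
        "peak_jittered_w": max(jit),
        "final_w": jit[-1],
        "rocof_coordinated_hz_per_s": initial_rocof_hz_per_s(max(coord), system_mva, inertia_h_s),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:28s} {value:14.3f}")
```

Run as a script it prints the steady-state load of the constructed fleet, the peak when every device comes on together, and the peak when each device waits a random 0 to 5 seconds. The steady-state load is identical in both cases; only the simultaneous inrush changes, which is the whole point of Tony's suggestion. The ROCOF figure scales linearly with the step, so doubling the fleet doubles it, and the assumed 10 GVA, H = 5 s constants are there only to show the order of magnitude a few megawatts of step represents, not to reproduce any result from the paper.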

Sed Contra • September 11, 2018 6:46 PM

@dbCooper

(obligatory)

db, you actually used a gravity based system yourself at one time, as I recall.

Theo • September 11, 2018 8:24 PM

@albert

Many, probably most, Variable Frequency Drives are software controlled. While correct software can limit inrush currents, incorrect software can force inrush currents (and other unpleasantness) far worse than a dumb motor with a dumb switch.

So VFDs are exactly the type of devices that are part of the problem if they can be remotely reprogrammed/configured/controlled. A VFD would need to be airgapped or firewalled to be part of the solution.

Many VFDs are connected to a microcontroller that coordinates the entire device and has sufficient authority to tell the VFD to do really dumb things. That system microcontroller is in turn subject to IoT type attacks if it is connected to the Internet.

me • September 12, 2018 2:16 AM

@Weather
> Mix that with one 25 kW electric car. With an average house here using 2 kWh

This!
When I read the paper they said "electric oven 4000 W, water heater 5000 W".

I don't know about the rest of the world, but here in Italy the typical electric contract is 3500 W and a typical oven is 2000 W.
You can have more if you pay more, but almost nobody does this.
So as long as you don't turn on oven + washing machine (or dishwasher) you are fine.

Wesley Parish • September 12, 2018 5:05 AM

Long, long ago, in a galaxy far, far away, I read in a book by someone called W.E. Johns, about a man called James Bigglesworth, that there are three ways to down an aircraft.

One, you go for the engine.

Two, you go for the airframe.

Three, you go for the pilot.

W.E Johns may not have been much of an author; James Bigglesworth was not particularly believable as a character once you got past the wish-fulfillment; but it strikes me that W.E. Johns had all his ducks in line with vulnerability assessment.

So what are the layers of vulnerability we see in a power-grid IoT?

Weather • September 12, 2018 5:25 AM

Centralized, decentralized,
Rapid pace of action
Load, source power
Timing, clock linked to lines frequency
Force of distance (gun instead knife)
Everyone has it
Chain reaction to other parts of society, probably the most links
Money,long time to recover
Pushing it, but deadly

Rolinger • September 12, 2018 5:34 AM

Missed opportunity in calling it Manipulation of demand via IoT (MadIoT)

Surely it's always Increased Demand via IoT (IDIoT) :-)

albert • September 12, 2018 11:27 AM

@Theo,

Of course connecting to the Internet can cause problems. VFDs need only hardwired start/stop connections. Nothing we made had remote or local code update capability (the firmware was ROMed)*, but some models had CAN bus and other buses for control or configuration purposes. Configuring the units is done locally through the front panel, or via a PC hookup. Thus local access is needed to change anything. There's nothing wrong with isolated factory networks if you control physical access, which is something you have to do anyway.

IoTs are low-hanging fruit. Without easy Internet access, you move into Stuxnet territory.

----------
* reprogrammable firmware in industrial products is asking for major trouble. Even without access of -any- kind, there's no guarantee that the firmware will maintain its integrity.
. .. . .. --- ....

albert • September 13, 2018 10:26 AM

@Tony,
"...to wait a random number of seconds before executing a command to turn on or off...."
Yes, I thought of that. It does put the onus on the IoT maker, whereas the VFDs already have the capability of slow ramp up/down.

That's why I was surprised at the fuss when James Mickens suggested firewalling IoT devices. Why not? The IoT manufacturers certainly aren't going to do anything about it. And why bother with regulation in the Trumpian Epoch?

Sometimes defense is the best defense.

. .. . .. --- ....

Theo • September 17, 2018 2:32 PM

@Tony,
"...to wait a random number of seconds before executing a command to turn on or off...."

Waiting a random number of seconds before turning something off will be perceived as a safety issue. In many cases a delay in an off switch IS a safety issue.

@Albert
"Of course connecting to the Internet can cause problems. VFDs need only hardwired start/stop connections."

Yes, you can do that if you are replacing a dumb motor and simple on/off switch. You will not get many of the advantages of VFD control, such as variable speed, or being able to monitor things like torque, speed or temperature. Monitoring enables proactive maintenance and soft shutdowns before blowing a thermal fuse or shear pin.

There are very compelling reasons to enable digital connections to a motor controller. I expect the vast majority will end up being networked to something. Making sure that something is not the Internet is why I think airgaps and firewalls are more important parts of the solution than VFDs per se.

PeaceHead • September 27, 2018 6:55 PM

*ASTERISK*

Everyone and their dog, and their dog's dog needs to archive this type of technique and all of the potential adjacent patents on this one. Archive it in myriads of formats and forms, preferably readable and accessible without the need or use of machines or electricity.

If you have waterproof paper made from recycled plastic bags, use that too and don't forget to use sharpie style ink unless you want that "dry erase" type of effect.

We need stuff like this (yesterday, today, and tomorrow) to be able to disable some types of rogue technologies.

*ASTERISK*
