Weirder Than Science Fiction: Botnets Threaten The Grid

Viewers of vintage science fiction movies know that many types of monsters have menaced humans on the silver screen. Super-sized ants, scorpions, and reptiles kicked butt and made human lives miserable. But even hardcore sci-fi fans haven’t thought of a botnet of smart appliances taking down the electrical grid. That’s right, appliances and devices such as ovens, washing machines, and air conditioners.

Bot-herded appliances have not gone on the rampage—yet. However, plausible what-if scenarios are moving from college engineering departments to IT security conferences. The situations might be bizarre, but the potential impact on business and society is real.

Botnet attacks: taking down the electrical grid
Computer security professionals and electrical engineers don’t see imminent danger. But several factors that make such botnet scenarios possible are lining up. The factors include:

Rapid growth of internet-connected devices. If appliance botnet attacks occur, we have the growth of the Internet of Things (IoT) to thank. The IoT refers to the billions of internet-connected physical devices located around the world. They collect, share, and communicate data without human intervention.

How many IoT devices are there? If you can connect a physical object to the internet and control it that way, it’s an IoT device. By that count, Gartner calculates around 8.4 billion IoT devices were in use in 2017.

Demand-side cyber-attacks. We’re all too familiar with attacks on the supply or availability of IT resources. Think DDoS and ransomware attacks, which overwhelm services or hold them hostage, denying them to legitimate users.

Enter the manipulation of demand Internet of Things (MaDIoT) attack. In this class of demand-side exploits, hackers control a botnet of many thousands of compromised consumer IoT devices. Not just any devices, but the power-hungry ones, such as ovens, washing machines, and air conditioners.

In a security nightmare scenario, coordinating enough of these appliances in a demand-side attack can disturb sensitive electrical grids and bring them offline.

Three ways to bring down the grid
In simulations, researchers at Princeton found not one but three ways that a botnet attack could bring down a local electrical grid or hamper its operations. These include:

Creating a sudden spike in demand. When demand jumps faster than generation can follow, grid frequency drops sharply; protective relays then trip generators that stray outside their safe frequency band, taking them offline.

In the simulations of Princeton IT security researchers, this scenario required access to about 18,000 electric water heaters or 90,000 air conditioners within the targeted area. The attack caused a 30-percent increase in demand across the grid, and all generators went offline.

Creating cascading failures. Large imbalances in demand across a grid can cause lines to fail as power flows are redistributed through the grid. Each failed line shifts load onto the remaining ones, which fail in turn, and so on.

Damaging utility operations. Malicious attempts to raise power demand can push consumption past the allotment a utility has under its contract with a regional electricity provider.

The Princeton researchers simulated an attack that increased power demand by 5 percent during peak hours. The result: a 20-percent rise in power costs.
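The frequency mechanism behind the first scenario, as an added example that is not the Princeton researchers' simulation code: a lumped swing-equation model of a 60 Hz system's response to a sudden demand step, run for the 5 percent and 30 percent figures quoted above. Every parameter (inertia, damping, governor droop and lag, spinning reserve, trip threshold) is an assumed value for illustration, not a figure from the research.

```python
"""Lumped swing-equation model of grid frequency after a sudden demand step.
Illustrative example only; all parameter values are assumptions for a
plausible 60 Hz system and should be replaced with an operator's own figures."""

F_NOM = 60.0  # Hz, nominal frequency (assumed North American system)


def simulate_load_step(load_step_pu, reserve_pu=0.10, H=5.0, D=1.0, R=0.05,
                       T_g=2.0, trip_hz=59.0, t_end=30.0, dt=0.01):
    """Integrate per-unit frequency deviation after an instantaneous load rise.

    load_step_pu : extra demand as a fraction of system load (0.30 = +30 %).
    reserve_pu   : spinning reserve the governors can call on (assumed 10 %).
    H, D, R, T_g : inertia constant (s), load damping, governor droop,
                   governor/turbine lag (s); all assumed.
    trip_hz      : under-frequency level at which generators are treated as
                   tripping and integration stops (assumed 59.0 Hz).
    Returns (nadir_hz, nadir_time_s, tripped).
    """
    df = 0.0      # per-unit frequency deviation
    p_gov = 0.0   # per-unit governor power response
    f_min, t_min, t = F_NOM, 0.0, 0.0
    while t < t_end:
        # Governors ramp toward -df/R but cannot exceed the available reserve.
        target = min(-df / R, reserve_pu)
        p_gov += (target - p_gov) * dt / T_g
        # Swing equation: 2H * d(df)/dt = generation - load step - damping.
        df += (p_gov - load_step_pu - D * df) / (2.0 * H) * dt
        t += dt
        f = F_NOM * (1.0 + df)
        if f < f_min:
            f_min, t_min = f, t
        if f < trip_hz:
            return f_min, t_min, True  # lumped model is not meaningful past here
    return f_min, t_min, False


def generators_trip(load_step_pu, **kw):
    """True if the demand step drives frequency below the trip threshold."""
    return simulate_load_step(load_step_pu, **kw)[2]


if __name__ == "__main__":
    for step in (0.05, 0.30):  # the 5 % and 30 % figures quoted in the text
        nadir, when, tripped = simulate_load_step(step)
        print(f"+{step:.0%} load: nadir {nadir:.2f} Hz at {when:.1f} s, "
              f"trip={tripped}")
```

Raising reserve_pu shows how much reserve keeps the nadir above trip_hz for a given step, which is the sizing question a grid operator would ask of this model.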

However, these attack scenarios make assumptions that might not be realistic. Let’s review them to see if they hold up to scrutiny.

Botnet attacks are closer than you think
The premise of the Princeton research is simple. A regional power grid could be taken down by hacking and controlling a decentralized and relatively unprotected class of targets: high-wattage appliances installed in smart homes.

But what’s the status of the elements needed to make the scenario real? Here’s our review:

Cheap processors and global connectivity.
STATUS: They exist today. Controlling tens of thousands of appliances requires cheap processors and readily available internet connections. Processors are so affordable and energy-efficient that they’re almost disposable.

These low-power chips connect over broadband, cellular, and wireless networks. Also, the adoption of IPv6 should provide ample IP addresses for current and future IoT devices.

Software that can orchestrate large-scale botnet attacks.
STATUS: It’s available today. A successful botnet attack requires more than a large number of appliances in one area. Hackers must infect and control tens of thousands of machines.

The big question: can hackers pull off such a complex operation? First, there’s the issue of cross-platform infections. A sophisticated botnet script can attack IoT devices that operate on nine different platforms.

Next, the problems of secrecy and control. Botnets such as Reaper can run complex attack scripts that exploit flaws in the code of vulnerable devices. Botnet command-and-control infrastructure makes infections hard to detect while letting operators direct hundreds of thousands of devices.

Many high-wattage appliances connected to the IoT and the grid.
STATUS: Not here yet but coming soon. The Princeton simulations assume that high-wattage appliances will connect to the IoT. Currently, stand-alone, connected appliances and home-automation hubs are not common. However, many power-hungry appliances with built-in connectivity are entering the market.

Not so crazy after all
Far from being a nutty idea, demand-side cyber-attacks are possible—some would say likely. Perhaps now’s the time to take inventory of our convenience-based IoT devices and decide how to secure them from stealth attacks on our infrastructure.