The primary security concern with regard to internet-of-things (IoT) devices has largely been focused on individual security and privacy, but researchers at Princeton University found another substantial way an attacker could compromise IoT devices and use them to disrupt the power grid.
At last week’s 27th USENIX Security Symposium in Baltimore, Maryland, researchers presented their findings that high-wattage IoT devices, dubbed BlackIoT, pose a significant risks to power grids.
This new type of attack on the actual power grid is distinctly different from threats to SCADA systems, according to the recently released white paper, BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid. Researchers proposed that an attack could happen if an malicious actor exploited high-wattage IoT devices for manipulation of demand via IoT attacks, resulting in local power outages and large-scale blackouts.
“An Internet of Things (IoT) botnet of high wattage devices – such as air conditioners and heaters – gives a unique ability to adversaries to launch large-scale coordinated attacks on the power grid,” researchers wrote.
“In particular, we reveal a new class of potential attacks on power grids called the Manipulation of demand via IoT (MadIoT) attacks that can leverage such a botnet in order to manipulate the power demand in the grid,” they wrote.
Attacks could result in frequency instability, line failures and cascading failures, all of which could increase operating costs.
“Overall, our work sheds light upon the interdependency between the vulnerability of the IoT and that of other networks such as the power grid whose security requires attention from both the systems security and the power engineering communities. We hope that our work serves to protect the grid against future threats from insecure IoT devices,” they wrote.
The scenario presented in their findings is alarming yet not surprising to some industry experts. “This is directly analogous to an internet DOS [denial-of-service] attack, where an army of poorly protected computers flood a website with traffic,” said Ray DeMeo, co-founder and COO, Virsec.
“While we might hope IoT devices are built with adequate security, we should assume they are vulnerable. Smart grid technology will have to become smarter in a hurry to detect this new type of abuse."