Botnet of smart air conditioners and water heaters could bring down the power grid

If "smart" appliances that connect to the internet were to be used in a botnet, it could cause large-scale blackouts of the power grid, researchers warn.

candle laptop blackout

If smart appliances that can be remotely controlled over the internet were to be compromised and used in a botnet, attackers could cause local power outages or even large-scale blackouts, according to a presentation given by Princeton University researchers at the USENIX Security Symposium.

This new class of attacks was dubbed MadIoT (Manipulation of demand via IoT) by researchers from Princeton’s Department of Electrical Engineering. Instead of directly attacking the supply side of the power grid, attackers could enslave high-wattage IoT devices in a botnet to manipulate the demand side of the grid.

While Wi-Fi-enabled high wattage appliances can make life handy, such as being able to remotely kick on the AC or oven before you arrive home after work – either via an app or home assistant such as the Echo’s Alexa or Google Home – devices remotely controlling the appliances could be used by attackers to manipulate the power demand.

After considering that air conditioners, space heaters, electric water heaters and electric ovens use between 1,000 to 5,000 watts of power, the researchers came up with three attack types which were tested on state-of-the-art simulators of real-world power grid models. The results ranged from causing local power outages to large-scale blackouts.

Attacks that resulted in frequency instability

They determined that it would take a botnet of 90,000 air conditioners and 18,000 electric water heaters to disrupt the power demand in a targeted geographical area such as was tested against a grid model of the Western System Coordinating Council utility. Attackers could cause sudden spikes of power, such as by switching on all the botnet-controlled appliances at the same time. Switching them all off at the same time could also cause frequency instability.

The sudden increase or decrease in power demands caused an imbalance between supply and demand. They explained in the research paper (pdf), “This imbalance instantly results in a sudden drop in the system’s frequency. If the imbalance is greater than the system’s threshold, the frequency may reach a critical value that causes generators tripping and potentially a large-scale blackout.”

If the attack caused a blackout, then the grid operator would restart the system with a “black start” process that divides the grid into smaller “islands” and separately restores power to each island. Attackers could kick up the IoT botnet as soon as an “island” comes back up, causing the power grid to blackout again.

Although it may seem hard to believe that many high-wattage appliances could be in a botnet, they pointed out that more than 600,000 infected IoT devices were used in the Mirai botnet. As we have seen over and again, having baked-in, top-notch security in rarely a priority as manufacturers rush to put out “smart” connected and remotely controllable devices. It would take but several hundred compromised devices to disrupt a grid restart; the researchers estimated that could be accomplished with a botnet of only 100 to 200 high-wattage appliances.

Attacks to cause cascading power failures

The researchers warned that even a “small increase in the demands may result in line overloads and failures.” Using a model of the Polish power grid, they determined it would take only a one percent increase in demand to cause a cascading grid failure that resulted in “236 line failures and outage in 86% of loads. Such an attack by the adversary requires access to about 210,000 air conditioners, which is 1.5 percent of the total number of households in Poland.”

Attacks to increase operating costs

Attackers could hone in on specific utilities to increase operating costs as opposed to damaging infrastructure. The researchers wrote, “We show by simulations that a 5% increase in the power demand during peak hours by an adversary can result in a 20% increase in the power generation cost.”

They described MadIoT attacks as “easily repeatable” by attackers but “hard to detect” by grid operators. The researchers warned that the risks of these type of attacks will only increase in the future as more manufacturers come out with “smart” appliances with the ability to connect to the internet.

The same Princeton University researchers, Saleh Soltan, Prateek Mittal, and H. Vincent Poor, also published a paper (pdf) about protecting the grid against an IoT botnet of high-wattage devices.

SUBSCRIBE! Get the best of CSO delivered to your email inbox.