IoT security: A grid attack may not necessarily be a catastrophic event
The power grid is composed of generation, transmission and distribution systems, all working in unison to provide uninterrupted power supply
We’ve all seen the headlines: “A major cyber attack on the U.S. electric grid could cause over $1 trillion in economic impact.” And, as attacks on power stations in Ukraine have demonstrated, such attacks could have disruptive potential.
Nevertheless, to date, there have been no recorded cyber attacks on power facilities that have caused a major physical catastrophe or long blackout. The reason for this is that power stations are physically secured, are generally not connected to outside networks, and use industrial protocols. In recent times, power stations have also enjoyed large security upgrades that will continue to make hacking into them harder than it seems.
For this reason, it is only logical that hackers will attempt to attack the grid and associated infrastructure further down the supply chain. The power grid is composed of generation, transmission and distribution systems, all working in unison to provide uninterrupted power supply.
Each of these components has its own challenges and security risks, and there are great efforts invested by authorities worldwide to secure them.
But lately, another element has entered the equation -- that of consumption and its potential manipulation. IoT devices are being rapidly adopted and used everywhere by consumers, enterprises and governments. What if, instead of trying to hack a power plant, a nation-state hacked millions of smart devices connected to a power supply, and used them to manipulate the grid? This would create spikes in local and regional power consumption that in turn could damage power transformation and carrying infrastructure.
Power companies try to balance consumption loads by forecasting peak consumption times, leveraging historical data, weather forecasts and prediction models. Today’s prediction models have become so refined that it is possible to predict the increased demand caused by households boiling kettles at half-time breaks during World Cup soccer matches. However, hacked devices don’t act in the same predictable manner as regular ones. They can consume more power late at night, when no one is expecting a surge in demand. Without standby power to cope with this demand, outages cannot be avoided. Smart kettles have already been demonstrated to have weak security and could easily be exploited for such “on/off” attacks (not to mention other power-devouring appliances like smart TVs, fridges and washing machines).
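One way an operator could watch for the unforecast off-peak surge described above, as an added example that is not part of the original article: compare metered load with the forecast and flag intervals whose excess falls outside normal forecast error or exceeds the standby reserve. The MAD-based threshold, the function names, the reserve figure and all readings are assumptions constructed for illustration.

```python
from statistics import median

def residual_limit(history, k=5.0):
    """Robust upper bound on normal forecast error (MW).

    history: (forecast_mw, actual_mw) pairs from normal operation.
    Uses median + k * scaled MAD so a few past outliers do not inflate the bound.
    """
    residuals = [actual - forecast for forecast, actual in history]
    med = median(residuals)
    mad = median(abs(r - med) for r in residuals)
    return med + k * 1.4826 * mad

def flag_intervals(history, live, reserve_mw, k=5.0):
    """Return (label, excess_mw, verdict) for suspicious live intervals.

    'anomalous'       : demand above forecast by more than normal error
    'exceeds_reserve' : excess demand larger than available standby power
    """
    limit = residual_limit(history, k)
    flagged = []
    for label, forecast, actual in live:
        excess = actual - forecast
        if excess > reserve_mw:
            flagged.append((label, excess, "exceeds_reserve"))
        elif excess > limit:
            flagged.append((label, excess, "anomalous"))
    return flagged

# Constructed sample data (MW): past night-time forecast/actual pairs.
HISTORY = [(3000, 2988), (3100, 3108), (3200, 3215), (2900, 2895), (3050, 3060),
           (2950, 2941), (3150, 3154), (3000, 2997), (3300, 3307), (2800, 2794)]

# Constructed live readings: (interval, forecast, metered load).
LIVE = [("01:00", 3100, 3110), ("01:30", 3050, 3130),
        ("02:00", 3000, 3190), ("02:30", 2980, 2995)]

RESERVE_MW = 150  # assumed standby capacity for this region

if __name__ == "__main__":
    for label, excess, verdict in flag_intervals(HISTORY, LIVE, RESERVE_MW):
        print(f"{label}: +{excess} MW over forecast -> {verdict}")
```

An "anomalous" interval is the early-warning case: demand has left the band the forecast normally holds, but reserve can still cover it.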
Blackouts are very dramatic and can cause immediate retaliation, but a nation can also hurt its enemy by subtly instigating economic warfare against its citizens. Connected domestic appliances consume notoriously high amounts of power. If hacked, they could be made to look as if they are in sleep mode or shutdown when in fact they are consuming costly energy, ultimately amounting to hundreds of dollars wasted.
Even today, about a quarter of all residential energy consumption is used on devices in idle power mode - the equivalent of 50 large power plants’ worth of electricity, costing more than $19 billion in electricity bills every year. The environmental cost is also massive: About 10 percent of US carbon dioxide emissions are a direct result of this usage. Imagine the financial and environmental impact of attackers increasing this cost by just 10 percent by manipulating connected devices.
Even houses without smart devices could be vulnerable to cyber-attacks. Smart meters will eventually replace traditional meters and, even though they offer many benefits, they are also susceptible to hacking. This could lead to malfunction and incineration, or simple fraud and theft.
Smart vehicles continuously communicate with their environment and are charged by the same power grid as other smart devices. Thus, electric vehicle charging patterns have an enormous impact on national power consumption. If electric vehicles are not charged sufficiently due to manipulation of the power station, peak demand could be as much as 8GW higher than it is today, along with the associated economic and environmental costs.
The scenarios described above may seem a little futuristic but are actually quite reasonable. As the grid becomes “smarter” and our homes more connected, it is imperative that we employ robust security mechanisms — not just for power generation, but for the entire supply chain in order to maintain a predictable, secured economy.
Author: Yotam Gutman is vice president of marketing for Securithings.