Vulnerability of Energy Markets to IoT Botnet Attacks

At the recent Black Hat security conference, Georgia Institute of Technology researchers presented findings from their study of IoT botnets including how hackers could use them to disrupt energy markets.

Results indicate that hackers could manipulate high powered IoT botnets like smart thermostats, car chargers, and air conditioners to compromise any of the U.S.’s nine private energy markets. Hackers could deploy the botnet strategically to increase demand at certain times to force price fluctuations for profit or cause mass chaos.

High Powered Botnets Generate Substantial “Rewards”

Using publicly available data from the New York and California markets between May 2018 and May 201, researchers analyzed fluctuations in two markets:

• “Real-time markets,” which allow buyers and sellers to correct for unpredictable events (like natural disasters) and forecasting errors
• “Day-ahead markets,” which forecast demand

Armed with this data and several botnet models, researchers created two possible attack vectors that could alter energy prices. They also determined how far hackers could push attacks without raising alarms.

“Our basic assumption is that we have access to a high-wattage IoT botnet,” says Tohid Shekari, a Ph.D. candidate at the Georgia Institute of Technology. “In our scenarios, attacker one is a market player; he’s basically trying to maximize his own profit. Attacker two is a nation-state actor who can cause financial damage to market players as part of a trade war or cold war. The basic part of either attack is to look at price-load sensitivity. If we change demand by 1 percent, how much is the price going to change as a result of that? You want to optimize the attack to maximize the gain or damage.”

Although more difficult than regular IoT botnets to acquire, hackers who use high powered botnets can reap substantial rewards. Researchers estimate that running an attack for three hours each day, for one hundred days, would yield a $24 million payoff.

Protecting Energy Markets from Hackers

With a focus on promoting prevention and defense before such cyberattacks occur, researchers recommend:

• Equipping high wattage IoT devices with real-time monitoring
• Reevaluating the granular and constantly updated load data made public
• Limiting access to data to add barrier to entry
• Including real-time monitoring on high-wattage IoT devices to flag suspicious use potentially consistent with malware infections

“It’s an example of how the threat landscape changes in unexpected ways,” says Beyah, who also co-founded the industrial-control security firm Fortiphyd Logic. “Who would have thought that my washing machine or stationary bike could be the foundation of a completely new type of attack?”