Cybercriminals may no longer need Stuxnet-like malware to infiltrate critical power grid infrastructure, only the IoT.
Researchers at Princeton University have released a report that warns cyber attackers could attack power grids using IoT –powered botnets made up of high wattage devices such as heaters and air conditioning units. The report, titled BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid, describes how the researchers conducted a series of proof-of-concept attacks that allowed such access.
For example, they were able to conduct theoretical attacks that caused sudden generation tripping, disrupt grid re-starts, line failures, and cascades, and increase demand from the systems, all which can easily lead to outages, blackouts or even total grid failure. They call these attacks Manipulation of demand via IoT(MadIoT) attacks.
The researchers say this means attackers could no longer have any need for Stuxnet-like malware to take over devices and compromise critical infrastructure. The researchers were even able to increase operational costs for a target by manipulating energy consumption and could even do so to benefit a specific energy provider. Theoretically, cyber attackers could simultaneously turn on or off several high wattage IoT devices to cause frequency instability or a supply and demand imbalance.
“The MadIoT attacks’ sources are hard to detect and disconnect by the grid operator due to their distributed nature. These attacks can be easily repeated until being effective and are black-box since the attacker does not need to know the operational details of the power grid. These properties make countering the MadIoT attacks challenging,” the researchers said in the report.
The report recommends that grid operators immediately begin preparing for such attacks by doing everything possible to ensure their systems can handle drastic load changes. They also urged IoT device makers to do more research on IoT vulnerabilities and make more of an effort to ensure their devices are secure.