If the Front Door's Locked, Try the Side Door: Power Grids Vulnerable to Demand-Side DoS Attack
Fans of Bruce Willis and the Die Hard franchise will recall that a major plot point of the 2007 fourth installment, Live Free or Die Hard (Die Hard 4), was disrupting the power grid of the Eastern United States to conceal the theft of billions of dollars from the US Social Security Administration. The antagonists hit a snag when they learned that a power hub key to their plan was air gapped, so physical access to the site was required to bring it down. Posing as an FBI security check, the bad guys broke in and began flipping switches to take down the grid. Fast-forward to 2018, when there are more IoT devices on the planet than people: Gartner estimated 8.4 billion internet-connected devices at the end of 2017, against a United Nations estimate of 7.6 billion people.
Governments and private organizations have invested billions of dollars protecting the US power grid, fortifying both physical and cyber defenses against potential attack. In the same year Die Hard 4 was released, the Idaho National Laboratory conducted the Aurora Generator Test to demonstrate to government officials that physical equipment such as power generators is vulnerable to cyberattack. The test showed that bypassing the protective controls and issuing breaker commands that put a generator out of sync with the grid could physically destroy it; the same technique applied across many sites could take a large part of the US power grid with it. Since large generators are built to order rather than sitting in a warehouse, it would take months or years to restore the grid to its pre-attack state. The attack on the safety systems of a Saudi Arabian gas processing plant attempted to do just that, but reportedly failed when the malicious code did not match the version of the controller it was running on. Traditionally, security engineers have focused on protecting the supply side of power: power plants (generation) and transit infrastructure (transmission and distribution). At the USENIX Security conference this week, a group of Princeton University security researchers presented an attack model that poses an equally credible threat but targets the demand side of the power grid.
Like the internet itself, internet-connected devices (commonly referred to as IoT) were not designed with security in mind. Security in IoT has always been an afterthought, as the countless vulnerabilities exposed over the last few years show. From a casino's smart fish tank thermometer used as the foothold for leaking high-roller personal data to a compromised IP camera spying on the Trump-Putin summit in Helsinki, IoT is in great need of a security overhaul. Microsoft has become a thought leader on this front with Azure Sphere, an IoT platform whose security starts at the silicon the devices run on. As long as consumers continue to buy insecure IoT devices because they are uninformed or the devices are inexpensive, the IoT security problem will be around for years to come. The Princeton researchers modeled an attack that starts by building a botnet of thousands of remotely compromised high-draw devices such as water heaters, air conditioners, and space heaters. Internet-connected versions of all of these exist today, and adoption is expected to grow significantly over time.
Using a software simulation, the researchers determined that on a power grid serving a population the size of California (about 38 million people) or Canada, an unexpected demand increase of as little as one percent could trigger a cascading failure that takes down most of the grid. Power grids depend on supply and demand staying balanced; an unexpected drop in supply or spike in demand, even a small one, can have an outsized effect. Ironically, the cascade is driven by protections built into the grid itself. If a transmission line detects an overload, its protective relay disconnects it to save the physical infrastructure. Dropping that line shifts its load onto the remaining lines, which can overload and trip in turn, and the chain reaction continues. Scaling from these results, the researchers estimated that tens of thousands of water heaters or on the order of a hundred thousand air conditioning units would be enough to cause a catastrophic failure. Those numbers are within reach of known botnets: Mirai compromised roughly 600,000 vulnerable IoT devices at its peak, and Reaper is thought to have compromised over a million.
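To make the cascade mechanism concrete, here is a toy simulation added for this post; it is not the Princeton team's model, which runs a full power-flow simulator on a real grid test case. It assumes three transmission corridors with made-up ratings and fixed load shares (a stand-in for what line impedance would determine in a real network) and a relay rule that trips any line carrying more than its rating, redistributing the tripped line's flow proportionally to the survivors. The per-device draws used at the end are also assumptions.

```python
"""Toy demand-side cascade: constructed numbers, not data from the MadIoT paper."""
import math
from dataclasses import dataclass


@dataclass
class Line:
    name: str
    rating_mw: float  # the protective relay trips the line above this flow
    share: float      # fraction of load this corridor carries (stand-in for impedance)


def settle(lines, load_mw):
    """Apply relay protection until no active line is overloaded.

    Returns (served_mw, tripped) where tripped lists the lines in the order
    their relays opened. served_mw is 0.0 when every corridor has tripped.
    Flow on each surviving line is load * (its share / sum of surviving shares),
    i.e. a tripped line's flow is pushed onto the survivors (simplified model).
    """
    active = list(lines)
    tripped = []
    while active:
        total_share = sum(l.share for l in active)
        flow = {l.name: load_mw * l.share / total_share for l in active}
        overloaded = [l for l in active if flow[l.name] > l.rating_mw]
        if not overloaded:
            return load_mw, tripped
        # The most overloaded line trips first; the rest are then re-evaluated.
        worst = max(overloaded, key=lambda l: flow[l.name] / l.rating_mw)
        active.remove(worst)
        tripped.append(worst.name)
    return 0.0, tripped


def devices_needed(grid_load_mw, increase_fraction, device_kw):
    """Compromised devices whose simultaneous turn-on adds increase_fraction
    of grid load, given an assumed per-device draw in kW."""
    extra_kw = grid_load_mw * 1000.0 * increase_fraction
    return math.ceil(round(extra_kw / device_kw, 6))


# Constructed grid: aggregate capacity (950 MW) exceeds the load, but corridor A
# already runs at 99.9% of its rating, so a 1% demand step is enough to start it.
GRID = [
    Line("A", rating_mw=400.0, share=0.5),
    Line("B", rating_mw=300.0, share=0.3),
    Line("C", rating_mw=250.0, share=0.2),
]
BASE_LOAD_MW = 799.0


def attack(lines=GRID, base_load_mw=BASE_LOAD_MW, step=0.01):
    """Outcome before and after an attacker's botnet adds `step` of extra load."""
    before = settle(lines, base_load_mw)
    after = settle(lines, base_load_mw * (1.0 + step))
    return before, after


if __name__ == "__main__":
    (served0, trip0), (served1, trip1) = attack()
    print(f"normal: {served0:.1f} MW served, tripped={trip0}")
    print(f"+1% demand: {served1:.1f} MW served, tripped={trip1}")
    # Assumed draws: about 1 kW per air conditioner, about 4.5 kW per water heater.
    print(f"1% step = {devices_needed(BASE_LOAD_MW, 0.01, 1.0)} air conditioners "
          f"or {devices_needed(BASE_LOAD_MW, 0.01, 4.5)} water heaters")
```

The point the run makes is the one in the paragraph above: the grid has 950 MW of corridor capacity against 807 MW of attacked load, so the aggregate supply is fine, yet the relay on corridor A opens, its half of the load lands on B and C, and both of those trip in turn. Nothing on the supply side ever saw an intrusion.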
No level of supply-side protection (physical guards, firewalls, multi-factor authentication) can guard against a sudden spike in electricity demand. I got to see first hand what sudden demand for electricity did during the California energy crisis of 2000 and 2001, when brownouts and rolling blackouts were common due to fixed supply versus unprecedented demand. Thankfully, power grid engineers and security researchers believe there are not yet enough internet-connected high-draw devices to generate the demand-side pull needed for a major disruption. The threat model should serve as a warning for future IoT security work and should also be factored into power consumption forecasting. A less catastrophic version of the attack could remotely switch on devices in one area while shutting down devices in a neighboring area, creating a large enough imbalance to take down a smaller portion of the grid.
Protecting the demand side of the power grid is akin to protecting an organization's users rather than only its network; securing the grid, and the networks of the future, will require a shift in thinking. Keeping IoT devices and the networks they run on secure is the most direct way to deny attackers the botnet this kind of attack depends on.