High-Wattage IoT Botnets Could Manipulate and Damage Energy Markets, New Research Shows

Botnets powered by high-wattage IoT devices such as ovens, hot-water heaters, air-conditioners, and other appliances could be hijacked to manipulate energy demand, and potentially inflict financial damage on deregulated energy markets, a new report warns.

Researchers from the Georgia Institute of Technology imagined an energy market manipulation cyberattack by turning compromised high-wattage IoT equipment on or off to artificially increase or decrease power demand.

By doing so, botnets leveraging energy-consuming devices could allow energy suppliers or providers with the means to alter prices, or provide nation-states with novel ways to cause financial damage to the electricity market of another country.

“If an attacker can slightly affect electricity market prices in their favor, it would be like knowing today what’s going to happen in tomorrow’s stock market,” said Tohid Shekari, a graduate research assistant at the Georgia Institute of Technology. “If the manipulation stays within a certain range, it would be stealthy and difficult to differentiate from a typical load forecasting error.”

In 2018, researchers from Princeton University published a paper detailing botnet attack models that leverage high-wattage IoT devices to cause energy grid disruptions and large-scale power outages. While the MadIoT model focused on simultaneously switching on and off compromised high-wattage devices to cause disruptions, the study showed that this type of attack does not guarantee success against power grid protection mechanisms that often respond to these disruptions.

“IoT Skimmer,” the attack model proposed by Georgia Tech researchers, uses a botnet of high-wattage devices to manipulate the electric market for profit or damage.

The attack “would be made possible by the deregulation of energy markets, which has created a system to efficiently supply electrical power,” researchers noted. “To meet the demand for electrical energy, utility companies must predict future demand and purchase power from the day-ahead wholesale energy market at competitive prices. If the predictions turn out to be wrong, the utilities may have to pay more or less for the energy they need to meet the demands of their customers by participating in the real-time market, which has more volatile prices in general.”

Georgia Tech researchers also assume that such botnets are already on the market, and that threat actors could start renting them via dark web marketplaces.

“If you consider all of the smart thermostats and internet-connected electric ovens, water heaters, and electric vehicle chargers that are already in use, there are plenty of devices to be compromised,” Shekaria dded. “Homeowners would likely never notice if the EV charger turns on when electricity demand is highest, or if the air conditioning cools a little more than they expected when they are not home.”

When speaking of countermeasures against such an attack, the team suggests integrated monitoring of the normal power use of high-wattage IoT-connected devices and restricting access to data on the expected energy demands.

“This energy demand information is really a data privacy issue, and we need to think long and hard about the balance between transparency and security,” said Raheem Beyah, the Motorola Foundation Professor in the School of Electrical and Computer Engineering and vice president for Interdisciplinary Research at Georgia Tech.

“There’s always a tension there, but limiting the amount of detail could make it more difficult for attackers who want to hide their manipulations to know what the normal variations are.”

Add Comment

Your email address will not be published. Required fields are marked *