Wednesday, January 2, 2019

IDG Contributor Network: Did IoT cyberattacks cause NY power transformers to explode?

Officials blamed a power surge for the blackout on Dec 28th, 2018 that left LaGuardia airport in the dark for about 45 minutes and grounded flights. A look at the trend of power outages at American airports shows a disturbing pattern and a possibly sinister cause.

Background

Attacking an adversary’s infrastructure is asymmetrical warfare. It causes a lot of damage for a very small cost. Cyberattacks are an ideal weapon as they disguise who might be behind them, making retaliation much harder.  Attacks on the power grid for airports are especially devastating as they ground flights, stranding passengers and disrupting business nationwide. Just take a look at recent power outages:

The New York Times reported in March 2018 on possible Russian cyberattacks on US power plants.
“Forensic analysis suggested that Russian spies were looking for inroads — although it was not clear whether the goal was to conduct espionage or sabotage, or to trigger an explosion of some kind.”

A Symantec report noted that a Russian hacking unit “appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems.”

BlackIoT: How to disrupt the power grid with an IoT appliance botnet

At the 27th USENIX Security Symposium, Princeton University researchers Saleh Soltan, Prateek Mittal, and H. Vincent Poor explained how a botnet of high wattage appliances could do this. Hackers could switch compromised appliances on and off, creating an artificial demand for power, tripping generators and causing blackouts. What’s terrifying about this is that the attack vector is low security home appliances rather than more secure power infrastructure.

Power grid operators typically assume that power demands are predictable: consumers collectively behave similarly to how they did in the past and under similar conditions. However, with the proliferation of IoT devices and their poor security measures this isn’t a safe assumption. An IoT botnet of high wattage devices (such as air conditioners and heaters) lets adversaries launch large-scale coordinated attacks on the power grid. Such Manipulation of Demand via IoT (MadIoT) attacks use botnets to manipulate the power demand in the grid.

Many of these devices are controlled with mobile apps and home assistants such as Amazon Echo or Google Home. Hackers can manipulate the power demand and cause large scale blackouts by compromising these home assistants. These MadIoT attacks manipulate power loads, which are much less protected than the power grid’s Supervisory Control and Data Acquisitions (SCADA) system.

Even a small increase in the demands may result in line overloads and failures. These initial line failures may in turn cause further line failures, known as a cascading failure. An abrupt increase or decrease in the power demands by simultaneously switching on or off many high wattage IoT devices results in an imbalance between the supply and demand. This imbalance instantly results in a sudden drop in the system’s frequency. Generators trip and can cause a large-scale blackout if the imbalance is greater than the system’s threshold.

IoT security standards

The Princeton research paper explains that MadIoT attacks are hard to protect against because:

  1. The power grid operator only sees demand in aggregate from millions of users. This makes it hard to detect and disconnect the compromised appliances that are causing the artificial demand.
  2. An adversary can easily repeat the attack when the power is restarted. This could cause persistent blackouts.
  3. MadIoT is a ‘black box’ attack where detailed knowledge of a power grid isn’t needed. Just faking the demand is enough to cause overload situations.
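What an operator can still do with the aggregate signal is notice the abrupt step itself, even if the individual appliances stay invisible. The sketch below is an added example, not code from the article or the Princeton paper: it compares each change in total demand with the typical change at the same time on previous days and flags outliers. The function names, the threshold k, and all demand figures are assumptions constructed for illustration.

```python
from statistics import median


def steps(series):
    """Change in aggregate demand (MW) between consecutive samples."""
    return [b - a for a, b in zip(series, series[1:])]


def detect_demand_steps(history, today, k=6.0, min_scale_mw=1.0):
    """Flag abrupt demand steps that past behaviour does not explain.

    history: past days of aggregate demand (MW), sampled at the same
             times of day as `today`.
    Returns (sample_index, observed_step_mw, expected_step_mw) tuples.
    """
    past = [steps(day) for day in history]
    # Typical step for each time slot, taken across the historical days.
    expected = [median(slot) for slot in zip(*past)]
    # Pool the historical deviations to get one robust spread estimate.
    residuals = [s - e for day in past for s, e in zip(day, expected)]
    centre = median(residuals)
    mad = median([abs(r - centre) for r in residuals])
    scale = max(1.4826 * mad, min_scale_mw)  # MAD scaled to sigma, floored
    alerts = []
    for i, (s, e) in enumerate(zip(steps(today), expected), start=1):
        if abs(s - e) > k * scale:
            alerts.append((i, s, e))
    return alerts


# Constructed sample data: five ordinary days with small variations, then
# a day on which 180 MW of load switches on at sample 7 and off at sample 10.
JITTER = [0, 3, -2, 1, -3, 2, 0, -1, 2, -2, 1, 0]
BASE = [5000 + 10 * i for i in range(12)]
HISTORY = [
    [BASE[i] + 20 * (d - 2) + JITTER[(i + d) % 12] for i in range(12)]
    for d in range(5)
]
TODAY = [mw + (180 if 7 <= i <= 9 else 0) for i, mw in enumerate(BASE)]

if __name__ == "__main__":
    for idx, step, exp in detect_demand_steps(HISTORY, TODAY):
        print(f"sample {idx}: step {step:+d} MW, expected {exp:+d} MW")
```

The detector reports that something switched a large load at once; it does not say which devices did, which is the limitation the first point in the list describes.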

One would expect the government to act quickly on IoT security guidelines in the face of such persistent and devastating cyberattacks. That isn’t the case. Matt Leonard reports in FCW how “Senators Mark Warner and Cory Gardner introduced the Internet of Things Cybersecurity Improvement Act of 2017. The bill prohibits agencies from acquiring IoT devices and sensors that aren't patchable and that don't have changeable passwords. So far, the bill hasn't received a hearing or a vote in the Senate Homeland Security and Government Affairs Committee, which has jurisdiction over federal procurement and cybersecurity”.

The security recommendations from the IoT Security Foundation are a good framework for such guidelines. They advocate a Hub-based security approach that factors in new IoT devices being installed. “The Hub device acts as a central point for trust and IoT environment management. It also makes use of existing security features – such as update mechanisms – and adds an additional layer of security to the IoT environment – such as traffic monitoring and lifecycle management. The Hub device achieves this by communicating with network elements such as routers, protocol bridges, and IoT devices, aggregating information to offer support to home IoT administrators. It may also act as a gateway, enabling information sharing between the home IoT environment and other networks or entities, such as the IoT solution provider”.

This would potentially protect high wattage devices from being compromised by hackers to manipulate power demands and cause blackouts.

So, bringing down our essential electric grid may be made easier with all of our new interconnected devices.  Asymmetrical warfare.

Will Congress, agencies advance IoT security?

So far, no U.S. agency or entity has taken the lead on developing standards or guidelines for IoT security.
Sen. Mark Warner (D-Va.), along with Sen. Cory Gardner (R-Colo.), introduced the Internet of Things Cybersecurity Improvement Act of 2017. The bill prohibits agencies from acquiring IoT devices and sensors that aren't patchable and that don't have changeable passwords. So far, the bill hasn't received a hearing or a vote in the Senate Homeland Security and Government Affairs Committee, which has jurisdiction over federal procurement and cybersecurity.

Federal agencies must “consider that IoT presents challenges in achieving those [cybersecurity] outcomes or there are challenges that IoT may present in achieving security controls -- and we wanted to highlight those,” Katerina Megas, program manager for NIST's Cybersecurity for Internet of Things program, told FCW at the Internet of Things Global Summit on Oct. 4.

Cyberattacks Put Russian Fingers on the Switch at Power Plants, U.S. Says
The U.S. has gone on record saying Russia was behind recent power plant failures. Forensic analysis suggested that Russian spies were looking for inroads — although it was not clear whether the goal was to conduct espionage or sabotage, or to trigger an explosion of some kind.

In a report made public in October, Symantec noted that a Russian hacking unit “appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so.”

“I see 2018 as a ramp-up to 2020,” said Laura Rosenberger, the director of the Alliance for Securing Democracy at the German Marshall Fund. Ms. Rosenberger, a former State Department official, has been leading one of the most comprehensive efforts to track and expose foreign influence in American elections.

The security challenges facing IoT devices are much more difficult to deal with. There are many ways an adversary can access a smart appliance. An adversary can directly get access to the device, or get access to the mobile phone, tablet, or a thermostat that controls that device, or with the ubiquity of digital home assistant devices such as Amazon Alexa or Google Home, an adversary can control smart appliances by getting access to these devices. Any of these devices can be a breaching point for an adversary. Hence, coherent security measures are needed to protect almost all the devices within a home network against an adversary. Thus, in the IoT side, more research is required to study the vulnerability of IoT devices and networks, and to protect them against cyberattacks.

We have revealed a new class of attacks on the power grid using an IoT botnet called Manipulation of demand via IoT (MadIoT) attacks. We have demonstrated via state-of-the-art simulators that these attacks can result in local outages as well as large scale blackouts in the power grid depending on the scale of the attack as well as the operational properties of the grid.

BlackIoT: IoT botnet of high wattage devices can disrupt the power grid

Authors: Saleh Soltan, Prateek Mittal, and H. Vincent Poor, Princeton University

Abstract: We demonstrate that an Internet of Things (IoT) botnet of high wattage devices–such as air conditioners and heaters–gives a unique ability to adversaries to launch large-scale coordinated attacks on the power grid. In particular, we reveal a new class of potential attacks on power grids called the Manipulation of demand via IoT (MadIoT) attacks that can leverage such a botnet in order to manipulate the power demand in the grid.

Power grid security standards are all based on the assumption that the power demand can be predicted reliably on an hourly and daily basis [62]. Power grid operators typically assume that power consumers collectively behave similarly to how they did in the past and under similar conditions (e.g., time of the day, season, and weather). However, with the ubiquity of IoT devices and their poor security measures (as shown in [12]), we demonstrate that this is no longer a safe assumption.

There has been a recent trend in producing Wi-Fi enabled high wattage appliances such as air conditioners, water heaters, ovens, and space heaters that can now be controlled remotely and via the Internet [3] (for the power consumption of these devices see Table 1). Even older appliances can be remotely controlled by adding Wi-Fi enabled peripherals such as Tado° [8] and Aquanta [2]. A group of these devices can also be controlled remotely or automatically using smart thermostats or home assistants such as Amazon Echo [1] or Google Home [4]. Hence, once compromised, any of these devices can be used to control high wattage appliances remotely by an adversary to manipulate the power demand. In this paper, we reveal a new class of potential attacks called the Manipulation of demand via IoT (MadIoT) attacks that allow an adversary to disrupt the power grid’s normal operation by manipulating the total power demand using compromised IoT devices (see Fig. 1). These attacks, in the extreme case, can cause large scale blackouts. An important characteristic of MadIoT attacks is that unlike most of previous attacks on the power grid, they do not target the power grid’s Supervisory Control And Data Acquisitions (SCADA) system but rather the loads that are much less protected as in load-altering attacks studied in [11, 41].

This article is published as part of the IDG Contributor Network.


Thanks to Deepak Puri (see source)
