USENIX Security '18 – BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid



It's my pleasure to be here to talk about our work on how an IoT botnet of high wattage devices can disrupt the normal operation of the power grid and cause a large-scale blackout. This is joint work with Prateek Mittal and Vincent Poor, also from Princeton University.

As you all know, power systems are one of the most essential infrastructure systems; the National Academy of Engineering named electrification the greatest engineering achievement of the 20th century, above computers and the Internet. These systems consist of different components. First are generators, that convert energy from natural resources into electricity. Then there are high voltage transmission networks that deliver electricity from the generators to the distribution system of a town or city. And then there are distribution networks that provide electricity at various voltage levels to industrial, commercial and residential consumers, or loads. The term "power grid" mainly refers to the transmission network, and all the other components are usually lumped into components within this transmission network. To show you an example, here is the North American transmission network, which is the largest running machine in the world. It consists of about 70,000 lines and 55,000 buses; if you're not familiar with the term buses, you can think of them as the nodes in this network.

Besides this physical infrastructure, these systems are controlled and monitored by SCADA systems, supervisory control and data acquisition systems, that have been shown to be vulnerable to cyberattacks in the past couple of years. The most infamous of these examples is the cyberattack on the Ukrainian SCADA system that impacted about 200,000 people in December 2015. In another recent report it has been shown that attacks on SCADA systems, on a smaller scale, are more pervasive in the US grid. It is mentioned in the report that hackers are developing a penchant for attacks on energy infrastructure because of the impact the sector has on people's lives. In another recent report by the Department of Homeland Security it has been indicated that hackers could get access to the SCADA systems of the US power grid, and they got to the point where they could have thrown switches and disrupted power flows.

Inspired and motivated by all of these events, there has been a lot of effort to improve the cybersecurity of power systems. However, most of the security work has been on the power grid's physical infrastructure as well as on its control network, and it was all based on the assumption that the power demand can be predicted reliably on an hourly and daily basis, based on historical data as well as data such as weather data. However, with the growth in the number of Wi-Fi enabled high wattage IoT devices, such as air conditioners and water heaters, we were wondering whether this is still a safe assumption or not. To answer this question let's look at some numbers. Here is a table that shows the power usage of the most common appliances in households these days that are also Wi-Fi enabled. On top we have air conditioners that consume about 1 kilowatt of instantaneous power, and at the bottom we have more energy hungry devices such as electric water heaters and electric ovens that consume about 5 kilowatts of instantaneous power. If you look at one of the largest botnets in the past couple of years, the Mirai botnet, it consisted of over 600,000 bots. Multiply this by the power consumption of electric water heaters and we see that a Mirai-sized botnet of water heaters can change the demand instantly in an area by about 3 gigawatts. Just to give you a sense of what this means, it is similar to an attacker getting access to the largest nuclear power plant in Paraguay.

So based on this, in this work we introduce a new threat that we call Manipulation of demand via IoT, or MadIoT, attacks, and we demonstrate that high wattage IoT devices, once compromised, give an adversary a unique capability to manipulate the demand in the power grid and potentially cause a blackout. To illustrate this, here is a small figure of the power grid, and here are the high wattage devices that are connected to the power grid via the distribution network. An adversary that can get access to these high wattage IoT devices, if there are sufficiently many of them, can manipulate the demand in the power grid by synchronously turning these devices on and off.

Such an attack will have several consequences for the normal operation of the power grid. In particular, here is the frequency response of the power system to such an attack. As you all know, in North America the power system operates at 60 Hertz, so before any attack the frequency should be around 60 Hertz with small fluctuations. At time zero the attacker increases the demand instantly, which subsequently causes the frequency of the system to drop. This drop in the frequency of the system is due to the change in the rotating speed of the generators, whose rotors compensate for the extra demand with their inertia. If this drop in the frequency is significant, it causes the protection relays to disconnect the generators from the grid in order to protect the hardware, and as a result it may cause outages. So the first consequence of a MadIoT attack is frequency instability in the system.

However, if this drop in the frequency is not significant and the system has enough inertia, it can compensate for the extra demand for a short amount of time until the primary controllers of these generators start operating. The primary controllers then increase the power input to the generators in order to increase the generation and compensate for the extra demand, and they can stabilize the frequency within several seconds. However, since this change in the power supply and demand is not planned by the system operator, it can result in several line failures, and these line failures can initiate cascading failures that may lead to a large-scale blackout. Therefore the second consequence of these attacks can be a blackout as well.

Finally, if these attacks do not result in any damage to the network, since the system operator needs to compensate for the demand by deploying more generation, they may lead to an increase in the operating cost of the grid, which is the third consequence of these events.

To go into the details of each of these consequences we did several simulations on several cases, and here I present some of the work that we've done. We did some simulations on the WSCC 9-bus system, which is a small system but is the benchmark in the power community. We analyzed two cases: one where the attacker increases the demand by 20%, and one where the adversary increases the demand by 30%. For each there are two cases, when the grid has low inertia and when it has high inertia, meaning it has enough generators to temporarily compensate for the extra demand. For example, you will see that when the system has low inertia, a 20 percent load increase may lead the frequency of the system to hit this critical under-frequency generation tripping area, which causes the generators to get disconnected from the grid and causes a blackout. We also observed that a 30 percent load increase in the grid leads both cases to reach this critical area and causes a large-scale blackout. So the effectiveness of an attack on the frequency of the system depends on the attack scale as well as the system's total inertia at the time of the attack, and a sufficiently large simultaneous increase in the demand can result in a significant drop in the frequency of the system and cause generation tripping.

As I told you earlier, if this drop in the frequency doesn't result in under-frequency generation tripping, it may result in line failures. To analyze this we studied a case in the Polish summer 2008 grid, and we looked at the case in which the demand only increases by 1%. For such an attack the attacker requires about 200,000 smart ACs. We observed that after such an attack there would be several initial line failures, and after these lines get removed from the grid through the protection relays, they result in several other line failures in the second step. Such a cascade of line failures may develop for five stages and result in 263 line failures and an 86 percent outage. Therefore only a 1% increase in the demand in the Polish summer 2008 grid can initiate this critical cascading line failure. We repeated these simulations on the snapshot of the Polish summer 2004 grid and saw that, for causing the same level of damage, this time the attacker needs to increase the demand by at least 10%, which requires two million ACs, which is a significant number. To show you why the 2004 Polish grid is more robust against these types of attacks, we look at the histogram of the Polish grid lines' power flow to capacity ratio in summer 2004 and summer 2008, and we observe that there are more lines operating near their capacity in summer 2008 compared to summer 2004, which explains why the system is more vulnerable to this type of attack. Therefore it is important how saturated the power lines are at the time of an attack; this can provide some insight into how we can protect the grid against these attacks. However, what we observed here is that attacks resulting in cascading line failures in general require fewer bots than attacks resulting in critical frequency disturbances.

Another way an attacker can cause line failures is to attack tie lines. Tie lines are usually high-capacity lines that connect neighboring states or neighboring countries, and they usually carry a large amount of power flow that is exported from or imported into a state. An attacker can cause failures in these tie lines by increasing the demand at the receiving end of the tie lines and decreasing the demand at the sending end. We looked at a hypothetical scenario which connects five countries, for example, and we observed that by increasing the demand by 1.5 percent in the yellow area and decreasing the demand by 5% in the blue area, we can cause line failures in both of these tie lines. After such a failure, this can result in a huge imbalance between power supply and demand in both areas and trigger frequency instability or another set of cascading line failures. If you look at the history of blackouts, this is somewhat similar to the scenario that happened in Italy in 2003, which started with a failure in a tie line; soon the initial failure triggered other failures in other tie lines, and in Italy that resulted in a large-scale blackout at that time.

And finally, as I said earlier, if the attack doesn't result in any damage to the grid, it can result in an increase in the operating cost of the grid, or the adversary's attack may be for the benefit of a particular player in the electricity market rather than damaging the infrastructure network. We did several simulations, but to cut the story short, we observed that in some situations only a 5% increase in the demand can result in a 20% increase in the operating costs, which is a significant amount.

To give you a summary of the number of bots required to cause these damages: here we assume that all the bots are air conditioners, because they consume one kilowatt, and we show the botnet size in bots per megawatt, so we normalize them by the size of the grid. On the top we see that to cause a frequency drop a significant number of bots is required; however, for causing line failures and increasing the operating cost of the grid, a much smaller number of bots is required. In this research we only used publicly and freely available test grids, so as not to reveal any vulnerabilities of real grids; therefore these numbers may be quite different for different grids with different characteristics, for example different inertia and different topology. Therefore more detailed analysis of the effect of MadIoT attacks should be performed by system operators to determine the robustness or vulnerability of their own system. Moreover, as you can see, for causing critical frequency drops a substantial number of IoT devices is required, and since they should all be in the same geographical area this might not be easily achievable by an attacker. However, with the growing number of IoT devices it may be easier to achieve these numbers a few years from now.

In order to see how we can protect the grid against these types of attacks, I should mention some of the unique properties of these attacks that make them very hard to defend against. The first property is that these attacks are indirect, meaning that the attacker doesn't need to get access to the SCADA system and can attack the grid only using the IoT devices. Second, it is very hard for the system operator to detect and disconnect these devices, because they are distributed and the system operator doesn't have access to the data of these IoT devices. Third, they are easy to repeat, so the attacker can repeat these attacks until they are successful. Fourth, they are black box, meaning the adversary doesn't need to know the underlying topology of the grid or the detailed operational properties of the grid, and because of the third property it can just repeat these attacks until they are successful at a certain time. And the final property, which is solvable, is that the power grids currently are not prepared to defend against these types of attacks, and these types of attacks are not part of their contingency lists.

So these lead to some ideas on how we can protect the grid, or at least increase its preparedness against these types of attacks. For doing so, the first thing is that the system operators can improve the frequency stability of their systems by accounting for these types of attacks and operating their system such that it has enough inertia and there wouldn't be a critical frequency drop in their systems. They can also use devices that provide virtual inertia, such as flywheels and batteries, to increase the total inertia of the system at a lower cost. Line failures can also be prevented if they operate their system at an operating point such that no lines get overloaded after such an attack; however, it requires solving a non-convex problem. In a recent work we developed new tools to find such an operating point efficiently in polynomial time, which is a paper available on arXiv. Finally, they can remove sensitive online data, such as power flows on the tie lines, in order to prevent attackers from using these data to make their attacks more successful.

To conclude, we believe that protecting the grid against MadIoT attacks requires effort from both the power systems community as well as the systems security community. We believe that power system operators should rigorously analyze the effect of potential attacks on their systems and, with the help of researchers, develop new methods to protect the grid against these types of attacks. From the IoT security perspective, we showed that insecure IoT devices can have devastating effects that go beyond individual security and privacy losses; therefore rigorous pursuit of the security of IoT devices, including regulatory frameworks, is needed. And finally, we showed that the interdependency between infrastructure networks may lead to hidden vulnerabilities; therefore system designers and security analysts should explicitly study the threats introduced by interdependent infrastructure networks in the future. With this I'd like to thank you all, and I would be happy to hear your questions. Thank you. [Applause]

Hi, Bill Cheswick, University of Pennsylvania. Thank you for an appalling new threat model, the Internet of high-wattage things. One of the loads that could be turned on that isn't on your list yet, but probably will be in the coming years, is charging electric cars, which often do not get a full charge; you charge three quarters of the way, and they would not notice or mind if the charger was turned on for an extra minute all of a sudden. And so it'd be nice if the auto guys were even more secure than they're supposed to be now.

Absolutely. Electric cars are a huge headache for power system operators as it is, even in the distribution network. Assuming that all the cars go to, say, the stadium to watch a football game and they all want to charge, they instantly overload the distribution network; it doesn't even get to the transmission network. It's a great comment; it should be considered.

Hello, I'm Jun Ano from China, an undergraduate. I'm very curious about the controller in the power networks, because the frequency must be synchronized. So did you take some considerations on the controller?

So we considered some, but we didn't get into the details of the asynchronous consequences of these types of attacks, which may really make these attacks more significant, because after these frequency disturbances these generators may run into asynchronous frequency. But again, it's another type of consequence that may lead to blackouts; we didn't get a chance to look at them more carefully, but it's a great question.

And I also wonder, I noticed that in our daily life, when we turn on air conditioners it takes several seconds for them to start. So this can lead to a delay; so what did you do, that is the question.

So we also mentioned this; it is part of the things that make attacks on the frequency of the system harder. But this delay doesn't prevent line failures, because they essentially just increase the demand in a way that is unplanned; basically you change the power flow on the grid, so it doesn't change the second and third consequences of these attacks. But you are right that, for the frequency, ACs might be very difficult to use, but water heaters don't have this, because there is no... So I think the main reason here is that they're distributed; it doesn't really overflow your internal circuitry, but as they aggregate and reach the transmission network they increase the load beyond capacity. So at the distribution level they don't trigger any circuit breakers, because this is the normal usage that can occur on a very hot summer day; the distribution network can already handle that power usage. But if it is not a very hot day and you instantly turn all of those on, that is where it is unexpected.

Sure, so we can take one last question.

Hey, I'm from Georgia Tech, and I have a question about the feasibility of such attacks. Usually residential load in the power system is less than 30 or 40 percent, so changing the power demand by 20 percent with residential customers is very hard. I was curious, because if you want to, for example, change 20% of the total demand using only residential customers, you have to change the residential consumption by 100 percent.

So we totally agree; in this sense, for causing frequency disturbances it's very difficult. The power grids are already protected against losing a single generator, for example. But you can add to these some of the IoT devices that are used at the industrial level for automation, so if those can also be considered, they can increase the possibility of these attacks. We're happy that they are not feasible at this current moment as it is for frequency disturbances, but we believe that in the future there would be more ways to increase it, again using industrial factories; you can use all of those devices. And the line failures, again, require a much smaller number of devices, which is 1%, which is feasible using these devices. We can take this offline.

I'm from the National Science Foundation; I had two quick questions. The first question is, in your simulation of the power grid that you did, did you just apply a step increase in the load, or did you actually consider the transient behavior?

So we did the step increase in the load, but we also did step-by-step. When you do the step-by-step increase, the drop in the frequency is not as significant, which is what we expected, but if you do the step, which is hard to achieve, this is what we did in the frequency analysis.

Okay, so normally an AC will have a transient behavior. My second question is that in a smart grid there are a lot of energy storage systems which are controlled by the power company, the grid operator, so as you're adding load they'll be controlling those to shed load. So did you consider that?

So this was a trick that we also mentioned in the paper. We don't believe that load shedding is the best strategy here, because then the attacker can turn off those devices and cause a frequency overshoot. If you look at the paper, we believe that it's better to operate the grid at an operating point that doesn't get overloaded in any sense, that doesn't require load shedding, because load shedding can complicate... [Applause]
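The talk's frequency argument (the nadir depends on the size of the demand change and on the system's total inertia, primary control settles the frequency within seconds, and a gradual increase is far less damaging than a synchronous one, as discussed in the last question) can be reproduced with a small aggregate model. The following is an added example written for this page, not code from the BlackIoT paper or its authors: a single-machine swing equation with a first-order governor, integrated with forward Euler. All parameters (inertia constant H, load damping D, droop R, governor time constant Tg) and the 59.0 Hz tripping threshold used in `minimum_inertia` are constructed for illustration and do not describe any real grid; the `simulate_demand_change`, `steady_state_hz` and `minimum_inertia` names are this example's own.

```python
"""
Toy model of a bulk power system's frequency response to an unplanned
change in demand (added example, not from the BlackIoT paper).

    2H * d(dw)/dt  = dPm - dPl - D*dw     (aggregate swing equation)
    Tg * d(dPm)/dt = -dw/R - dPm          (primary control: governor droop)

Powers are per unit on the system base; dw is the frequency deviation in
per unit of the nominal 60 Hz.  Every parameter below is an assumption.
"""
from dataclasses import dataclass, replace

F0 = 60.0  # nominal frequency in North America, Hz


@dataclass(frozen=True)
class GridParams:
    """Aggregate system parameters; the defaults are assumed, not measured."""
    H: float = 4.0   # inertia constant, seconds
    D: float = 1.0   # load damping, pu power per pu frequency
    R: float = 0.05  # governor droop (5%)
    Tg: float = 0.5  # governor response time constant, seconds


@dataclass(frozen=True)
class Response:
    nadir_hz: float      # lowest frequency reached during the transient
    nadir_time_s: float  # time at which the nadir occurred
    final_hz: float      # frequency at the end of the simulation


def simulate_demand_change(step_pu, grid=GridParams(), ramp_s=0.0,
                           duration_s=20.0, dt=0.005):
    """Integrate the model for a demand increase of `step_pu` applied at
    t=0.  ramp_s=0 models a synchronous change (every device switching at
    once); ramp_s>0 spreads the same increase linearly over that many
    seconds, like devices that take time to come on."""
    dw = 0.0   # frequency deviation, pu
    dpm = 0.0  # generator mechanical power deviation, pu
    nadir_hz, nadir_t = F0, 0.0
    for k in range(round(duration_s / dt)):
        t = k * dt
        # demand deviation seen by the generators at time t
        if ramp_s <= 0.0 or t >= ramp_s:
            dpl = step_pu
        else:
            dpl = step_pu * t / ramp_s
        # rotors slow down while load exceeds mechanical power; the governor
        # raises mechanical power in proportion to the frequency error
        ddw = (dpm - dpl - grid.D * dw) / (2.0 * grid.H)
        ddpm = (-dw / grid.R - dpm) / grid.Tg
        dw += ddw * dt
        dpm += ddpm * dt
        f = F0 * (1.0 + dw)
        if f < nadir_hz:
            nadir_hz, nadir_t = f, t + dt
    return Response(nadir_hz, nadir_t, F0 * (1.0 + dw))


def steady_state_hz(step_pu, grid=GridParams()):
    """Closed-form post-disturbance frequency once the governor settles:
    droop and load damping together absorb the extra demand."""
    return F0 * (1.0 - step_pu / (1.0 / grid.R + grid.D))


def minimum_inertia(step_pu, trip_hz, grid=GridParams(), h_grid=None):
    """Smallest inertia constant on a coarse search grid for which the nadir
    stays above an under-frequency generation-tripping threshold (trip_hz
    is a constructed setting, not a standard value).  Returns None if no
    value on the grid is enough."""
    if h_grid is None:
        h_grid = [1.0 + 0.5 * i for i in range(39)]  # 1.0 s .. 20.0 s
    for h in h_grid:
        if simulate_demand_change(step_pu, replace(grid, H=h)).nadir_hz >= trip_hz:
            return h
    return None


if __name__ == "__main__":
    for h in (2.0, 6.0):  # low- vs high-inertia case, as in the talk
        r = simulate_demand_change(0.20, GridParams(H=h))
        print(f"+20% demand, H={h:.0f}s: nadir {r.nadir_hz:.2f} Hz at "
              f"{r.nadir_time_s:.2f}s, settles at {r.final_hz:.2f} Hz")
    r = simulate_demand_change(0.20, ramp_s=10.0)
    print(f"+20% demand ramped over 10s: nadir {r.nadir_hz:.2f} Hz")
    print("minimum H to stay above 59.0 Hz for +20%:",
          minimum_inertia(0.20, 59.0))
```

Because the model is linear, the nadir deviation scales exactly with the size of the demand change, which is why the talk's 20% and 30% cases differ only in how far the same curve dips; the inertia constant changes the shape of the curve, and `minimum_inertia` is the kind of check an operator could run to see how much inertia (real or virtual, from flywheels or batteries) keeps a given demand step above the tripping threshold. Note that the steady-state frequency after the governor settles is independent of H: inertia only buys time for primary control, exactly the point the talk makes.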
