Air-conditioned apocalypse: blackout scenario of the grid using smart climate instruments

Sci-fi films sometimes show various situations involving cybercriminals. That they will break the work of the transport network of the big city, then the power supply of the whole region will be turned off. And this is not entirely fiction, since it is not so difficult to influence the operation of the power grid.

Information security specialists described a cybercriminal scenario that allows you to arrange a local apocalypse with power supply. And for that, you don't need to blow anything up. It is enough to create a botnet that will attack Iot devices like smart air conditioners, thermostats, etc. If thermostats and air conditioners are turned on in the houses or apartments of the whole region, then there is not enough energy for all of them and there will be interruptions in energy supply.

It is clear that thousands and thousands of devices will have to be turned on, because many grids are now quite reliable. But the most reliable network with redundancy of everything and everything will not withstand the enormous load that “energy vampires” are capable of providing - air conditioners, heaters, water heaters, etc. By the way, it is possible to influence the operation of the energy network with the help of “industrial” viruses, which are being introduced into automated control systems of distribution substations.
')
A report on the detailed calculations of the energy apocalypse was made at the Usenix Security conference last week. In the calculations, the experts decided to operate with the scale of the whole country or state, where about 38 million people live. Each household does not have to be hacked - it will be enough to take control over tens of thousands of water heaters or hundreds of thousands of air conditioners.

“Power systems are stable as long as they can provide for the needs of the region that is supplied with electricity,” says Sahe Soltan, the author of the report mentioned above. “If you have a botnet that has infected hundreds of thousands of devices, you can manipulate them as you need them,” the expert continued.

The result is a failure in the system with subsequent blackouts. By the way, besides air conditioners and water heaters, smart tea kettles with coffee makers will do - they also consume a lot of electricity. According to the authors of the scenario using IoT devices, attackers can and will increase the load on the network at the most inappropriate time for municipal services, and they will do this with different frequency, changing the load level as well.

It is worth noting that the scenario is purely conceptual, since nothing was said about the vulnerabilities of the smart technology that could be exploited by intruders. On the other hand, experts in the field of information security have long been saying that IoT systems are protected very weakly. Their developers are mostly concerned about the design and functions of devices, and not about security. By the way, back in 2016, the Kaspersky Analyst Summit conference was about the vulnerability of one of the smart air conditioner models. In addition, information has already been published on hacking a variety of systems - from refrigerators to aquariums.

In order to study the possible influence of the attackers on the energy networks, the researchers used the software packages MATPOWER and Power World. With it, experts were able to verify the scale of the influence of botnets of different levels on energy networks. And the problems can be very significant. For example, 86% of power grids in Poland can be put out of action by an unexpected increase in total energy consumption by 1%. This can be achieved by simultaneously switching over 210,000 air conditioners or 42,000 water heaters.

For a botnet, such a number of devices is not a problem, because the largest systems like Mirai included hundreds of thousands of devices at the peak of their performance. In the case of Mirai, it was a question of routers and IP cameras, but the fact remains that large-scale infections of smart devices are quite a real thing.

Information security researchers say creating a botnet from smart air conditioners, refrigerators, and heaters can be a task that cannot be done right now. The fact is that the smart devices themselves are not so much, but over time they will become much more, since the home appliances produced now by leading manufacturers somehow relate to IoT. A botnet of this kind is only a matter of time, there is practically no doubt that someone will try to make a real attack. It is possible that smart air conditioners and heaters will be hacked for a different purpose - for example, for mining any cryptocurrency, rather than creating blackouts.

But if hackers seriously take up such networks and decide to disrupt the power supply of a particular region, this can be done relatively simply. Moreover, the grid operator, who will look for the cause of the problem, can be confused, gradually increasing the energy consumption of some regions and reducing it in others. Thus, the total load on the network will be very large, but the cause will be difficult to find, since the dynamics of changes in energy consumption will be difficult. And even to understand that this is the work of the intruders, it can be difficult - after all, you never know, suddenly the residents of a city became hot due to weather changes and they decided to turn on the air conditioners.

The only way to avoid the realization of such a scenario is to draw attention to the need to protect smart devices. As mentioned above, usually IoT device developers do not pay attention to the need to protect