August 14, 2018 | International, C4ISR

HOW HACKED WATER HEATERS COULD TRIGGER MASS BLACKOUTS

When the cybersecurity industry warns about the nightmare of hackers causing blackouts, the scenario they describe typically entails an elite team of hackers breaking into the inner sanctum of a power utility to start flipping switches. But one group of researchers has imagined how an entire power grid could be taken down by hacking a less centralized and protected class of targets: home air conditioners and water heaters. Lots of them.

At the Usenix Security conference this week, a group of Princeton University security researchers will present a study that considers a little-examined question in power grid cybersecurity: What if hackers attacked not the supply side of the power grid, but the demand side? In a series of simulations, the researchers imagined what might happen if hackers controlled a botnet composed of thousands of silently hacked consumer internet of things devices, particularly power-hungry ones like air conditioners, water heaters, and space heaters. Then they ran a series of software simulations to see how many of those devices an attacker would need to simultaneously hijack to disrupt the stability of the power grid.

Their answers point to a disturbing, if not quite yet practical scenario: In a power network large enough to serve an area of 38 million people—a population roughly equal to Canada or California—the researchers estimate that just a one percent bump in demand might be enough to take down the majority of the grid. That demand increase could be created by a botnet as small as a few tens of thousands of hacked electric water heaters or a couple hundred thousand air conditioners.

"Power grids are stable as long as supply is equal to demand," says Saleh Soltan, a researcher in Princeton's Department of Electrical Engineering, who led the study. "If you have a very large botnet of IoT devices, you can really manipulate the demand, changing it abruptly, any time you want."

The result of that botnet-induced imbalance, Soltan says, could be cascading blackouts. When demand in one part of the grid rapidly increases, it can overload the current on certain power lines, damaging them or more likely triggering devices called protective relays, which turn off the power when they sense dangerous conditions. Switching off those lines puts more load on the remaining ones, potentially leading to a chain reaction.

"Fewer lines need to carry the same flows and they get overloaded, so then the next one will be disconnected and the next one," says Soltan. "In the worst case, most or all of them are disconnected, and you have a blackout in most of your grid."

Power utility engineers, of course, expertly forecast fluctuations in electric demand on a daily basis. They plan for everything from heat waves that predictably cause spikes in air conditioner usage to the moment at the end of British soap opera episodes when hundreds of thousands of viewers all switch on their tea kettles. But the Princeton researchers' study suggests that hackers could make those demand spikes not only unpredictable, but maliciously timed.

The researchers don't actually point to any vulnerabilities in specific household devices, or suggest how exactly they might be hacked. Instead, they start from the premise that a large number of those devices could somehow be compromised and silently controlled by a hacker. That's arguably a realistic assumption, given the myriad vulnerabilities other security researchers and hackers have found in the internet of things. One talk at the Kaspersky Analyst Summit in 2016 described security flaws in air conditioners that could be used to pull off the sort of grid disturbance that the Princeton researchers describe. And real-world malicious hackers have compromised everything from refrigerators to fish tanks.

Given that assumption, the researchers ran simulations in power grid software MATPOWER and Power World to determine what sort of botnet could disrupt what size grid. They ran most of their simulations on models of the Polish power grid from 2004 and 2008, a rare country-sized electrical system whose architecture is described in publicly available records. They found they could cause a cascading blackout of 86 percent of the power lines in the 2008 Poland grid model with just a one percent increase in demand. That would require the equivalent of 210,000 hacked air conditioners, or 42,000 electric water heaters.

The notion of an internet of things botnet large enough to pull off one of those attacks isn't entirely farfetched. The Princeton researchers point to the Mirai botnet of 600,000 hacked IoT devices, including security cameras and home routers. That zombie horde hit DNS provider Dyn with an unprecedented denial of service attack in late 2016, taking down a broad collection of websites.

Building a botnet of the same size out of more power-hungry IoT devices is probably impossible today, says Ben Miller, a former cybersecurity engineer at electric utility Constellation Energy and now the director of the threat operations center at industrial security firm Dragos. There simply aren't enough high-power smart devices in homes, he says, especially since the entire botnet would have to be within the geographic area of the target electrical grid, not distributed across the world like the Mirai botnet.

But as internet-connected air conditioners, heaters, and the smart thermostats that control them increasingly show up in homes for convenience and efficiency, a demand-based attack like the one the Princeton researchers describe could become more practical than one that targets grid operators. "It's as simple as running a botnet. When a botnet is successful, it can scale by itself. That makes the attack easier," Miller says. "It's really hard to attack all the generation sites on a grid all at once. But with a botnet you could attack all these end user devices at once and have some sort of impact."

The Princeton researchers modeled more devious techniques their imaginary IoT botnet might use to mess with power grids, too. They found it was possible to increase demand in one area while decreasing it in another, so that the total load on a system's generators remains constant while the attack overloads certain lines. That could make it even harder for utility operators to figure out the source of the disruption.

If a botnet did succeed in taking down a grid, the researchers' models showed it would be even easier to keep it down as operators attempted to bring it back online, triggering smaller scale versions of their attack in the sections or "islands" of the grid that recover first. And smaller scale attacks could force utility operators to pay for expensive backup power supplies, even if they fall short of causing actual blackouts. And the researchers point out that since the source of the demand spikes would be largely hidden from utilities, attackers could simply try them again and again, experimenting until they had the desired effect.

The owners of the actual air conditioners and water heaters might notice that their equipment was suddenly behaving strangely. But that still wouldn't immediately be apparent to the target energy utility. "Where do the consumers report it?" asks Princeton's Soltan. "They don't report it to Con Edison, they report it to the manufacturer of the smart device. But the real impact is on the power system that doesn't have any of this data."

That disconnect represents the root of the security vulnerability that utility operators need to fix, Soltan argues. Just as utilities carefully model heat waves and British tea times and keep a stock of energy in reserve to cover those demands, they now need to account for the number of potentially hackable high-powered devices on their grids, too. As high-power smart-home gadgets multiply, the consequences of IoT insecurity could someday be more than just a haywire thermostat, but entire portions of a country going dark.

https://www.wired.com/story/water-heaters-power-grid-hack-blackout/