Researchers: IoT Botnets Could Influence Energy PricesPaper Describes How Connected Devices Could Be Used to Manipulate Markets
High-wattage IoT devices and appliances, such as connected refrigerators, air conditioners and heaters, could be turned into massive botnets by malicious actors and used to influence energy prices, according to an academic study released at Black Hat 2020.
In their presentation, "IoT Skimmer: Energy Market Manipulation through High-Wattage IoT Botnets," researchers from the Georgia Institute of Technology describe how an "IoT Skimmer" - which consists of thousands of connected devices - could cause price fluctuations or create financial damage by targeting utility firms.
To achieve this, threat actors would need to infect at least 500,000 IoT devices with malware, such as Mirai, the researchers note. The attackers could then artificially increase or decrease power demand within a certain area by regularly switching these devices on and off, the researchers say.
"Using a botnet to increase or decrease power consumption by just 1% would be enough to manipulate prices and be extremely hard to detect," says Raheem Beyah, a professor at Georgia Institute of Technology, who presented the research at Black Hat 2020 this week along with PhD candidate Tohid Shekari.
The researchers note that these tactics could be adopted by competitive companies to financially damage another utility. Or a nation-state actor could use the approach to remotely target firms in other countries to cause economic losses.
The researchers stress, however, that this type of attack has not been seen in the wild.
The analysis was based on data collected from electricity markets in California and New York, the paper notes. The researchers looked at two hypothetical attack scenarios: hacking by a nation-state actor or economic mischief carried out by a competitive firm.
Because energy utilities purchase power from generators to meet anticipated customer demand, the researchers note that hackers could seek to create demand volatility and thus influence prices paid.
"Creating erroneous demand data to manipulate forecasts could be profitable to the suppliers selling energy to meet the unexpected demand, or the retailers or utilities buying cheaper energy from the real-time market," according to the Georgia Tech researchers.
Assuming that the next step for the attackers would be to cause demand fluctuations, the researchers then looked at the feasibility of using IoT botnets to create volatile power demand.
Because the attackers would need at least 50,000 high-wattage IoT devices to compromise an electric utility, the researchers note that threat actors might rent botnets, IoT botnet services or distributed denial-of-service attacks at reasonable prices on the darkweb.
The researchers note that a malicious market player in the U.S. could generate $24 million in yearly profit, while a determined nation-state hacker could cause a loss of $350 million per year to U.S. electrical utilities.
The researchers note that detection and prevention, using a real-time IoT monitoring database, is the key to avoiding IoT Skimmer attacks. Another crucial step for energy utilities is to prevent the public sharing of market data.
While the research paper is based on theoretical scenarios, real-word attacks targeting utilities and other firms have been increasing.
In June, security firm Proofpoint reported that several U.S. energy providers were targeted by a spear-phishing campaign attempting to spread a remote access Trojan called FlowCloud (see: US Energy Utilities Targeted by FlowCloud Malware).
In March, the European Network of Transmission System Operators, which represents over 40 electricity transmission operators throughout the continent, revealed that hackers penetrated its IT network (see: Hackers Target European Power Association).