Hackers Could Use IoT Botnets to Manipulate Energy Markets

[Karlston]

Hackers Could Use IoT Botnets to Manipulate Energy Markets

With access to just 50,000 high-wattage smart devices, attackers could make a bundle off of causing minor fluctuations.

Researchers calculated that by running an attack for three hours a day, 100 days a year, market manipulators could take home as much as $24 million per year.Photograph: George Rose/Getty Images

 

 

On a Friday morning in the fall of 2016, the Mirai botnet wrecked havoc on internet infrastructure, causing major website outages across the United States. It was a wake-up call, revealing the true damage that zombie armies of malware-infected gadgets could cause. Now, researchers at the Georgia Institute of Technology are thinking even farther afield about targets that botnets could someday disrupt—such as energy markets.

 

At the Black Hat security conference on Wednesday, the researchers will present their findings, which suggest that high-wattage IoT botnets—made up of power-guzzling devices like air conditioners, car chargers, and smart thermostats—could be deployed strategically to increase demand at certain times in any of the nine private energy markets around the US. A savvy attacker, they say, would be able to stealthily force price fluctuations in the service of profit, chaos, or both.

 

The researchers used real, publicly available data from the New York and California markets between May 2018 and May 2019 to study fluctuations in both the "day-ahead market" that forecasts demand and the "real-time market," in which buyers and sellers correct for forecasting errors and unpredictable events like natural disasters. By modeling how much power various hypothetical high-wattage IoT botnets could draw, and crunching the market data, the researchers devised two types of potential attacks that would alter energy pricing. They also figured out how far hackers would be able to push their attacks without the malicious activity raising red flags.

 

"Our basic assumption is that we have access to a high-wattage IoT botnet," says Tohid Shekari, a PhD candidate at the Georgia Institute of Technology who contributed to the research, along with fellow PhD candidate Celine Irvine and professor Raheem Beyah. "In our scenarios, attacker one is a market player; he’s basically trying to maximize his own profit. Attacker two is a nation-state actor who can cause financial damage to market players as part of a trade war or cold war. The basic part of either attack is to look at price-load sensitivity. If we change demand by 1 percent, how much is the price going to change as a result of that? You want to optimize the attack to maximize the gain or damage."

 

An attacker could use their botnet's power to increase demand, for instance, when other entities are betting it will be low. Or they could bet that demand will go up at a certain time with certainty that they can make that happen.

 

Unlike regular IoT botnets that are ubiquitous and available for hire on criminal forums, high-wattage botnets are not as practical to amass. None are known to be available for rent by would-be attackers. But over the past couple of years, researchers have begun investigating how they could be weaponized—one example looked at the possibility of mass blackouts—in anticipation that such botnets will someday emerge.

 

Meanwhile, the idea of energy market manipulation in general is not far-fetched. The US Federal Energy Regulatory Commission investigated 16 potential market manipulation cases in 2018, though it closed 14 of them with no action. Additionally, in mid-May, attackers breached the IT systems of Elexon, the platform used to run the United Kingdom's energy market. The attack did not appear to result in market changes.

 

The researchers caution that, based on their analysis, much smaller demand fluctuations than you might expect could affect pricing, and that it would take as few as 50,000 infected devices to pull off an impactful attack. In contrast, many current criminal IoT botnets contain millions of bots. Consumers whose devices are unwittingly conscripted into a high-wattage botnet would also be unlikely to notice anything amiss; attackers could intentionally turn on devices to pull power late at night or while people are likely to be out of the house. The idea is to maximize strategic moments that both capitalize on market conditions and help maintain a low profile. The researchers calculated that market manipulation campaigns would cause, at most, a 7 percent increase in consumers' home electric bills, likely low enough to go unnoticed.

 

For hackers, the rewards could be significant. The researchers calculated that by running an attack for three hours per day, 100 days per year, market manipulators could take home as much as $24 million a year. And a determined saboteur could use the same type of attacks to cause as much as $350 million per year in economic damage.

 

It's difficult to know, though, how such attacks would actually play out in practice. For example, the researchers assumed that one attacker attempting to launch botnet-driven market manipulation campaigns at a time in a given region. Multiple actors attempting the same scam in the same place could degrade their returns or make it more likely that they'd get caught. The research also assumes both the existence of high-wattage IoT botnets and that they would be consistent and predictable platforms.

 

Still, the fact that such attacks were relatively easy to conceive and model indicates that they could be crazy enough to work someday. The researchers emphasize that their goal is to promote prevention and defense before that happens. They suggest that high-wattage IoT devices should include some type of real-time monitoring that could flag suspicious use potentially consistent with a malware infection. And they suggest that energy markets revisit how much granular and constantly updating load data they need to release publicly. Limiting that access wouldn't make it impossible for attackers to get their hands on the data, but it would add a barrier to entry.

 

"It's an example of how the threat landscape changes in unexpected ways," says Beyah, who also cofounded the industrial-control security firm Fortiphyd Logic. "Who would have thought that my washing machine or stationary bike could be the foundation of a completely new type of attack?"

 

 

Hackers Could Use IoT Botnets to Manipulate Energy Markets