TACKLING NETWORK THREATS ESET on addressing IT threats

As far-fetched as it may sound, the answer to this question is a definite yes, according to researchers, who have demonstrated that networks of electrical grids and smart home appliances could make for a dangerous mix, explains ESET’s security writer Toma


Cybercriminals could rope internet-connected household appliances into a botnet in order to manipulate the demand side of the power grid and, ultimately, cause anything from local outages to large-scale blackouts, according to a study from a team of academics at Princeton University.

Their research focused specifically on power-hungry domestic appliances like electric ovens, space heaters and air conditioners that can be connected to the internet and are often controlled via mobile applications or smart home hubs. They didn’t highlight any specific security flaws in any particular devices, but envisaged a scenario involving their compromise in some way by hackers.

The underlying – and unusual – threads of the proof-of-concept attacks are that threat actors could cause the disruption without compromising the grid’s supervisory control and data acquisition (SCADA) systems. Also, rather than taking aim directly at the network’s supply side, the attacks – nicknamed manipulation of demand via IoT (MadIoT) – would target the demand.

The sources of MadIoT attacks are “hard to detect and disconnect by the grid operator due to their distributed nature,” wrote the researchers. Moreover, the attacks can be easily repeated while requiring no knowledge of the grid’s operational details on the adversary’s part.

The researchers tested the plausibility of the new type of attack on “state-of-the-art simulators on real-world power grid models.” The threat is described in a paper called “BlackIoT: IoT Botnet of High Wattage Devices Can Disrupt the Power Grid”, which was also presented at a recent USENIX security symposium.

Before we dive into the ins and outs of MadIoT, a bit of an aside: actual attacks aimed at electricity supply interruption aren’t unheard of. Ukraine, for one, has experienced two attack-induced blackouts in recent years.

ESET researchers have analysed samples of malware known as Industroyer that was probably to blame for an hour-long outage that hit parts of Kiev and nearby areas in December 2016. That piece of malicious code was found to be capable of controlling electricity substation switches and circuit breakers directly, including in some cases literally switching them off and on.

Back to MadIoT now. In a nutshell, the academics came up with three broad attack scenarios:

First, there are attacks that result in frequency instability due to abrupt increases or decreases in the power demands of high-wattage internet-connected devices, achieved by simultaneously turning many of them on or off. The ensuing imbalance between supply and demand triggers a sudden drop in the system’s frequency.

“If the imbalance is greater than the system’s threshold, the frequency may reach a critical value that causes generators tripping and potentially a large-scale blackout,” wrote the academics.

A simulation on a power grid model of a US-based utility showed that a 30% increase in demand was enough to cause the tripping of all the generators. “For such an attack, an adversary requires access to about 90 thousand air conditioners or 18 thousand electric water heaters within the targeted geographical area,” the paper stated.

Second, threat actors could cause line failures by redistributing demand for power, the ultimate result being cascading grid failures. This would be done by increasing the demand in some places, for instance by switching on the appliances within one IP range, and by reducing the demand in other areas by turning appliances off within another IP range.

The authors used simulations to show that an increase of only 1% in demand in one particular sector of the Polish grid results in a cascading failure with 263 line failures and outage in 86% of the loads. “Such an attack by the adversary requires access to about 210 thousand air conditioners which is 1.5% of the total number of households in Poland,” reads the paper.

In the third scenario, the demand curve could be manipulated with an eye towards increasing the operating cost of the grid to the benefit of selected utilities on the electricity market. For instance, by forcing the demand for power to go above the predicted value, adversaries could force the grid’s operator to purchase additional power, and at a higher cost, from a reserve generator – obviously to harm the former while benefitting the latter. In this case, the attack would be driven by financial motives, rather than by the aim of damaging the infrastructure.

Arguably, MadIoT attacks bear some resemblance to distributed denial-of-service (DDoS) attacks, where devices conscripted into a botnet inundate a target such as a website or server with so much traffic that the service becomes unavailable. A series of DDoS attacks that were carried out by a botnet of 600,000 hacked IoT devices on August 21, 2016 and caused widespread disruption of legitimate internet activity in the US is a fitting example.

One limitation of MadIoT attacks is that, unlike in DDoS attacks, the compromised bots would need to be located within the boundaries of a power system in a particular area, rather than scattered across the world.

A future threat?

“[O]ur work sheds light upon the interdependency between the vulnerability of the IoT and that of other networks such as the power grid whose security requires attention from both the systems security and the power engineering communities,” according to the academics, who went on to sketch out a set of recommendations to the relevant stakeholders.

Most importantly, grid operators should make sure that their infrastructure is ready to withstand abrupt load changes. At the same time, IoT device manufacturers should conduct rigorous testing of their appliances for vulnerabilities, thus making sure that the devices aren’t sitting ducks for cyberattacks.

A few weeks ago, a different team of researchers identified and analysed security flaws in the firmware of several commercial internet-connected irrigation systems that could enable attackers to remotely turn watering systems on and off at will. The researchers warned of a potential attack that – using a “botnet” of internet-connected irrigation systems that water simultaneously – could impact a city’s water system to the point of actually draining its reserves.

TOMAS FOLTYN, SECURITY WRITER, ESET.
