1(630)802-8605 Ravi.das@bn-inc.net

In my podcast interviews, I have started to ask my guests what they think about the Internet of Things, or IoT for short. In fact, I think I have a show in which I will be interviewing a dedicated expert in this field, sometime in December. The reactions that I get when I ask this question are often mixed. But the common denominator in the end is that nobody really seems to be too excited about it.

Everybody has their reasons for this, but primarily from a Security standpoint, the IoT brings a lot of vulnerabilities with it. The main reason for this is that everything is connected together, and I mean everything from both the virtual and physical world. With this extra connectivity, the attack surface for the Cyber attacker also increases that much more.

Cyber security experts are especially worried about what this will mean for our Critical Infrastructure, when you take into consideration that household items such as air conditioners, heaters and washing machines could enable Cyber attackers to launch a large-scale, coordinated attack on the United States power grid.

Now there is even a new Cyber security threat to emerge from all of this, called the “Manipulation of Demand via IoT”, or “MadIoT” for short. In this kind of threat, botnets are used to covertly manipulate the demand for power, which could result in power outages, and even total blackouts for long periods of time. Not sure what a Botnet is? You can search for it here on this blog site, and podcast site, where I even interviewed an expert all about it.

It is important to note that this kind of Cyber attack will not affect the supply side of electric power, but rather the demand side for it. How is this possible? Well, the assumption is usually made in the energy industry that customers will typically follow the same pattern of behavior in terms of demand for power. Meaning, past usage is a fairly good indicator of present as well as future usage. And it is the demand side which contains the Critical Infrastructure Assets (such as the power lines and the power plants), not the supply side, which is often the common belief.

In turn, many of these assets have legacy Security systems built around them, which means that they can easily be hacked into by the Cyber attacker. Just one small attack here can have a cascading effect on the entire power system, which could be catastrophic at all levels. In fact, Cyber security researchers have even modeled three types of attack scenarios, which are as follows (these have been established by the Western System Coordinating Council (WSCC)):

* It would take about 90,000 air conditioners and 18,000 electric water heaters to disrupt the power demand in a large city, such as that of Chicago or NYC;

* Even just a slight increase in fake power demand can have a detrimental effect. For example, an increase of only 1% in demand would lead to a cascading shutdown of 263 line failures and outages for 86% of customers in a large city. In this particular instance, about 210,000 air conditioners would have to be impacted;

* In the worst-case scenario, a 5% increase in fake power demand during peak hours by a Cyber attacker will result in a 20% increase in the costs associated with power generation. This kind of Cyber attack would be used for financial gain rather than inflicting physical damage to Critical Infrastructure. In fact, this is very similar to the scenario when Cryptominers greatly escalated the cost of electric power, which resulted in an 18-month halt on any type or kind of Cryptomining activities.

My thoughts on this?

Household appliances are items that we take for granted every day. Even when I look at the microwave and oven set in my apartment, the thought of the IoT interconnectivity has never even entered my mind, until now.

It is not just one appliance that can do damage; many are needed, as was demonstrated in the above-mentioned attack scenarios. But keep in mind that it is not just the appliances that are the target of the Cyber attacker; rather, it is their connection to many other devices which is the ultimate target.

Even just one break in this linkage can leave the door open for the Cyber attacker to launch Malware which can literally spread like wildfire. But apart from this direct kind of threat, the Cyber attacker can also manipulate the demand for electricity, even spiking it to the point of total failure of the national power grid.

Or, just like the Cryptojackers, the Cyber attacker can hack into these appliances and anything that depends upon an electrical source in your home, and literally suck the power out of them, thus greatly driving up the cost of electricity not just for you, but for everybody else as well.

This is a prime example of how the Cyber attacker is shifting their tactics from the heyday of merely stealing passwords to now launching very sophisticated attacks for huge financial gains. Of course, given the fact that IoT will one day become the norm, the vendors of these appliances are now being hounded to increase the levels of Security in them.

But quite honestly, what can be done? I mean, I am looking at my kitchen now, and looking at the same oven and microwave. I have no idea as to how they can be further protected. It is also very important to keep in mind that the industrial controls used in manufacturing companies are also at grave risk in this regard. Just like the stove and microwave, there is really not much more you can do to protect them.

All of this was designed many years ago, when the thought of Cyber attacks was completely far-fetched and just a dream. Now, reality is starting to sink in. You cannot simply rip out the legacy Security systems that are already in place at these businesses and corporations; you have to add new layers of Security in order to fortify them even further. But you have to make sure that whatever is added will be interoperable with the legacy stuff that is already there.

Honestly, I really do love technology, but I am still old-fashioned in some ways at heart. I don’t like the idea of having an IoT in my home, much less the thought of having all of the electrical appliances which my wife and I have being connected to other appliances of other people that we do not even know of.

Finally, the study which detailed this new Cyber threat posed to the IoT can be seen here at this link:

https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-soltan.pdf

Believe it or not, there are some Security standards which have already been established for the IoT, and more details on them can be found at this link:

https://www.iotsecurityfoundation.org/best-practice-guidelines/