In the Fall of 2016, a massive cyberattack took down large parts of the Internet, including major websites like Twitter, Netflix and Amazon, in the largest attack of its kind in history.

Unlike your run-of-the-mill cyberattack which uses personal computers or mobile phones, though, hackers in this case used millions of Internet-connected devices like printers, webcams, routers, security cameras and baby monitors to launch the attack.

Adam Hahn, an assistant professor in the School of Electrical Engineering and Computer Science at Washington State University, along with graduate student David Jonathan Sebastian-Cardenas, recently analyzed the threat that Internet-connected devices pose to a system that’s much more critical than a social media website: the national electric power grid.

Hahn and Sebastian-Cardenas modeled the threat posed by “smart devices” and “smart homes” connected to the Internet, which could be used by hackers to control and damage the power grid. They presented their work recently at the 2019 Northwest Cybersecurity Symposium.

There has been unprecedented growth in Internet of Things (IoT) technologies over the last decade. They’re used in an increasing array of devices from medical equipment to voice assistants to cars and homes.

“Inverters, thermostats, air conditioners, even toasters are now being connected to the Internet,” said Hahn. Smart buildings and smart homes can remotely control climate by sensing occupancy, external weather, and peoples’ comfort levels — all over the Internet.

This means that attackers could threaten operations of power grids by injecting malicious code into such devices, creating a huge change in their power demand, leading to load shocks and blackouts.

Sebastian-Cardenas and Hahn used real world usage and adoption information (from government databases) to simulate such attacks and see how they would impact power grids.

“Based on our research, we found that the future-growth of large-load controllers and smart inverters could pose a major threat to grid operations due to their rapid load changing capabilities,” said Sebastian-Cardenas.

While the researchers found that the chance of a debilitating attack was currently not high given the relatively low penetration of IoT technology today, the fast proliferation of these devices is worrying from a grid security point of view.

“Previous research on this topic mainly focused on power systems owned, maintained, and operated by utilities,” said Hahn. There was a need for modeling a power grid in a situation where there is increasing usage of IoT devices across a wide service area with a lack of supervised security policies, he added.

There is currently no regulation on how and what kind of devices are being sold. “The danger with smart devices is that anybody can install any device without the utility being aware” he said.

This adds to the risk of an attack in devices with poor security mechanisms.

“Utilities should require their users to install devices that satisfy a minimal set of security policies that prevent a large-scale attack on the power grid,” said Sebastian-Cardenas.

The threat is compounded when a single vendor supplies the majority of smart home devices, according to Hahn. When a large number of such devices are connected to servers in a central location, those servers can be attacked and used to take control of all the devices in one go.

For this reason, the researchers recommend that utilities work with governments to create policies that promote market diversity and limit the number of devices controlled by a single entity.

Other strategies to reduce the threat include creating risk-analysis frameworks and installing fail-safe modes in smart devices.

“For instance, in an air conditioner, you might want it to sense the physical world before allowing out of range values, or add delays to prevent instant load changes,” said Sebastian-Cardenas.

“We need to start preparing now as a nation to face this issue before it becomes a major threat,” said Hahn. “The risk landscape is always changing and we need to be on top of it.”

The work is part of a U.S. – India five-year project to help advance the development of the electric power grid, funded by the U.S. Department of Energy (DOE) and the Indian Ministry of Science and Technology.

WSU is the lead partner in the United States for this $30 million project which also includes institutions like MIT, Lawrence Berkeley National Lab and Texas A&M University.