
Did IoT cyberattacks cause NY power transformers to explode?

Jan 03, 2019 | 5 mins
Botnets, Critical Infrastructure, Internet of Things

MadIoT attacks cause blackouts with an IoT botnet of compromised appliances.

Officials blamed a power surge for the blackout on Dec. 28th that left LaGuardia airport in the dark for about 45 minutes, grounding flights. A look at the trend of power outages at American airports shows a disturbing pattern and possibly sinister cause.


Attacking an adversary’s infrastructure is asymmetrical warfare: it causes a lot of damage at very small cost. Cyberattacks are an ideal weapon because they disguise who might be behind them, making retaliation much harder. Attacks on the power supply of airports are especially devastating, as they ground flights, strand passengers and disrupt business nationwide. Just take a look at recent power outages:

The New York Times reported in March 2018 of possible Russian cyberattacks on US power plants. “Forensic analysis suggested that Russian spies were looking for inroads — although it was not clear whether the goal was to conduct espionage or sabotage, or to trigger an explosion of some kind.”

A Symantec report noted that a Russian hacking unit “appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems.”

BlackIoT: How to disrupt the power grid with an IoT appliance botnet

Princeton University researchers Saleh Soltan, Prateek Mittal, and H. Vincent Poor explained at the 27th USENIX Security Symposium how a botnet of high wattage appliances could do this. They explain how hackers could cause compromised appliances to turn on and off, creating an artificial demand for power, tripping generators and causing blackouts. What’s terrifying about this is that the attack vector is low-security home appliances rather than more secure power infrastructure.

Power grid operators typically assume that power demand is predictable: consumers collectively behave much as they did in the past under similar conditions. With the proliferation of IoT devices and their poor security, however, this is no longer a safe assumption. An IoT botnet of high wattage devices (such as air conditioners and heaters) lets adversaries launch large-scale coordinated attacks on the power grid. Such Manipulation of Demand via IoT (MadIoT) attacks use botnets to manipulate the power demand in the grid.

Many of these devices are controlled with mobile apps and home assistants such as Amazon Echo or Google Home. By compromising these home assistants, hackers can manipulate the power demand and cause large-scale blackouts. MadIoT attacks manipulate power loads generated by devices that are far less well protected than the power grid’s Supervisory Control and Data Acquisition (SCADA) system.

Even a small increase in demand may result in line overloads and failures, and these initial line failures may in turn trigger further line failures, which is called a cascading failure. An abrupt increase or decrease in demand, produced by simultaneously switching many high wattage IoT devices on or off, creates an imbalance between supply and demand. That imbalance instantly causes a sudden drop in the system’s frequency. If the imbalance exceeds the system’s threshold, generators trip, which can cause a large-scale blackout.

IoT security standards

The Princeton research paper explains that MadIoT attacks are hard to protect against because:

  1. The power grid operator only sees demand in aggregate from millions of users. This makes it hard to detect and disconnect the compromised appliances that are causing the artificial demand.
  2. An adversary can easily repeat the attack when the power is restarted. This could cause persistent blackouts.
  3. MadIoT is a ‘black box’ attack where detailed knowledge of a power grid isn’t needed. Just faking the demand is enough to cause overload situations.
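The first point above is the defender's core problem: the operator sees only aggregate demand, so the compromised appliances cannot be identified individually. What the operator can see is that legitimate demand ramps gradually while a synchronized switch-on or switch-off of many high wattage devices shows up as a step far outside the normal ramp envelope. The following Python script is an added illustration of that detection idea; it is not from the Princeton paper or any grid operator's tooling. The demand series, the 5-second sampling interval, the 1,500 MW step size and the z-score threshold are all constructed assumptions.

```python
"""Step-change detector for aggregate grid demand (constructed example).

The grid operator sees demand only in aggregate, so it cannot single out
compromised appliances. It can, however, compare each ramp (MW change between
consecutive readings) against the ramps seen over a recent baseline window and
flag ones that are wildly out of line, which is what a synchronized on/off of
many high wattage devices produces.
"""
import math
from statistics import median

SAMPLE_SECONDS = 5  # assumption: one aggregate MW reading every 5 seconds


def ramp_rates(demand_mw):
    """MW change between consecutive readings (positive = demand rising)."""
    return [later - earlier for earlier, later in zip(demand_mw, demand_mw[1:])]


def robust_z(value, window):
    """Z-score built from median and MAD rather than mean and std-dev, so one
    earlier spike inside the baseline window does not inflate the scale and
    mask the matching switch-off spike a little later."""
    med = median(window)
    mad = median(abs(v - med) for v in window) or 1e-6  # guard a flat window
    return (value - med) / (1.4826 * mad)  # 1.4826 scales MAD to a std-dev


def flag_demand_steps(demand_mw, baseline_samples=120, z_threshold=8.0):
    """Return [(sample_index, delta_mw, z)] for readings whose ramp is far
    outside the ramps observed over the preceding baseline window."""
    rates = ramp_rates(demand_mw)
    alerts = []
    for i in range(baseline_samples, len(rates)):
        z = robust_z(rates[i], rates[i - baseline_samples:i])
        if abs(z) >= z_threshold:
            alerts.append((i + 1, round(rates[i], 1), round(z, 1)))
    return alerts


def constructed_demand(samples=600, step_mw=1500.0, on_at=200, off_at=300):
    """Constructed series: ~10 GW base load with a slow morning ramp and a
    small periodic wobble, plus a synchronized step up at `on_at` and the
    matching step down at `off_at` (the switch-on / switch-off pattern)."""
    series = []
    for t in range(samples):
        base = 10_000.0 + 0.5 * t + 3.0 * math.sin(1.3 * t)
        if on_at <= t < off_at:
            base += step_mw
        series.append(base)
    return series


if __name__ == "__main__":
    for idx, delta, z in flag_demand_steps(constructed_demand()):
        print(f"t={idx * SAMPLE_SECONDS:>5}s  demand step {delta:+.0f} MW  (z={z})")
```

Run stand-alone, the script reports exactly two alerts, at the synchronized switch-on and the switch-off, while the normal ramp and wobble stay well below the threshold. The robust (median/MAD) baseline is the design choice that matters: with a mean/std-dev baseline, the first spike would enter the window and enlarge the scale enough to make the second one look ordinary.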

One would expect the government to act quickly on IoT security guidelines in the face of such persistent and devastating cyberattacks. That isn’t the case. Matt Leonard reports in FCW how “Senators Mark Warner and Cory Gardner introduced the Internet of Things Cybersecurity Improvement Act of 2017. The bill prohibits agencies from acquiring IoT devices and sensors that aren’t patchable and that don’t have changeable passwords. So far, the bill hasn’t received a hearing or a vote in the Senate Homeland Security and Government Affairs Committee, which has jurisdiction over federal procurement and cybersecurity”.

The security recommendations from the IoT Security Foundation are a good framework for such guidelines. They advocate hub-based security, which accounts for new IoT devices being installed. “The Hub device acts as a central point for trust and IoT environment management. It also makes use of existing security features – such as update mechanisms – and adds an additional layer of security to the IoT environment – such as traffic monitoring and lifecycle management. The Hub device achieves this by communicating with network elements such as routers, protocol bridges and IoT devices, aggregating information to offer support to home IoT administrators. It may also act as a gateway, enabling information sharing between the home IoT environment and other networks or entities, such as the IoT solution provider”.

This would potentially protect high wattage devices from being compromised by hackers to manipulate power demands and cause blackouts.
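The quote above describes the hub as a gateway that sees the traffic to each appliance. The following Python sketch is an added example of what that position makes possible; it is an assumed design, not the IoT Security Foundation's own specification or any vendor's product. It assumes the hub can tell locally issued commands (a wall switch or an app on the home network) from remote ones (cloud or home-assistant API), and that every on/off command for a high wattage device passes through it. Remote commands for high wattage devices are delayed by a short random jitter, which the homeowner does not notice, and a burst of such commands inside one home is logged for the administrator. The 1,000 W threshold, the 2-minute jitter span and the burst parameters are constructed assumptions. The `peak_step_kw` helper goes beyond a single home: it shows how the per-hub jitter, applied across many homes, turns a synchronized step into a ramp.

```python
"""Hub-side jitter and burst logging for high wattage commands (constructed
example, assumed design).

A home hub in the gateway role sees every command bound for an appliance.
Local commands run at once. Remote commands for high wattage devices are
executed after a short random delay and a burst of them is logged. The jitter
is invisible to one homeowner, but across many homes it flattens the
synchronized demand step that a MadIoT botnet relies on.
"""
from collections import Counter
from dataclasses import dataclass, field
import random

HIGH_WATTAGE_W = 1000      # assumption: devices at or above 1 kW count as high wattage
REMOTE_JITTER_S = 120.0    # assumption: remote commands are spread over <= 2 minutes
BURST_WINDOW_S = 10.0      # assumption: same-direction commands within 10 s form a burst
BURST_DEVICES = 3          # assumption: 3+ such commands in one home is worth logging


@dataclass
class Command:
    t: float        # seconds since hub start
    device: str
    watts: int
    action: str     # "on" or "off"
    origin: str     # "local" (wall switch, LAN app) or "remote" (cloud, assistant API)


@dataclass
class Hub:
    rng: random.Random = field(default_factory=lambda: random.Random(42))
    recent: list = field(default_factory=list)   # recent remote high wattage commands
    alerts: list = field(default_factory=list)   # (time, action, devices) bursts seen

    def schedule(self, cmd):
        """Return the time at which the hub actually executes `cmd`."""
        if cmd.origin == "local" or cmd.watts < HIGH_WATTAGE_W:
            return cmd.t
        # keep only same-direction commands that fall inside the burst window
        self.recent = [c for c in self.recent
                       if c.action == cmd.action and cmd.t - c.t <= BURST_WINDOW_S]
        self.recent.append(cmd)
        if len(self.recent) >= BURST_DEVICES:
            self.alerts.append((cmd.t, cmd.action, [c.device for c in self.recent]))
        return cmd.t + self.rng.uniform(0.0, REMOTE_JITTER_S)


def peak_step_kw(hub_count, watts, bin_seconds=5, jitter=True, seed=1):
    """Largest load change landing in any `bin_seconds` bin when `hub_count`
    homes all receive the same remote 'on' command at t=0 for a `watts`
    device. With jitter=False every home switches in the first bin."""
    bins = Counter()
    for i in range(hub_count):
        cmd = Command(0.0, "heater", watts, "on", "remote")
        t_exec = Hub(rng=random.Random(seed + i)).schedule(cmd) if jitter else cmd.t
        bins[int(t_exec // bin_seconds)] += watts
    return max(bins.values()) / 1000.0


if __name__ == "__main__":
    print("1000 homes, 1.5 kW each, no hub jitter: peak 5 s step",
          peak_step_kw(1000, 1500, jitter=False), "kW")
    print("1000 homes, 1.5 kW each, with hub jitter: peak 5 s step",
          peak_step_kw(1000, 1500), "kW")
```

Without the hub, 1,000 homes acting on the same remote command add 1.5 MW to the grid inside a single 5-second interval; with the jitter the same load arrives as a ramp spread over two minutes, a small fraction of that per interval, which is the kind of ramp the grid's governors are built to follow. The burst log gives the home administrator the per-home visibility that the grid operator, who sees only the aggregate, lacks.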

So, bringing down our essential electric grid may be made easier with all of our new interconnected devices. That’s how asymmetrical warfare works in the first place.


Deepak Puri is an IoT expert and the cofounder of DemLabs, a SF-based non-profit hub for technology innovation in support of democracy. Formerly he held executive positions at Oracle, Netscape and VMware.

The opinions expressed in this blog are those of Deepak Puri and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.