Hackers could knock out electricity with net-connected devices, utility group warns

21 April 2017. By Magnus Franklin.

A hacking attack on Internet-connected household appliances could send a devastating demand surge through power grids and knock out electricity for days or even weeks, says a trade association for critical-infrastructure providers.

The upshot would be "panic" and "public disorder," as cash machines shut down and mobile networks fail, says Duncan Botting of the European Utilities Telecom Council, which lobbies for the communication needs of utilities.

"Anarchy is six to 18 hours away, if you lose critical services," warns Botting, the director of the EUTC.

The vulnerability of networks is becoming increasingly clear as equipment ranging from refrigerators to automated factories joins the "Internet of Things," a catchall term for machine-to-machine communications. At a time when cyberattacks have already hijacked webcams to shut down Internet servers, policymakers are engaged in heated debates on how to protect IoT devices from such assaults.

'At the forefront'

"Electricity is going to be at the forefront of everyone's ability to do anything" once sensors and connected devices become pervasive, the EUTC's Botting told a conference* in Brussels this week.

Many IoT devices are "an integral part of the power system," he said. "If someone took control of that load in a way for which it was not designed," the electricity network would "sit down," he said.

Getting the grid up and running again would take five to seven days, he said, comparing the situation to a week-long blackout caused by a flood at a power substation.

Speaking on the sidelines of the conference, Botting described how a hacking attack might affect heat pumps, which are used to transfer energy to warm or cool buildings.

"A heat pump uses, what, three kilowatts," he said. That's about the same amount of power used in a hot-water kettle.

If tens of thousands of Internet-connected heat pumps were hijacked and turned on at the same time, a surge in power demand could knock out the grid, he said. Any device that consumes power from the mains could pose a threat, if coordinated in sufficient numbers, Botting said.

Cost versus security

Security always comes at a cost, and the challenge will be to make connected devices hacker-proof without making them unaffordable.

Leading figures in the technology industry have suggested that security requirements should be split into categories. A nuclear power plant would obviously need more protection than sensors that detect when it's dark and switch on street lamps. A household thermostat connected to a smart meter would have different security and privacy implications than sensors telling a factory manager when a robot needs maintenance.

But Botting's comments suggest that the boundary between these categories could prove fluid. It might be necessary to consider this complexity, particularly when designing energy systems.

The European Commission is set to unveil principles for how to approach IoT security as part of a broader cybersecurity strategy in September.

The EU has already adopted new cybersecurity rules that impose new obligations on power utilities and other "critical infrastructure" operators, requiring them to alert authorities to incidents ranging from natural disasters to targeted attacks.

These initiatives all have an important part to play in keeping doomsday scenarios from becoming a reality, Botting suggested.

* "Eighth Annual Internet of Things European Summit," Forum Europe, Brussels, April 19 and 20, 2017