Get all the news you need about Smart Buildings with the Memoori newsletter

Which research categories are you interested in?

“We’ve all seen the headlines: A major cyber attack on the US electric grid could cause over $1 trillion in economic impact,” says Yotam Gutman, VP Marketing at SecuriThings. “Nevertheless. to date, there have been no recorded cyber attacks on power facilities that have caused a major physical catastrophe or long blackout,” he points out.

The absence of catastrophic cyber attacks on our power systems is, of course, a good thing but it raises certain questions, namely – why hasn’t it happened yet?

Maybe no one is attacking. Not according to Energy Secretary Rick Perry, who officially states that these cyberattacks are “literally happening hundreds of thousands of times a day.” While an alert issued by the Department of Homeland Security and the FBI, states that “since at least March 2016, Russian government cyber actors targeted government entities and multiple US critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.”

Based on this we might be led to believe that our cyber security measures are simply up to the challenge. Not according to news agency GovTech, who suggests the fact we haven’t had a successful attack is more about luck than prevention. “CEOs, CIOs, and CISOs pay billions for cybersecurity solutions only to discover that, at best, these technologies solely help in gathering information after an attack rather than stopping the attack from occurring,” the agency said. The approach has even widely become known as “patch and pray.”

Putting aside theories of state issued fear mongering or some form of dependable luck, we are left with a puzzling situation. We’ve had ransomware attacks which have brought down telecom and healthcare systems, numerous data breaches that have given up the personal data of millions of people, even DDoS attacks that have taken some of the world’s biggest websites offline. Successful cyber attacks have become commonplace in our highly-connected digital society, so why have we not seen a catastrophic cyber attack on our power system yet?

The reason, according to Gutman, starts with the fact that power stations are physically secured from cyber attack, “they are generally not connected to outside networks, and they often use robust industrial protocols,” he says. “In recent times, power stations have also enjoyed large security upgrades that will continue to make hacking into them harder than it seems.”

Power stations are only one part of our energy system however, and while they might be relatively secure, the same cannot be said for our sprawling and increasingly connected grid. A cyber attack on Ukraine’s power grid in December 2016 plunged the northern part of the capital, Kiev, into darkness. This attack followed a similar one in December 2015, “it was the first attack in the energy sector,” said Michael John, director at the European Network for Cyber Security, a non-government group that focuses on the safety of Europe’s grids and infrastructure. “It demonstrated it is possible.”

Gutman acknowledges the vulnerabilities of the grid but his greater concerns lie elsewhere. “Lately, another element has entered the equation – that of consumption and its potential manipulation. IoT devices are being rapidly adopted and used everywhere by consumers, enterprises and governments. What if, instead of trying to hack a power plant, a nation-state hacked millions of smart devices connected to a power supply, and used them to manipulate the grid?” he asks.

Gutman is referring to two types of attack using connected devices. The first is what you might expect, gaining access to and switching on a huge number of devices at the same time to overwhelm the grid and cause a blackout. Such an attack would have some disruptive and financial implications, especially if used at crucial moments, but more than anything else it would be a statement and a show of force to its victims.

The second form of attack is much more sinister, less detectable and potentially much more impactful. In a society where connected devices become widely adopted, by hacking a huge number of devices attackers could increase the energy consumption of each device very slightly or in a way that is hidden to the users and the grid.

In doing so, the overall energy consumption of a city, region or entire country could be raised undetected for months or years. This would increase the financial burden on the economy from energy, slowly draining that economy over longer terms. This would not be a show of force but rather an attack designed to truly create economic suffering.

Approximately one quarter of all residential energy consumption today comes from devices sitting unused in an idle power mode. In the US that is equivalent to 50 large power plants’ worth of electricity and is estimated to cost bill payers more than $19 billion every year. The environmental cost is also hugely significant, an estimated 10% of carbon dioxide emissions in the US are said to be a direct result of these idle devices. These figures not only underline the impact that small power consumption increases of large numbers of individual devices can have on an economy but also highlight how such consumption increases may go unnoticed.

In fact, such a strategy may already be in motion today, albeit limited by the number of connected devices available, which is already quite significant. IHS forecasts that the IoT market will grow from an installed base of 15.4 billion devices in 2015 to 30.7 billion devices in 2020 and 75.4 billion in 2025. A 1% increase in energy consumption from even half these devices would represent an economy strangling strain on any country. Detection may be near impossible with our current approach to IoT cyber security, and the potential problem will only get more severe as we push towards our connected future.

“As the grid becomes “smarter” and our homes more connected, it is imperative that we employ robust security mechanisms,” says Gutman. “Not just for power generation, but for the entire supply chain in order to maintain a predictable, secured economy.”