DOI: 10.1145/3460120.3484581

MaMIoT: Manipulation of Energy Market Leveraging High Wattage IoT Botnets

Published: 13 November 2021

Abstract

If a trader could predict price changes in the stock market better than other traders, she would make a fortune. Similarly in the electricity market, a trader that could predict changes in the electricity load, and thus electricity prices, would be able to make large profits. Predicting price changes in the electricity market better than other market participants is hard, but in this paper, we show that attackers can manipulate the electricity prices in small but predictable ways, giving them a competitive advantage in the market.
Our attack is possible when the adversary controls a botnet of high wattage devices, such as air conditioning units, which are able to abruptly change the total demand of the power grid. Such attacks are called Manipulation of Demand via IoT (MaDIoT) attacks. In this paper, we present a new variant of MaDIoT and name it Manipulation of Market via IoT (MaMIoT). MaMIoT is the first energy market manipulation cyberattack that leverages high wattage IoT botnets to slightly change the total demand of the power grid, with the aim of affecting electricity prices in favor of specific market players. Using real-world data obtained from two major energy markets, we show that MaMIoT can significantly increase the profit of particular market players or financially damage a group of players, depending on the motivation of the attacker.


Published In

CCS '21: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
November 2021
3558 pages
ISBN:9781450384544
DOI:10.1145/3460120
Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. electricity market manipulation
  2. financial profit/damage
  3. high wattage iot botnet

Qualifiers

  • Research-article

Conference

CCS '21
CCS '21: 2021 ACM SIGSAC Conference on Computer and Communications Security
November 15 - 19, 2021
Virtual Event, Republic of Korea

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%
