Hijacking internet-connected devices to provoke harmful oscillations in an electrical network: A feasibility assessment

Abstract

Internet-connected devices will represent an increasing proportion of the load served by electric power systems. As these devices could conceivably be hijacked and controlled remotely by a malicious actor, they could represent a new threat vector against the dynamic security of a power system. Such attack strategies have not been considered in the existing literature on power system cybersecurity. As an initial scoping exercise, the present case study explores whether such devices could be remotely hijacked and then maliciously power-cycled at particular frequencies to deliberately provoke harmful oscillations in an electrical grid. To gauge the broad feasibility of this novel style of attack, dynamic simulations are performed on two representative test power systems, at differing levels of attacker and defender resources. These simulations show that power-cycling just 1% of consumer loads at a system's resonant frequency may sometimes provoke harmful electromechanical oscillations throughout a national grid. This novel simulation exercise, therefore, implies that cybersecurity vulnerabilities at the consumer side could jeopardise the physical integrity of a nation's entire electricity supply.