At the Black Hat security conference on Wednesday, the researchers will present their findings, which suggest that high-wattage IoT botnets—made up of power-guzzling devices like air conditioners, car chargers, and smart thermostats—could be deployed strategically to increase demand at certain times in any of the nine private energy markets around the US. A savvy attacker, they say, would be able to stealthily force price fluctuations in the service of profit, chaos, or both.
The researchers used real, publicly available data from the New York and California markets between May 2018 and May 2019 to study fluctuations in both the "day-ahead market" that forecasts demand and the "real-time market," in which buyers and sellers correct for forecasting errors and unpredictable events like natural disasters. By modeling how much power various hypothetical high-wattage IoT botnets could draw, and crunching the market data, the researchers devised two types of potential attacks that would alter energy pricing. They also figured out how far hackers would be able to push their attacks without the malicious activity raising red flags.