When power demand peaks—say, during a heat wave when millions of people crank on air conditioning—it’s common for utilities to ask customers to try to use power at different times of day to help prevent blackouts. They even can offer incentives to help manage the load. In California, for example, the utility PG&E suggests that customers program their laundry machines to run at night when they’ll put less strain on the grid, and offers a discount on electricity rates at less popular times. Those incentives can work. But a new study looks at how people with nefarious motives could use the same approach to deliberately cause blackouts.
Instead of encouraging customers to conserve energy when the grid is under strain, hackers could offer fake incentives that were timed specifically to take down the grid. “An adversary can tailor a disinformation message that looks like a legitimate message, albeit with some small details changed, from the power utility,” says Jimmy Chih-Hsien Peng, an electrical and computer engineering researcher at National University of Singapore and one of the authors of the paper. “It’s like trying to spot a fake [dollar bill] with an incorrect serial number. A consumer can easily assume this message is just another one of those usual messages sent by the utility, and be convinced. A utility usually sends these messages hours beforehand, so it is indeed possible for the disinformation to reach enough consumers, and synchronize their actions to cause a major disruption to the power grid.”
The study modeled a hypothetical scenario in London where attackers would contact owners of electric cars, who use relatively large amounts of electricity to charge their vehicles. By surveying more than 5,000 people to ask if they would take advantage of a particular offer (a 50% discount on their electricity rate between 8 p.m. and 10 p.m.) the researchers estimated how likely it was that EV owners would act on the fake messages. “Our surveys showed that people are willing to not only follow-through on such notifications, but also forward them to their friends, thereby amplifying the attack,” they write in the paper. If enough people respond, it could overload the grid and cause widespread blackouts. As EV ownership grows, the grid becomes more vulnerable, although the researchers found that if EV ownership grows beyond 20%, the grid will be better equipped to handle the charging.
It’s a type of attack that utilities may not have yet considered as a possibility. “Attacks on the power grid have always been a concern for governments, and the literature overwhelmingly focuses only on physical and cyber threats,” says lead author Guru Raghav. “We, however, focus on behavioral vulnerabilities that have not been considered previously, and cannot be mitigated by traditional cybersecurity solutions.”
Some utilities are beginning to test programs to charge electric cars automatically at the best time for the grid. But it’s likely that customers will still be able to override those programs if they want to charge at another time, making this kind of attack feasible.
It’s challenging, they say, for utilities to prevent something like this from happening, though the more the grid is updated to improve overall capacity, the more widespread blackouts could be avoided. “As we discuss in the paper, educating consumers about potential disinformation in the energy context could be one of the most foolproof ways to protect against this type of behavior manipulation attacks,” says Raghav. “However, we cannot assume that consumers will ever be fully immune to disinformation. Our models do show that the attack impact significantly depends on the overloading capacity of the power lines; this means that timely capacity upgrades of the grid assets, e.g., distribution lines and transformers, would be a proactive solution in mitigating the impact of such an attack and also in discouraging potential attackers.”