Hacking A/C Systems Remotely a Threat to the Grid
Warning over remote manipulation of office a/c systems to create a demand surge and grid shutdown
According to WIRED magazine, researchers have highlighted the issue of remotely manipulating home and office air conditioners to create a surge and ultimately take down the power grid.
The hack targets remote shut-off devices that utility companies install on air conditioners to conserve energy during peak summer periods.
Many power companies offer discounts to customers if they agree to install the devices, which let the utility company remotely turn off their air conditioner when it’s hot outside and demand for power is high.
The devices, which can be installed on both central air conditioning systems and window-installed units, can be easily manipulated by hackers, say Vasilios Hioureas of Kaspersky Lab and Thomas Kinsey of Exigent Systems, who conducted their research as part of the Securing Smart Cities initiative.
The two presented their findings at the Kaspersky Security Analyst Summit.
The way the system works is that operators at regional power centers send a command via radio frequency that gets amplified through repeater stations installed throughout a city to reach the devices and shut down air conditioners.
But because the systems Hioureas and Kinsey examined don’t encrypt that communication and don’t use authentication to prevent unauthorized parties or systems from communicating with them, anyone in the vicinity who can emit a stronger signal than the one the utility company sends out through the repeater stations can manipulate the devices as well.
“Anyone with $50 can generate a signal that can trump a repeater [to take out a few air conditioners]; and anyone with $150 can generate that through an [amplifier] and presumably take out a whole neighborhood,” said Kinsey.
“And obviously you can scale that up as much as you want to [depending on the strength of your signal].”
A hacker could directly attack a group of homes or offices by taking advantage of the fact that unique IDs are assigned to groups of devices, allowing them to be singled out.
A hacker could cut air conditioners during a heatwave — creating a potentially fatal condition for the elderly and sick — or turn air conditioners on during peak energy periods, causing a surge that creates a widespread blackout.
According to another researcher, the hack could be even worse. If an attacker were to turn the air conditioners on and off repeatedly, they could create disturbances and imbalances in the grid that could trip breakers beyond the neighborhood they’re targeting and cause an even more widespread blackout.
“This is bad, and that’s why we need better security so that we don’t have the ability to manipulate the load,” said Eric Johansson, founder of Management Doctors, a security firm in Sweden that specializes in supervisory control and data acquisition (SCADA). “You shouldn’t be able to do this.”
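The weakness described above is that the load-control devices accept any command they hear, so the strongest transmitter wins. The following sketch is an added illustration, not code from the researchers or from any utility product. It shows a receiver that acts only on commands carrying a valid message authentication code and a fresh counter. The frame layout, field sizes, key handling and names are all assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Hypothetical frame layout (an assumption, not a real product's format):
# group_id (2 bytes) | action (1 byte) | counter (4 bytes) | tag (16 bytes)
HEADER = struct.Struct(">HBI")
TAG_LEN = 16
ACTIONS = {0: "shed", 1: "restore"}


def _tag(key: bytes, header: bytes) -> bytes:
    """Truncated HMAC-SHA256 over the command header."""
    return hmac.new(key, header, hashlib.sha256).digest()[:TAG_LEN]


def build_frame(key: bytes, group_id: int, action: int, counter: int) -> bytes:
    """Utility side: serialize a command and append its authentication tag."""
    header = HEADER.pack(group_id, action, counter)
    return header + _tag(key, header)


class Receiver:
    """Device side: accept a command only if it is authentic and fresh."""

    def __init__(self, key: bytes, group_id: int):
        self.key = key
        self.group_id = group_id
        self.last_counter = 0  # highest counter accepted so far

    def handle(self, frame: bytes):
        """Return the action name if the frame is accepted, otherwise None."""
        if len(frame) != HEADER.size + TAG_LEN:
            return None
        header, tag = frame[:HEADER.size], frame[HEADER.size:]
        # Constant-time comparison; a louder signal without the key fails here.
        if not hmac.compare_digest(tag, _tag(self.key, header)):
            return None
        group_id, action, counter = HEADER.unpack(header)
        if group_id != self.group_id or action not in ACTIONS:
            return None
        # Reject recorded-and-retransmitted frames.
        if counter <= self.last_counter:
            return None
        self.last_counter = counter
        return ACTIONS[action]
```

A key shared across a device group means that extracting it from one unit exposes the whole group, so a real deployment would also need per-device keys or asymmetric signatures and a way to rotate them.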
Content for the European Spotlight is provided courtesy of Refrigeration and Air Conditioning Magazine, London. For more information, visit www.racplus.com.
Publication date: 12/5/2016