In 2020, we’re sadly used to hearing how disinformation campaigns are being waged to influence people’s thinking, spread fake news, and further political agendas But the same tactics aren’t solely a threat in terms of long-term social manipulation, scientists warn.
In a new study, researchers demonstrate that weaponised disinformation campaigns could also hypothetically be exploited to execute relatively immediate attacks on critical infrastructure – using coercive methods to manipulate citizens into unwittingly wreaking havoc on the places they live.
It sounds like pretty alarmist stuff, but such is the world we live in: The research is inspired by real events that have already happened.
“Despite high levels of security, human operators proved to be the weakest link during the Stuxnet attack on the Iranian nuclear program, unwittingly introducing malware into the facilities,” the authors, led by electrical engineer Gururaghav Raman from the National University of Singapore, explain in their new paper.
“Another attack of this kind that drew concern from governments worldwide was the Ukrainian power grid cyberattack of 2015. In this incident, attackers deliberately cut off the power supply for 230,000 residents for several hours using operator credentials harvested through one particular form of disinformation, namely, spear-phishing.”
But you wouldn’t necessarily have to leverage specialised workers in sensitive strategic facilities to pull off an attack on this kind of level, Raman and his team say.
With the right kind of social engineering methods, manipulating the masses themselves into perpetrating a critical infrastructure attack is something that could hypothetically be done today, without any physical intrusions of conventional cyber-attack techniques.
“The main contribution of this analysis is to assess whether an adversary could attack the power distribution system not by targeting its hardware or software infrastructure, but by focusing entirely on manipulating individual consumers’ behaviour,” the researchers explain.
In the study, the team simulated how Greater London might cope if a weaponised disinformation campaign were employed to entice enough citizens to alter their energy-usage patterns, such that London’s power grids would become overloaded, resulting in mass blackouts on a city scale.
In this very hypothetical experiment, the researchers modelled a scenario where the grid is heavily loaded to the point where power distribution lines can only sustain a small percentage increase in peak demand at a particular time.
Depending on how well the infrastructure is maintained (or not) in the future, the researchers say a small surge in electricity usage would likely only result in a small blackout affecting a minority of consumers.
In a worst-case scenario, though, if the grid isn’t updated and maintained for several years, even a small surge might be enough to bring the entire grid down, hypothetically.
How would such an attack work?
All it might take would be a fake electricity discount, offered to a small percentage of initial recipients. In the scenario, these people all receive an SMS alert saying they can enjoy a 50 percent discount off their electricity rate during the peak time of 8 pm to 10 pm, and encouraging them to spread the word.
The team says this disinformation could then propagate through social networks, and as more and more people become exposed to the message, more and more strain could be put – hypothetically, at least – on the power grid.
Based on an online survey of over 5,000 respondents – indicating how they might respond to the electricity discount, and whether they would forward it to family or friends – and a number of different propagation models, the researchers estimate that somewhere between 3.2 and 26.8 percent of people receiving the offer would ‘follow through’ to the disinformation, altering their behaviour because of their exposure to the message.
In some circumstances, that could be enough to bring down significant portions or all of a city’s power grid, the researchers say. Of course, there are numerous limitations to this kind of research, which the team acknowledges.
The survey responses they received are not necessarily indicative of how people would act in real life, and electricity systems in the real world are not as simplified as the team’s modelling suggests.
Nonetheless, it’s an inspired hypothesis, highlighting what could be dangerous but little-understood vulnerabilities stemming from the scourge of disinformation – a menace that doesn’t necessarily always crawl along slowly in the background, but could perhaps strike quickly.
“Our surveys showed that people are willing to not only follow-through on such notifications, but also forward them to their friends, thereby amplifying the attack,” the researchers write.
“We demonstrated that an adversary can cause blackouts on a city scale, not by tampering with the hardware or hacking into the control systems of the power grid, but rather by focusing entirely on behaviour manipulation.”
The findings are reported in PLOS One.