We have seen what insecure, poorly managed IoT fleets can do to the internet. In October 2016 a Mirai-based botnet composed of compromised cameras, routers and other consumer devices generated a DDoS wave that impacted major internet properties by overwhelming DNS infrastructure. That event is not a cautionary tale about websites alone. It is a blueprint for how low-cost, widely distributed devices can be turned into a weapon against physical infrastructure.
The threat vector I will lay out is straightforward. Attackers compromise large numbers of internet-connected, high-wattage loads and consumer energy devices: WiFi air conditioners, smart water heaters, EV chargers, and commercial HVAC systems. Those devices are attractive because many are reachable from the internet, they draw significant power on short notice, and their control interfaces are often weakly secured or unmanaged. Academics have modeled exactly this class of attack, called a load-altering attack or LAA, and shown that coordinated toggling of thousands to hundreds of thousands of such loads can produce dangerous frequency and voltage excursions in regional grids.
Scenario, step 1: Recon and compromise. The attacker assembles a botnet by scanning for exposed management ports and default credentials, by exploiting known firmware vulnerabilities, and by buying access to already-compromised devices on criminal markets. Mirai and its successors proved how quickly large pools of devices can be taken under control when basic hygiene is missing. The toolset for this step is low cost and well documented.
Scenario, step 2: Target selection. Rather than blind activation, the adversary focuses on topologically sensitive nodes in a regional transmission system: distribution feeders serving dense load pockets, substations with limited transfer capacity, or areas operating with low spinning inertia due to high renewable penetration. Research shows that spatial distribution matters: activating loads at certain buses produces far larger system stress than doing the same action evenly across a service area.
Scenario, step 3: Synchronized load manipulation. Using command and control infrastructure, the attacker flips thousands of high-wattage devices either on or off in concert. A coordinated mass switch-on can create sudden demand spikes that strain generation and transmission assets. Conversely, a mass switch-off can cause under-frequency events that lead to generator trips and under-voltage collapse. Both modes can trigger protective relays, isolation schemes, and cascading failures if margin and situational awareness are reduced. Simulation studies and mitigation research are explicit about these failure modes.
Scenario, step 4: Exploiting response fragility. Grid operators rely on frequency and voltage control systems that assume load and generation behave within predictable bounds. An attacker who times an LAA to exploit low-inertia conditions, or who coordinates with other disruptive actions such as targeted attacks on communications, can force emergency responses that isolate zones, trip lines, and create rolling outages or sustained blackouts. This is not science fiction. The academic record has repeatedly shown that LAAs can push realistic grid models into emergency states.
Why this matters now. The penetration of internet-managed loads is growing. Procurement and lifecycle practices for IoT devices remain uneven across public and private owners. Federal guidance exists on acquiring and handling IoT technology, but adoption across sectors is incomplete. The combination of legacy weak devices, fragmented ownership of distributed assets, and the technical feasibility of LAAs creates an asymmetric attack surface that can scale quickly and cheaply.
Operational implications for owners and operators. First, inventory and prioritize. You cannot protect what you do not know you have. Asset inventories must include IoT-managed loads at the distribution edge and third-party managed devices on customer premises that can be commanded remotely. Second, assume compromise and design to tolerate it. That means network segmentation, strict authentication, and rate-limiting controls between device management and grid control systems. Third, improve detection specifically for LAAs. Data-driven algorithms and physics-informed models can detect anomalous load patterns and identify compromised nodes faster than rule-of-thumb thresholds. Deploy these where they give the most operational leverage.
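One way to put the physics-informed detection described above into practice, as an added example that is not part of the original article: a trailing median/MAD outlier test on minute-to-minute feeder load ramps, where each flagged step is scored by the initial rate of change of frequency (ROCOF) it would cause under a simplified swing equation. The feeder series, the inertia constant, the generation base and the ROCOF limit are all constructed assumptions.

```python
"""Added example (not from the article): flag synchronized load steps on a
feeder and score each step with a simplified swing-equation frequency model.
All feeder data, inertia figures and thresholds are constructed assumptions."""
import random
from statistics import median

F0_HZ = 60.0        # nominal frequency (assumes a 60 Hz system)
H_SEC = 2.5         # aggregate inertia constant of a low-inertia area, s (assumption)
S_BASE_MW = 200.0   # online generation base for that area, MW (assumption)
ROCOF_LIMIT = 0.5   # Hz/s; illustrative relay/ride-through threshold (assumption)

def initial_rocof(delta_p_mw, h=H_SEC, s_base=S_BASE_MW, f0=F0_HZ):
    """Swing equation at t=0+: df/dt = -(dP / S_base) * f0 / (2H).
    A sudden load increase (positive delta_p) pulls frequency down."""
    return -(delta_p_mw / s_base) * f0 / (2.0 * h)

def detect_load_steps(load_mw, window=30, k=4.0, min_step_mw=2.0):
    """Return (index, step_mw, rocof_hz_s, severe) for minute-to-minute ramps
    that are outliers against a trailing median/MAD baseline AND exceed an
    absolute floor; a legitimate slow morning pickup stays under both."""
    alerts = []
    for i in range(window + 1, len(load_mw)):
        ramps = [load_mw[j] - load_mw[j - 1] for j in range(i - window, i)]
        med = median(ramps)
        mad = median([abs(r - med) for r in ramps]) or 1e-6
        step = load_mw[i] - load_mw[i - 1]
        if abs(step - med) > k * mad and abs(step) >= min_step_mw:
            rocof = initial_rocof(step)
            alerts.append((i, round(step, 2), round(rocof, 3), abs(rocof) > ROCOF_LIMIT))
    return alerts

def constructed_feeder_load(minutes=180, seed=7):
    """Constructed per-minute feeder load: 40 MW base, +/-0.5 MW noise, a slow
    +0.2 MW/min pickup from minute 40 to 80, then a +12 MW synchronized
    switch-on at minute 100 and a -6 MW switch-off at minute 130."""
    rng = random.Random(seed)
    load = []
    for i in range(minutes):
        mw = 40.0 + 0.2 * min(max(i - 40, 0), 40) + rng.uniform(-0.5, 0.5)
        if i >= 100:
            mw += 12.0
        if i >= 130:
            mw -= 6.0
        load.append(mw)
    return load

if __name__ == "__main__":
    for idx, step, rocof, severe in detect_load_steps(constructed_feeder_load()):
        print(f"minute {idx}: step {step:+.2f} MW, est. ROCOF {rocof:+.3f} Hz/s, "
              f"{'EXCEEDS' if severe else 'within'} {ROCOF_LIMIT} Hz/s limit")
```

The absolute floor (`min_step_mw`) is what keeps a gradual, legitimate pickup from tripping the statistical test; tune it to the feeder's real headroom and the inertia figures to the area's actual dispatch.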
Strategic recommendations. Short term: enforce basic IoT hygiene where you control procurement. Require unique credentials, automatic firmware updates or forced update windows, and network access controls on any device that touches critical processes. Tighten supply chain clauses in contracts to force vendors to meet baseline security. Medium term: implement operational changes in grid control to add resilience against fast, coordinated load swings. That includes fast frequency response resources, improved state estimation that accounts for distributed load manipulations, and contingency planning for LAAs. Longer term: regulate minimum security standards for high-wattage, internet-controllable devices and require manufacturers to bake in telemetry that enables attribution and remediation. CISA and NIST guidance on IoT acquisition provides a playbook; operators must move from guidance to enforceable procurement requirements.
What defenders often miss. They focus on perimeter defenses for SCADA and major control centers while neglecting the millions of endpoints at the customer edge. Attackers do not need privileged access to control centers if they can manipulate aggregate demand. Defense must be a combined program across utilities, vendors, regulators and consumers. Simple, low-cost mitigations on devices buy time and reduce the effectiveness of a mass LAA. Active coordination between utilities and national cyber agencies to share indicators of compromise can blunt the initial spread of a botnet.
Bottom line. A coordinated blackout driven by compromised IoT devices is a plausible, actionable threat. It is not the only threat vector for the grid, but it is one of the cheapest for an adversary to execute and one of the most disruptive if unmitigated. The technical community has produced models and mitigation concepts. The gap now is operational adoption and procurement discipline. If you run or regulate any part of the power system, treat IoT hygiene as mission critical infrastructure policy, not as an IT line-item. The next Mirai-style moment for the grid will not announce itself before it happens. Act now or accept that a cheap, distributed attack could become your worst day.