Hackers could exploit solar power equipment flaws to cripple green grids, claims researcher

A Dutch researcher says he found a way to cause mischief on power grids by exploiting software bugs in solar power systems. Specifically, Willem Westerhof, a cybersecurity researcher at ITsec, said he uncovered worrying flaws within power inverters – the electrical gear that turns direct current from solar panels into alternating …

  1. Stu 18

    Widespread problem

    It is not just the solar industry with this issue, I think you could call it modern 'fast / first to market' strategy and if it's not 'instant' it must be old technology / old hat. The google effect or the egotism of 'the new way'.

    The difference is instead of testing and proving we've got release now and fix later. We won't need EMP to wipe out society, just a Friday afternoon cockup.

    1. John Gamble

      Re: Widespread problem

      Yes. The fact that the issues have been seen many times before (TELNET, default passwords, not using https, etc.), issues that even those of us not in security recognize and (one hopes) avoid, shows that we're basically seeing a "copy, paste, and minimally edit" style of so-called programming.

      Somehow it needs to be communicated to management that test suites must be installed along with the purchased (or freely downloaded) libraries, and security tests must be included.

      1. John Smith 19 Gold badge
        Unhappy

        "basically seeing a "copy, paste, and minimally edit" style of so-called programming."

        Indeed it looks like this "written" by some representatives of the "code-monkeys-R-us" school.

        The Linux Foundation has put out some reference implementations for industrial IoT, which this is.

        I don't know if it's better, but can it be much worse?

        1. Fatman
          Joke

          Re: "basically seeing a "copy, paste, and minimally edit" style of so-called programming."

          Those code monkeys that Microsoft have sent packing have to work somewhere!!!!!!

    2. Lysenko

      Re: Widespread problem

      There's nothing modern about the lack of/weak security: all the ModBus/TIA485 industrial control stuff out there has always been like this. What is (relatively) new is the obsession with giving everything an IP interface and then slapping it onto an Internet facing LAN. I have quite a lot of power equipment like this but it is all networked over ModBus or CANBus so the only way a miscreant is going to get to it is by getting remote access to the control unit, running Debian (and if they get that far I have much bigger problems).

      Of course, hardening devices by making remote access virtually impossible is verboten in our brave new cloudy world so if you want robust security you'll probably end up having to build it yourself.

      1. Pascal Monett Silver badge
        Trollface

        Re: you'll probably end up having to build it yourself

        I am building it myself.

        Starting with a moat. I am in negotiations for some grizzlies, but there are authorization issues.

        Movement detectors are not a problem, of course, but the permits for the gatling guns on the corner towers are - you wouldn't believe the conversations I've had on the phone. Some functionary actually had the gall to tell me it was illegal !

  2. Chris G

    Vulnerabilities

    It looks as though many of the most serious vulnerabilities lie with the regulators, vendors and users; the software problems are bad enough if discovered and exploited, but the likelihood of that happening increases when everyone wants to pass the buck and do nothing.

  3. Anonymous Coward
    Anonymous Coward

    Nothing new under the sun.

    see title

  4. TheElder

    My inverter

    My solar power inverter is directly connected to the internet of no thing.

    1. John Smith 19 Gold badge
      Unhappy

      "My solar power inverter is directly connected to the internet of no thing."

      However in Europe there are companies who install PV arrays on the roofs of businesses on a shared profits basis, usually with some sort of govt deal to pick up part of the install costs.

      You can bet all of those are remote monitored through the cheapest available data channel.

      Guess what that is.

      1. Anonymous Coward
        Anonymous Coward

        Re: "My solar power inverter is directly connected to the internet of no thing."

        You can bet all of those are remote monitored through the cheapest available data channel.

        Remote metering of distributed assets is normal, but the meter is (for both technical and legal reasons) a separate piece of kit to the switching and inverter. There are some meters (eg UK "smart" meters) that have switching capability, but that's a different kettle of fish. In practical terms, you could cause a minor bureaucratic mess by screwing the data feeds, but it wouldn't be a grid problem, and most of those sites wouldn't have remote disconnection via the data feed.

        For larger commercial sites there is often that capability, eg to work alongside battery storage and optimise export power prices, or to switch between on-site, private wire and grid export, but the threat there is the same SCADA security debate as we have on all infrastructure. In practice, it appears that threat is persistently over-stated, despite its theoretical potential.

  5. Yet Another Anonymous coward Silver badge

    Solar Eclipse

    Was able to cause widespread blackouts of solar power.

    It's all very well being able to predict them - but what is being done to stop them?

    1. Solarflare

      Re: Solar Eclipse

      Obligatory XKCD

  6. TheElder

    but what is being done to stop them?

    Move to Mars.

  7. whoseyourdaddy

    After the fake energy crisis of 2000, hung an SMA Sunnyboy in the garage.

    Interesting that you had to buy a small adaptor to add RS422 to it. But, it was a well-constructed box..

    ..with the world's most complex solar-farm-grade protocol stack. So yeah. This happens when most people want nothing more than a simple copy of the two-line dot-matrix text display. At a nice 9600 baud rate.

    Instead I needed a friggin' Vulcan mind-meld (beaglebone) to translate.

    I'll open it up and "patch" the EPROM chips sometime after the house falls down.

  8. Potemkine! Silver badge

    Lack of competence

    Most installers are electricians, and know nada in IT, and less than nada in IT security... Many industrial installations do use the default passwords because of this lack of knowledge. Awareness and questioning should be basic attitudes for anyone working with something connected to something else.

    1. Anonymous Coward
      Anonymous Coward

      Re: Lack of competence

      Well, installers install. It really isn't a credible expectation that they should become ITSec configuration experts, and for smaller installations you can't expect that one should be brought along as another expensive body visiting the site.

      As it happens, the grid can manage reasonably well (sailing close to the wind, I assure you) with the intermittency of renewables, so some artificial intermittency of hacked inverters on these devices would not actually do too much. There are plenty of systems in place for bringing in thermal plant to back up loss of renewables (remember that on solar you have this on a daily basis even before weather fluctuations). As for "flooding the grid with power", there's already some local saturation problems (eg SW England on a sunny weekend), but the grid operators have "constraint" systems to cut off excess supply. So all in all a bit of a nothing problem, for now.

      However, in the longer term, with much higher levels of battery storage and electric vehicles, hacked control systems could become a problem. Due to network and generation constraints, these future loads will have to be centrally managed. And that means there is the potential to maliciously connect additional demand load to the network, far beyond the capabilities of generation - hack the central despatch system for a modest EV fleet of 200,000 cars (less than 1% of the total UK car fleet), even on 13 amp slow charging, and that would throw an instantaneous spike of 600 MW at the grid. Coping with that without notice at a bad time would be a real problem, but if the cars were on fast chargers, or the fleet bigger, then the problem becomes much, much worse. Bear in mind that the real threat here is not so much the casual cyber-vandal, or even ransomware scum, but well resourced nation-state grade actors, able to bide their time, build specific tools, use hoarded zero day flaws, test all of the "old tech" of phishing, SQL injection, bribery and coercion, attacks via trusted party systems etc. These people would choose their timing carefully.

      In the UK context, for those who trust government, recent consultations on the future energy system and electric vehicles have had specific mention of the issue of IT security. But having been part of those consultations, I'm pretty sure that no proper ITSec expertise has been brought to bear. The emerging demand aggregation systems that are the focus of this threat are either from large "can't happen here, we know best" energy industry dinosaurs, or from cash strapped, private equity funded startups where everything is about getting basic functionality out of the door ASAP, and immediate cash takes precedence over everything else.

      1. Mr Sceptical
        Facepalm

        Re: Lack of competence

        "Well, installers install. It really isn't a credible expectation that they should become ITSec configuration experts, and for smaller installations you can't expect that one should be brought along as another expensive body visiting the site."

        Well, that might be OK for a one-man band lashing together solar kit after an internet training course to power off-grid stuff, but that's not acceptable in the commercial space. Customers are paying for the expertise to install AND configure kit correctly, otherwise they'd just get their regular sparky to do that.

        Gone are the days you can be a credible installer without knowing how to optimise the configuration afterwards. If you can't do that, you're just a 1st fix / 2nd fix fleshpot pair of hands, you're no commissioning guy. Got to move with the times or get out of the game.

        A little ignorance goes a long way in creating unintended future f*ck ups I'd say...

        * We do security systems but the same principle applies to power, seen too many 'installs' by companies that don't understand the IT aspect of current systems - even the big boys fail miserably to train all their engineers.

  9. John Smith 19 Gold badge
    Unhappy

    To put this in perspective 90 GW is about 2x the entire UK generating capacity.

    So yes shutting it down, or pulsing the Europe wide grid with it at "interesting" frequencies would be quite noticeable.

    It sounds like this guy has single handedly given a wake up call to the whole industry, and the relevant regulators.

    You can bet none of the actors involved in this will thank him for making them do their jobs properly.

    Now I wonder what sort of security the hardware that runs all those big wind turbines is like....

    1. Anonymous Coward
      Anonymous Coward

      Re: To put this in perspective 90 GW is about 2x the entire UK generating capacity.

      So yes shutting it down, or pulsing the Europe wide grid with it at "interesting" frequencies would be quite noticeable.

      But unrealistic for the current systems. There's limited cross-border integration, the aggregation and control systems are diverse (and have incomplete penetration of the asset base) so it would be nigh on impossible to hit the entire output at once, and huge tranches of distributed renewables (eg most household PV arrays) aren't net connected at all. Good luck hacking an inverter that has no data connection!

  10. Sir Runcible Spoon

    Buck Passing

    This isn't an 'either/or' situation, the devices need to be secure and bug free AND the environment in which they are to be deployed should also be secure and locked down.

    It isn't *that* hard to fathom, except that bean-counters seem to think that security is an optional feature. Start holding them accountable for security breaches and you'll see a marked change in budget priorities.

    Although they'll probably still come up with something like "It costs $1bn to fix all the hardware flaws, but only $100m to sort out all the negative PR and fines".

  11. ZenCoder

    Nonexistent penalties for gross negligence.

    Quick analogy ... imagine if all building codes, regulations and liability for bridges were abolished overnight.

    The free market would eliminate all bridge builders that didn't immediately perform a race to the bottom in terms of quality.

    That's basically how IT infrastructure works. Security is a business/regulatory problem not a technical one.

    If everyone providing vital IT infrastructure were required to adhere to strict quality control and quality assurance (testing) guidelines, all products subjected to random code quality spot checks, and held financially liable both before and after product delivery for any failure to meet these standards .... then all software projects would cost a lot more and take a lot longer ... but there would be a lot more security and reliability.

    Anyway given my analogy, if bridges were collapsing every day, would you blame the construction workers, the engineers, the businessmen, the shareholders or the government for not providing and properly enforcing the proper regulatory framework?

    1. John Smith 19 Gold badge
      Unhappy

      bridges..collapsing every day,.. you blame the..for not providing..enforcing the proper..framework?

      Substitute "burning down" for collapsing and I think the British are going to be finding out quite soon.

  12. Threlkeld

    Keep it simple, why not?

    The grid itself signals its state continuously, because the frequency falls below 50 Hz when there is too much demand, and rises above when there is an excess of supply. It is surely not beyond the wit of mankind to make use of this fact?

    Some equipment, like battery chargers and refrigeration loads, can often be turned off for periods of up to hours without serious impact on performance. If the user could set a simple control that represented their choice between continuous service (on the one hand) and lower cost (on the other), then such loads could be shed automatically and incrementally at periods of high demand, and brought on line at periods of low demand.

    Much of the practical functionality of control via the internet could be attained without having any of the potential problems of actually connecting to the internet. And the problem of how to hack the system would keep lots of potential evildoers occupied in harmless fun. Any suggestions?
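The scheme described in the post above, as an added simulation that is not the commenter's own code: a local controller that reads nothing but the measured grid frequency, with a per-load "service versus cost" dial set by the user, and sheds or restores deferrable loads with hysteresis and no network connection. The 49.5-49.9 Hz shedding band, the 0.1 Hz hysteresis, the load names and sizes, and the frequency trace are all constructed assumptions for the demo, not figures from the thread; a real deployment would take its thresholds from the local grid code.

```python
"""Frequency-responsive load shedding, stand-alone simulation.

Added example (not from the comment thread). The controller needs only the
locally measured grid frequency plus a user preference per load, so there is
no remote control path to secure.
"""
from dataclasses import dataclass

NOMINAL_HZ = 50.0
# Assumed under-frequency band for the demo: the most interruption-tolerant
# load drops out at 49.9 Hz, the least tolerant only at 49.5 Hz.
SHED_MILD_HZ = 49.9
SHED_SEVERE_HZ = 49.5
HYSTERESIS_HZ = 0.1          # restore only once frequency has recovered by this much
PLAUSIBLE_HZ = (47.0, 52.0)  # outside this band, treat the reading as a sensor fault


@dataclass
class DeferrableLoad:
    name: str
    kw: float
    # The user's dial: 0.0 = "keep it running" (shed last), 1.0 = "lowest cost" (shed first)
    cost_preference: float
    on: bool = True

    @property
    def shed_hz(self) -> float:
        """Frequency below which this load is switched off."""
        return SHED_SEVERE_HZ + (SHED_MILD_HZ - SHED_SEVERE_HZ) * self.cost_preference

    @property
    def restore_hz(self) -> float:
        """Frequency the grid must recover to before the load is switched back on."""
        return self.shed_hz + HYSTERESIS_HZ


class FrequencyResponsiveController:
    """Sheds and restores loads incrementally from the frequency signal alone."""

    def __init__(self, loads):
        self.loads = list(loads)
        self.faults = 0  # count of implausible readings ignored

    def step(self, freq_hz: float) -> float:
        """Apply one frequency sample; return the kW currently shed."""
        lo, hi = PLAUSIBLE_HZ
        if not (lo <= freq_hz <= hi):
            # A wild reading says the sensor is broken, not the grid: hold state.
            self.faults += 1
            return self.shed_kw()
        for load in self.loads:
            if load.on and freq_hz < load.shed_hz:
                load.on = False          # too much demand: shed this load
            elif not load.on and freq_hz >= load.restore_hz:
                load.on = True           # supply has recovered: bring it back
        return self.shed_kw()

    def shed_kw(self) -> float:
        return sum(load.kw for load in self.loads if not load.on)


def make_demo_loads():
    """Constructed loads for the demo (names and sizes are assumptions)."""
    return [
        DeferrableLoad("ev_charger", kw=7.0, cost_preference=1.0),    # sheds at 49.9 Hz
        DeferrableLoad("cold_store", kw=3.0, cost_preference=0.5),    # sheds at 49.7 Hz
        DeferrableLoad("water_heater", kw=2.0, cost_preference=0.0),  # sheds at 49.5 Hz
    ]


def run_trace(freqs):
    """Run a frequency trace through a fresh controller; return shed kW per sample."""
    ctl = FrequencyResponsiveController(make_demo_loads())
    return [ctl.step(f) for f in freqs]


# Constructed frequency trace in Hz, one sample per step; not real grid data.
# The final sample is deliberately absurd to exercise the sensor-fault check.
DEMO_TRACE = [50.0, 49.95, 49.85, 49.65, 49.45, 49.55, 49.75, 49.85, 49.95, 50.05, 130.0]

if __name__ == "__main__":
    for f, shed in zip(DEMO_TRACE, run_trace(DEMO_TRACE)):
        print(f"{f:7.2f} Hz -> {shed:4.1f} kW shed")
```

Running the trace shows the incremental behaviour the post asks for: loads drop off one at a time as the frequency sags, and come back one at a time, in reverse order, as it recovers, with the hysteresis stopping a load from chattering around its threshold. The plausibility check is the caveat a practitioner would add: a faulty or spoofed frequency reading should freeze the controller, not drive it.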

  13. handleoclast
    Coat

    Worst case scenario

    The very worst thing they could do is configure the power inverters to run in reverse. This would feed power from the grid into the sun, causing it to explode.

  14. MeCcano
    Pint

    ...and Bluetooth?

    My Sunny Boy inverter is Bluetooth and Sunny Explorer uses that rather than a LAN with IP addresses, but many of the same vulnerabilities potentially apply with bluetooth. I use some software that queries the inverter every five mins to get the data. This was only possible through being able to replay the SMA protocol back to the inverter, but for a good cause. I've got 5 minute interval data from it for the last 7 or 8 years! I don't believe the password to be encrypted over the air, but we live in the hills so I'm not going to lose too much sleep.

    1. abc123zxy

      Re: ...and Bluetooth?

      Same here.

      I used Sunny Explorer once to see what the software could do - ended up using SMAspot on a server that runs 24/7 to collect the stats instead.
