
A dark side to solar power inverters

Researchers in the US have uncovered vulnerabilities in the inverters and cloud services used for residential solar power systems. These inverters could be compromised and used to launch the equivalent of a distributed denial of service (DDoS) attack to bring down a national electricity grid.
Solar power is rapidly becoming an essential element of power grids throughout the world, especially in the US and Europe, as shown by this week’s report from IRENA. However, cybersecurity for these systems is often an afterthought, creating a growing risk to grid security, stability, and availability.
The SUN:DOWN research by Forescout Vedere Labs in California analysed different implementations of solar power systems and found 46 vulnerabilities that have since been patched. While each residential solar system produces limited power, their combined output reaches dozens of gigawatts, making the collective impact on cybersecurity and grid reliability too significant to ignore.
The team analysed six of the top 10 vendors of solar power systems worldwide: Huawei, Sungrow, Ginlong Solis, Growatt, GoodWe, and SMA. They found the 46 new vulnerabilities affecting different components in three vendors: Sungrow, Growatt and SMA.
These vulnerabilities enable realistic power grid attack scenarios that could cause emergencies or blackouts, and the report cites European grids as an example.
The team catalogued 93 previous vulnerabilities on solar power and analyzed the trends. An average of over 10 new vulnerabilities have been disclosed every year in the past three years, and 80% of those have a high or critical severity.
32% have a CVSS risk score of 9.8 or 10, which generally means an attacker can take full control of an affected system. The Common Vulnerability Scoring System (CVSS) is a technical standard for assessing the severity of vulnerabilities in computing systems.
The most affected components are solar monitors (38%) and cloud backends (25%). Relatively few vulnerabilities (15%) affect the solar inverters directly. Some vulnerabilities also allow attackers to hijack other smart devices in users’ homes.
The new vulnerabilities, which have now been fixed by the vendors, could allow attackers to take full control of an entire fleet of solar power inverters.
Once in control of these inverters, attackers can tamper with their power output settings or switch them off and on in a coordinated manner as a botnet. The combined effect of the hijacked inverters produces a large effect on power generation in a grid. The impact of this effect depends on that grid’s emergency generation capacity and how fast that can be activated.
The example they use is that of the European grid. Previous research showed that control over 4.5GW would be required to bring the frequency down to 49Hz — which mandates load shedding, or the collapse of the grid. As current solar capacity in Europe is around 270GW, it would require attackers to control less than 2% of inverters in a market that is dominated by Huawei, Sungrow, and SMA.
The report recommends treating inverters in residential, commercial, and industrial installations as critical infrastructure, with suitable cybersecurity.
Owners of commercial and industrial installations should include security requirements in procurement, conduct a risk assessment when setting up devices, and ensure network visibility into solar power systems, segmenting devices into their own sub-networks and monitoring them.
Device manufacturers should implement secure software lifecycle practices and conduct regular penetration testing, especially adopting security-in-depth strategies using web application firewalls.
Third-party audits of communication links should be based on standards such as ETSI EN 303 645, Radio Equipment Directive (RED) and Cyber Resilience Act (CRA).
The report is here: Solar grid vulnerabilities report
