Cybersecurity vulnerabilities discovered in solar power systems are raising alarms about potential large-scale attacks on energy grids. A new report highlights critical flaws in solar inverters from leading manufacturers that could allow hackers to disrupt power grids, steal sensitive user data, and manipulate energy markets. As solar energy becomes increasingly integrated into national grids, particularly in the U.S. and Europe, securing these systems against cyber threats is more critical than ever.
Vulnerabilities Expose Solar Power Systems
Forescout Research’s Vedere Labs recently uncovered nearly 50 vulnerabilities in solar inverters from major vendors, including Sungrow, Growatt, and SMA Solar Technology. These flaws range from basic security failures like hardcoded login credentials and stack-overflow vulnerabilities to more complex issues in cloud platforms and website code. Exploiting these vulnerabilities could enable attackers to:
- Collect details about equipment and users.
- Inject data into web portals.
- Overwrite device firmware with malicious code.
- Tamper with power output settings.
- Switch inverters off and on in a coordinated manner, operating the compromised devices as a botnet.
According to Forescout, over half of solar inverter and storage system providers are based in China, raising concerns about potential state-sponsored attacks.
Growatt Inverters: A Case Study in Vulnerability
Growatt inverters were found to be particularly vulnerable due to flaws in the company’s cloud platform. These flaws could allow hackers to:
- Steal information about Growatt devices.
- Modify devices without logging into the portal.
- Upload arbitrary files to the platform.
- Access lists of authorized users.
- Take over user accounts and control connected inverter devices.
Other Vulnerabilities: Sungrow and SMA
Attacks on Sungrow and SMA inverters, while more complicated, exploited basic security failures such as:
- Hardcoded login credentials.
- Stack-overflow vulnerabilities.
- Unauthorized code execution on an SMA website.
- Insecure encryption and failure to verify security certificates in a Sungrow Android application.
Potential Impact on Energy Grids and Users
Compromising solar inverters can have far-reaching consequences, including:
- Grid Instability: Hackers could manipulate inverters to create power load fluctuations, leading to grid instability, load shedding, and emergency equipment shutdown.
- Blackouts: Coordinated attacks on a large fleet of inverters could cause widespread power outages.
- Data Breaches: Exploiting insecure direct object references (IDOR) could expose sensitive personal data, such as email accounts, physical addresses, and energy consumption data, potentially violating GDPR and other regulations.
- Hijacked Smart Home Devices: Attackers could gain access to other smart home devices connected to the same network as the compromised inverter.
- Financial Manipulation: Energy price manipulation and ransomware attacks could cause financial losses for grid operators.
Addressing the Cybersecurity Threat
The increasing reliance on solar power necessitates proactive security measures from all stakeholders, including manufacturers, regulators, utility companies, and consumers.
Industry Response
Sungrow and SMA have reportedly patched the identified vulnerabilities and issued advisories. Growatt acknowledged and fixed the issues but was criticized for a slower and less collaborative response.
Recommendations
To mitigate the risks, experts recommend:
- Enforcing strict security requirements when procuring solar equipment.
- Conducting regular risk assessments.
- Ensuring full network visibility into these devices.
- Segmenting solar devices into sub-networks with continuous monitoring.
- Implementing a defense-in-depth approach and continuous risk management.
- Making solar system operators aware of cybersecurity standards and best practices.
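As an illustration of the continuous-monitoring recommendation, the sketch below flags the coordinated on/off switching scenario described earlier by looking for a large share of a fleet entering the same state within a few seconds. It is an added example, not code from Forescout or any vendor; the log format, inverter names, fleet size, window and threshold are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed telemetry, not from any vendor: "<UTC time> <inverter id> <new state>"
SAMPLE_LOG = """\
2025-03-01T11:02:10Z inv-07 OFF
2025-03-01T11:40:55Z inv-07 ON
2025-03-01T12:00:01Z inv-01 OFF
2025-03-01T12:00:02Z inv-02 OFF
2025-03-01T12:00:02Z inv-03 OFF
2025-03-01T12:00:04Z inv-04 OFF
2025-03-01T12:00:31Z inv-01 ON
2025-03-01T12:00:32Z inv-02 ON
2025-03-01T12:00:33Z inv-03 ON
2025-03-01T12:00:35Z inv-04 ON
truncated line
"""

def parse_events(text):
    """Return (time, inverter, state) tuples, skipping lines that do not parse."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] not in ("ON", "OFF"):
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2]))
    return events

def coordinated_switches(events, fleet_size, window_s=10, min_fraction=0.5):
    """Alert when at least min_fraction of the fleet enters one state within window_s."""
    alerts, window = [], timedelta(seconds=window_s)
    for state in ("OFF", "ON"):
        same = sorted((ts, inv) for ts, inv, st in events if st == state)
        start = 0
        for end in range(len(same)):
            while same[end][0] - same[start][0] > window:
                start += 1  # drop events that fell out of the window
            devices = sorted({inv for _, inv in same[start:end + 1]})
            if len(devices) >= min_fraction * fleet_size:
                alerts.append((same[start][0].isoformat(), state, devices))
                start = end + 1  # one alert per burst
    return sorted(alerts)

if __name__ == "__main__":
    for alert in coordinated_switches(parse_events(SAMPLE_LOG), fleet_size=8):
        print(alert)
```

The isolated state changes of inv-07 do not trigger an alert; only the two bursts in which half of the assumed eight-inverter fleet changes state within the window do.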
Government Initiatives
The U.S. Department of Energy (DOE) is actively involved in addressing solar cybersecurity through research and development projects. These projects aim to develop more secure ways to operate solar and other distributed energy resources (DER), enabling grid operators to rapidly detect disturbances and recover from power outages.
In 2022, the DOE, in collaboration with the Office of Cybersecurity, Energy Security, and Emergency Response (CESER), released the “Cybersecurity Considerations for Distributed Energy Resources on the U.S. Electric Grid” report, which provides recommendations for securing current and future systems.
The Growing Importance of Solar Cybersecurity
As solar energy becomes an integral part of the energy landscape, securing these systems is paramount. Unlike traditional centralized power plants, distributed solar systems rely on individual consumers to maintain security, which complicates defense strategies.
The electric grid is a cyber-physical system, meaning cyberattacks can cause physical damage and safety issues in addition to disrupting information flow. Therefore, addressing cybersecurity risks at every level is crucial for maintaining a reliable, safe, and secure energy supply.