Cybersecurity vulnerabilities in solar power systems pose potential risks to grid security, stability and availability, according to a new study
The SUN:DOWN research – conducted by Forescout Research, a specialist in cybersecurity – investigated different implementations of solar power generation. “Our findings show an insecure ecosystem — with dangerous energy and national security implications,” says the group’s blog, which seems to reserve these more concerning ramifications for the impact of a coordinated attack against large numbers of systems.
The report reviews known issues and presents new vulnerabilities with systems offered by three leading solar power system manufacturers: Sungrow, Growatt, and SMA. It presents seemingly realistic power-grid-attack scenarios with the potential to cause emergencies or blackouts. It also advises on risk mitigation for owners of smart inverters, utilities, device manufacturers, and regulators.
Forescout Research summarises its main findings as follows:
- We cataloged 93 previous vulnerabilities on solar power and analyzed trends:
Due to growing concerns over the dominance of foreign-made solar power components, we analyzed their common countries of origin:- There’s an average of over 10 new vulnerabilities disclosed per year in the past three years
- 80% of those have a high or critical severity
- 32% have a CVSS score of 9.8 or 10 which generally means an attacker can take full control of an affected system
- The most affected components are solar monitors (38%) and cloud backends (25%). Relatively few vulnerabilities (15%) affect solar inverters directly
- New vulnerabilities:
- 53% of solar inverter manufacturers are based in China
- 58% of storage system and 20% of the monitoring system manufacturers are in China
- The second and third most common countries of origin for components are India and the US
- New vulnerabilities:
- We analyzed six of the top 10 vendors of solar power systems worldwide: Huawei, Sungrow, Ginlong Solis, Growatt, GoodWe, and SMA
- We found 46 new vulnerabilities affecting different components in three vendors: Sungrow, Growatt and SMA.
- These vulnerabilities enable scenarios that impact grid stability and user privacy
- Some vulnerabilities also allow attackers to hijack other smart devices in users’ homes
While the new vulnerabilities have now been rectified by the vendors in question, Forescout said they could allow attackers to take full control of a fleet of solar power inverters via a couple of scenarios. For example, by obtaining account usernames, resetting passwords to hijack the respective accounts, and using the hijacked accounts.
Attackers can then interfere with power output settings, or switch them on and off at the behest of a botnet. “The combined effect of the hijacked inverters produces a large effect on power generation in a grid,” says the blog. “The impact of this effect depends on that grid’s emergency generation capacity and how fast that can be activated.”
The report discusses the example of the European grid. Previous research showed that control over 4.5GW would be required to bring the frequency down to 49Hz — which mandates load shedding. Since current solar capacity in Europe is around 270GW, it would require attackers to control less than 2% of inverters in a market that is dominated by Huawei, Sungrow, and SMA.
The group provides a number of recommendations. For example, to treat PV inverters in residential, commercial, and industrial installations as critical infrastructure. This would mean following NIST guidelines for cybersecurity with components like smart inverters in residential and commercial installations
Owners of commercial and industrial solar installations should consider security during procurement, and conduct a risk assessment when setting up devices. Other recommendations are outlined in the blog and full report.
