Security flaw in solar panels may enable hackers to bring down power grids

IoT

Security flaw in solar panels may enable hackers to bring down power grids

IoT

Security flaw in solar panels may enable hackers to bring down power grids

Malicious hackers can target electricity grids by exploiting vulnerabilities in solar panels, thereby causing losses in billions and impacting everybody's lives.

A security vulnerability in a component in solar panels can help hackers target electricity grids across Europe, says researcher Willem Westerhof.

In a detailed research note which he published in a specially-created website, Dutch security researcher Willem Westerhof has demonstrated how hackers can exploit a security flaw in a component in solar panels to shut down electricity grids that service entire nations.

The rise and rise of infrastructure-focussed malware

The said security flaw exists in inverters that are attached to solar panels and convert direct current to alternating current. The flaw was discovered by Westerhof last year but despite being intimated about the flaw, SMA, the German manufacturer of such solar panels, has not been able to fix it yet.

Solar panel inverters manufactured by SMA are used widely in European power grids and the flaw thus makes all of them vulnerable to potential cyber attacks. These inverters are internet-connected and as per Westerhof's research, offer around 90 gigawatts of electric power in Europe.

'In Europe there is over 90 GW of PV power installed, an attacker capable of controlling the flow of power from a large number of these devices could therefore cause peaks or dips of several GigaWatts causing massive balancing issues which may lead to large scale power outages,' he says.

By remotely-controlling such inverters, Westerhof adds that hackers can cause sudden peaks or dips in power production, leading to grid failures. If they can cause sufficient voltage fluctuations, they can even bypass safety mechanisms installed in power plants and can cause a power outage for long periods.

Malware attacks behind 2016 Ukrainian power outage, researchers reveal

Westerhof adds that solar panel and inverter suppliers are not obliged to follow existing laws and guidelines for power supply equipment and its cyber security in Europe. As such, they have probably not implemented too many cyber security measures in their devices, thereby leading to such vulnerabilities.

'A 3 hour power outage across Europe, somewhere mid day on June is estimated to cause +/- 4.5 billion euros of damage. We should also consider the impact it may have on human lives, as previous outages are known to cause problems which sometimes end fatally,' Westerhof warned on his website.

SMA said that the said vulnerability exists in only a limited range of products and that its engineers are working on correcting the flaws. The manufacturer added that customers should change default passwords while installing the panels, and should avoid connecting them to the Internet. SMA will release a detailed response to Westerhof's findings in the coming days.

UK government announces guidelines for connected and autonomous vehicles

Yesterday, it came to light that the Irish electricity transmission system operator EirGrid was targeted by a state-sponsored cyber attack over two months ago but the hack was discovered only recently. Suspected hackers were able to wiretap a Vodafone network used by EirGrid and then used it to access unencrypted traffic sent and received by employees at the grid.

“Vodafone discovered that there had been a breach on their Direct Internet Access (DIA) service which is internet provider to Eirgrid’s interconnector site in Shotton, Wales. The original breach took place on April 20 and lasted just short of seven hours,” reported The Independent.

“However it was able to tell the state supplier that all the compromised router devices had their firmware and files copied by the attackers," it added.

Shares
The following two tabs change content below.

Jay Jay

Jay has been a technology reporter for almost a decade. When not writing about cybersecurity, he writes about mobile technology for the likes of Indian Express, TechRadar India and Android Headlines

Comments