Renewable energy sources, including solar energy systems, quickly become essential elements of power nets around the world – especially in the US and Europe. However, cyber security for these systems is often a side issue, creating a growing risk for the security, stability and availability of grid.
New research Forescout supplier found an uncertain ecosystem – with dangerous energy and implications of national security. Although any residential solar system produces limited power, their combined output reaches dozens of gigawatts – which makes their collective impact on cyber security and grid reliability to ignore.
In the Full reportPrescout reviews known issues and presents new vulnerabilities that have been found on three leading manufacturers of solar energy systems: Sungrow, Growatt and SMA. Forescout also discusses realistic power grid -catch scenarios that can be executed and that can cause emergency situations or black -outs, and offers recommended risk limit actions for owners of smart inverters, utilities, equipment manufacturers and supervisors.
Summary of the findings
- Forescout -cataloged 93 previous vulnerabilities on solar energy and analyzed trends:
- There is an average of more than 10 new vulnerabilities that are announced in the past three years a year
- 80% of them have a high or critical seriousness
- 32% have a CVSS score of 9.8 or 10, which in general means that an attacker can take full control over a affected system
- The most affected components are solar monitors (38%) and Cloud -Backends (25%). Relatively few vulnerabilities (15%) influence the solar string directly
- Due to the growing concern about the dominance of foreign components of solar energy, Forescout analyzed their common countries of origin:
- 53% of solar manufacturers are located in China
- 58% of the storage system and 20% of the manufacturers of the monitoring system are in China
- The second and third most common countries of origin for components are India and the US
- New vulnerabilities:
- Forescout analyzed six of the top 10 suppliers of solar energy systems worldwide: Huawei, Sungrow, Ginlong Solis, Growatt, Goodwe and SMA
- Forescout found 46 new vulnerabilities that influence various components in three suppliers: Sungrow, Growatt and SMA.
- These vulnerabilities make scenarios possible that influence raster stability and user privacy
- Some vulnerabilities also enable attackers to hijack other smart devices at user houses
Impact on grid security
The new vulnerabilities, which have now been resolved by the affected suppliers, can enable attackers to take full control over a whole fleet of solar energy converters via a few scenarios, as shown in the report:
Once control over these inverters, attackers can tamper with their power settings or switch off in a coordinated way as a botnet. The combined effect of the hijacked inverters has a major effect on the power generation in a grid. The impact of this effect depends on the capacity of that grid and how quickly that can be activated.
The example of the full report discusses in the full report that of the European grid. Earlier research showed that control over 4.5 GW would be mandatory to reduce the frequency to 49Hz – which requires the tax reduction. Since the current solar capacity in Europe is around 270 GW, attackers would require that attackers control less than 2% of the inverters in a market dominated by Huawei, Sungrow and SMA.
Recommendations
- Treat PV inverters in residential, commercial and industrial installations as a critical infrastructure:
- Owners of commercial and industrial installations must:
- Include security requirements in purchasing
- Perform a risk assessment when setting up devices
- Provide network visibility in solar energy -systems
- Segmenting and checking devices in their own sub -networks
- Devices manufacturers must:
- Implement secure software -life cyclus practices
- Perform regular penetration tests
- Take on security-in-depth strategies using web application firewalls
- Use external audits of communication connections based on standards, such as: ETSI EN 303 645, Ride equipment Directive (ROD) and Cyber Resilience Act (CRA)
Forescout news item
