What happens when malware hits PV systems – SPE

November 6, 2024
Emiliano Bellini

A random malware variant targeted around 800 remote monitoring devices at ground-mounted PV installations in Japan in May, according to Japanese PV cybersecurity specialist Girasol Energy.

Although the incident caused no financial or technical damage to the solar installations, the malware used the systems as a springboard for fraudulent actions.

“The random malware installed a backdoor and used illegal internet banking to steal money. Once a backdoor is installed, a hacker can easily gain repeated unauthorized access without going through the normal authentication process,” said Hiroyuki Ikegami, CTO of Girasol Energy. pv magazinenoting that such incidents are more common than generally thought.

Ikegami explained that online cybercriminals often make random or automated attempts to turn vulnerable computers into members of botnets.

“Based on known vulnerabilities, attackers attempt to break into vulnerable computers and, if successful, install malware to create a backdoor on the computer,” he says. “Computers with backdoors are shared by attackers around the world – this is a botnet.”

He explained that once computers become part of a botnet, they are at the disposal of attackers. They can use compromised devices for a range of malicious activities, such as sending fraudulent emails or overloading servers with traffic to disrupt service in distributed denial-of-service (DDoS) attacks.

Ikegami said the malware targeted SolarView Compact SV-CPT-MC310 remote monitoring devices developed by Japan-based Contec. The company has since released an updated version of the product, which addresses all vulnerabilities involved in the incident. It has also told users to update their software.

Contec said in a press release that it found 19 vulnerabilities in SolarView between 2021 and 2023 and has issued patches since 2021 to address these issues. Japanese media reported that the attackers used around 800 SolarView devices in the May 1, 2024 incident to run a scam and steal money.

“This means that in about two to three years, 800 vulnerable SolarViews will no longer be maintained from a cybersecurity perspective,” Ikegami said. “Users did not apply these patches to SolarView and continued to deploy vulnerable SolarView directly to the Internet. This negligence led to the entire incident.”

Ikegami said details of how the incident was discovered remain unclear. However, based on reports linking it to money transfer scams, he believes the incident was likely uncovered during police investigations into the victims of the scam.

He warned that all remote monitoring devices connected to the internet are exposed to these risks if they are not properly protected by specialist cyber security companies.

“There is no assurance of protection if no one inspects the system and attacks like the one we saw in May could have legal consequences for PV plant owners, although the performance of the plants is not affected,” Ikegami said.

There have been no reported cases in Japan where unwitting botnet participants have been sued for damages related to such issues.

“However, there is a risk, and it is important for companies to respond appropriately, especially if the system should work with cybersecurity,” Ikegami said, noting that in this case it is more profitable for the attacker if the PV owner is not aware of it. . “It’s like using an empty house for illegal activities.”

Ransomware also poses a significant threat to production facilities and IT systems. As PV systems become a more important energy source, such attacks may become more common.

“The importance of PV systems will increase in the coming years, so system integrators must be particularly careful about ransomware and unknown future attacks,” said Ikegami.