Version Nichts ist wahr. Alles ist erlaubt.
Lecture: Decentralized energy production: green future or cybersecurity nightmare?
The cybersecurity dark side of solar energy when clouds are involved
In this talk we will have a look at some cybersecurity challenges raised by the trend of decentralizing our energy production.
Our energy infrastructure is now changing from a centralized system based on big power plants to a more decentralized system based on renewable energy produced by smaller power plants (maybe yours). In Germany alone, 300.000 so called balcony power plants were in operation by August 2023. Most of these smaller power plants are / will be somehow connected to some cloud services.
To show that security hasn't been the biggest priority, we will examine the cybersecurity controls of different solar inverters. To put it mildly: there is room for improvement.
We will also discuss the need for better regulations and enforcement of cybersecurity for smaller connected power plants: altogether they probably produce more power than the bigger ones - and this trend is accelerating.
Protecting our infrastructure shall have - today more than ever before - a high priority.
Context: cybersecurity for future energy production systems
Cybersecurity for smaller solar power plants is a critical challenge: strong separation between operational, safety relevant network and internet is not present. Moreover, manufacturers do not invest enough in security; reason being high competition in terms of time to market, price pressure and lack of security knowledge.
These power plant systems need more or less an internet connection in order to fetch power & energy data from the plant with an app, perform firmware updates, and carry out maintenance remotely.
The central device, which is connected to the internet, is the inverter. Many companies provide inverters for solar power plants and include cloud connectivity. An inverter converts the energy from the solar panels to grid compatible energy. Since it handles high currents & voltages, the physical consequences of cybersecurity risks are arguably higher than for standard smart home devices.
Research results related to connected solar inverters (technical part)
Out of curiosity, I tested different inverters from different manufacturers, including cloud connectivity. All devices have a license to be operated in Germany and are very popular. They are used in solar power plants of different sizes, from balcony size to bigger plants.
In this section some research results will be presented, we will especially focus on one system.
Positive note: critical vulnerabilities have been patched by now.
Insecure Direct Object Reference (IDOR) or similar vulnerabilities have been found, allowing an attacker with a simple account to execute commands on connected inverters remotely. This was an enabler for many further attacks.
- An attacker could trigger a firmware update process on connected inverters.
- The firmware update process was not properly secured: update images did not include a cryptographic signature.
- Most of the devices did not use the TLS protocol for cloud communication or did not use it correctly.
- Secure boot and secure debugging were not implemented.
- On the server side, there were insufficient sanity checks.
- Sensitive data (e.g. serial number) was easy to extract.
- Commands could be executed on any connected devices (e.g. switch ON, switch OFF, change parameters).
- The power electronics and relays of devices could be manipulated remotely with a malicious firmware update.
- By manipulating many devices synchronously the stability of the grid could be endangered.
A proof of concept with a full (unlocked) exploit chain will be presented.
Conclusion and Discussion
Removing bureaucratic hurdles is an important step in order to democratize our energy production - and renewable energies are the future! On the other hand, if it comes at the cost of poorly-secured devices, this may be jeopardized.
In Germany, we have the Kritis Verordnung (decree) to protect for example the electricity infrastructure. It states that every power plant with more than 104 MW capacity is required to have specific protections. Individually, the small solar power plants are not in this category. However, summing up all devices connected to one cloud, we probably reach these numbers by now - and if not, tomorrow. Current projections point in that direction.
During this research, I realized how easy it is to take control of energy production devices and it scared me. The cloud connectivity and the related "remote control / remote maintenance" and "firmware update" processes are truly critical and attacks may scale. Even if vulnerabilities are patched by now, an attacker who finds a way into the cloud servers can control all connected inverters.
On the other hand, it seems that there are no security related regulations regarding these systems as of today in the European Union. The EU Cyber Resilience Act, which will apply to these devices is still in discussion and is likely to be effective soon. However, manufacturers will probably have a grace period of 36 months to comply: by then, many insecure devices will already be installed. Knowing how many bad guys are out there, the risk is there and growing rapidly.