
Hijacking of monitoring devices highlights cyber threat to solar energy infrastructure

In what may be the first publicly confirmed cyberattack on solar grid infrastructure, Japanese media recently reported that malicious actors hijacked 800 SolarView Compact remote monitoring devices manufactured by industrial control electronics manufacturer Contec from solar power plants in order to steal bank accounts.

The attackers likely took advantage of systems that had not been patched for the CVE-2022-29303 vulnerability discovered by Palo Alto Networks in June 2023. The cybersecurity firm said the vulnerability was being actively exploited to spread the Mirai botnet. The attackers even published a video on YouTube demonstrating an exploit in the SolarView system. Contec subsequently patched this vulnerability on July 18, 2023.

On May 7, 2024, Contec confirmed the latest attacks on remote monitoring devices and apologized for the inconvenience. The company notified utility operators about the problem and urged them to update the device’s software to the latest version.

The Hacker CN group was most likely responsible for the attack

In an interview with analysts, South Korean security firm S2W stated that the group responsible for the attack was Arsenal Depository, which likely referred to the hacker group also known as Hacker CN.

In January 2024, S2W identified Hacker CN as Chinese or Russian, indicating that it was involved in hacktivist attacks targeting Japanese infrastructure after the Japanese government discharged contaminated water from the Fukushima nuclear power plant in a so-called “Operation Japan” campaign. (Neither Contec nor S2W responded to interview requests.)

Although disturbing, the hijacking of the remote monitoring devices did not threaten the operation of the power system. However, experts say that in very capable hands, hacking into such devices could turn out to be even more dangerous. They emphasize that the inverters used in photovoltaic installations are a more likely vector for harmful attacks on solar infrastructure.

The attack did not target network operations, but it could have

Experts say the apparent financial motivation leads them to believe the attackers did not target network operations. “These criminals were looking for computing devices that they could use for Internet-related fraud,” says CSO Thomas Tansy, CEO of DER Security. “From this point of view, the fact that they took over a contact would be no different from bad actors taking over CCTV cameras, home routers or other internet-connected devices. The purpose of the attack was not to breach the power grid. It was intended to extort money.”

However, if hackers had an incentive to disrupt the power grid, they could use these unpatched devices for more malicious purposes, Tansy says. “Could the adversary turn around and say, ‘We’re no longer interested in ripping people off today, we’re interested in interrupting grid power?’ Bright. If they had the knowledge to do so, the fact that they are in the system gives them the opportunity to do so. Of course, they would have to have the skills and knowledge to do this, but at this point the barbarians are outside the gates.”


Access to monitoring systems will provide some level of access to the actual solar installation, says CSO Willem Westerhof, team leader at Secura. “You actually have access to the local network. Instead of doing what they do, you can try to use this access to attack everything on the same network.”

Attackers can gain access to the central control system

Such networks typically have a central control system that, if infiltrated, could allow attackers to take over more than one solar plant. “From what I’ve seen, this particular monitoring equipment also has the ability to, for example, turn off a photovoltaic installation,” says Westerhof. “You can therefore close and reopen the photovoltaic park. I don’t think the network will be completely disabled, given the scale of the attack and the countermeasures available, but it’s likely that some of the people responsible for balancing the network will be very upset if you start disabling them or repeatedly disabling them and NA.”

However, grid-scale solar installations, such as those that utilities increasingly use to power their energy sources, likely have sufficient safeguards built into their networks to thwart these types of attacks.

Mandatory safeguards such as “NERC-CIP are starting to come into play depending on how large the installation is and how much impact the installation has,” says CSO Andrew Ginter, vice president of industrial security at Waterfall Security Systems. “And what often happens is that more stringent cybersecurity is applied just because it makes business sense. If you have a dozen solar farms that each produce 300 megawatts of power, the utility company monitors them.”

More serious cybersecurity threats to power grids come from inverters

While the attack on Contec was concerning, experts point to a more serious cybersecurity threat to distributed energy resources (DERs) consisting of solar panels: a critical component called an inverter, a class of power electronics that regulates the flow of electrical power. An inverter is a device that converts direct current (DC) produced by a solar panel into alternating current (AC) used in the electrical grid.

The North American Electric Reliability Corporation (NERC) warned that inverter shortages pose “significant risks to BPS (bulk power supply) reliability” and could potentially cause “widespread failures.” The US Department of Energy warned in 2022 that a cyberattack on inverters could reduce grid reliability and stability.


In May 2023, a team of researchers from the Netherlands’ National Digital Infrastructure Inspectorate (RDI) reported that of the nine types of inverters they examined from eight manufacturers, none met RDI safety standards. The researchers concluded that “this makes solar panel installations, for example, easily hacked and then can be disabled or used for DDoS attacks. Or personal and usage data may be intercepted.”

“The key element is the inverter,” says Ginter. “An inverter is an interface to the grid, an interface to grid control systems. The latest inverters have communication; are connected to a network or are communication-connected to a cloud service. It is these devices that are at risk.”

Hacked inverters can threaten home photovoltaic installations and even cause a fire

The real threat to the operation of inverters is the growing number of home photovoltaic installations. According to the Solar Energy Association, the number of homes with solar PV systems in the U.S. is expected to double to 10 million by 2030. By 2030, the number of households equipped with photovoltaic installations is expected to exceed 100 million.

“Typically, these inverters have a set voltage and frequency,” says Westerhof. “So these are just electrical parameters, but they are configured either through firmware or through setpoints. If you get to the point where you can influence this, you can force these systems to send out a very significantly different voltage and a different frequency, which basically disrupts the operation of all connected devices.”


The inverters themselves are usually able to cope with voltage or frequency changes, short circuits or failures. However, Westerhof says, in rare circumstances, “some connected devices may slowly but steadily start to catch fire under certain circumstances. The likelihood of a fire breaking out will definitely increase.”

Some solutions to solar cybersecurity problems

The attack on Contec devices, threats to DER inverters and other threats to photovoltaic elements of the power grid do not arise from the photovoltaic panels themselves, which are essentially passive devices, but from the communication elements that connect the panels to power systems. Given this split, solar panel users can take steps to protect themselves from threats built into their communications software.

The standard-setting body IEEE established the 1547 standard for interconnecting solar panels to systems and recently updated the standard in 2018 to, among other things, improve reliability and support the grid in unusual circumstances.

“Because there is a standard, you can buy durable equipment, batteries and solar panels from one company outside China, and you can implement a 100% American-made control and security system,” Tansy says. “And in doing so, you’ve bought yourself some pretty significant protection.”

According to Westerhof, the next step to help protect the solar component of the grid is to provide local installers with adequate cybersecurity training, especially when it comes to unsecured inverters.

“For example, installers sometimes install models that have not been supported by suppliers for several years, just because they still have such an inverter in stock,” he says. “Solar park (solar farm) owners are quite concerned about cybersecurity, but they can’t really control solar installations because they are dependent on suppliers and the people who can install them.”

The U.S. Department of Energy is advocating for future-proofing the distributed energy industry now, before it reaches maturity, and NIST is developing guidance for residential and light commercial solar energy systems based on a review of known smart inverter security vulnerabilities documented in the National Vulnerability Database (NVD) and information about known cyber attacks on smart inverters. It is also testing five sample smart inverters.

Ginter believes the draft NIST guidance highlights what questions all organizations should be asking when implementing basic cybersecurity defenses. “NIST says we should have some cybersecurity standards and know the basics. I think over time the standards will have to become more stringent and eventually there will be software that performs security-critical functions in these physical devices,” he says.