The standards body TÜV Rheinland has cast doubt on inverter makers’ cybersecurity measures after it hacked commercially available PV inverters “within a few minutes.”
The Cologne-based organization stated that the finding was “all the more critical since storage systems typically communicate with the inverter, too.”
By hacking inverters, cybercriminals could gain access to battery management systems and trick batteries into operating in unsafe modes, TÜV Rheinland said.
On a wider scale, it might be possible to attack the entire electricity grid, causing massive power fluctuations, the researchers warned.
“We were able to re-parametrize commercially available inverters without any problems,” said Roman-Alexander Brück, laboratory head for solar components at TÜV Rheinland, in the press note.
His team hacked inverters using various techniques, including brute-force attacks and stealing passwords.
Although there are no known instances of such attacks happening outside the lab, the findings could call into question the extent to which inverter manufacturers are addressing the cybersecurity concerns that have now been apparent for some time.
Last October, for example, GTM reported on cybersecurity worries that had surfaced when a Dutch researcher uncovered 17 solar inverter vulnerabilities that hackers could use to remotely control plant output.
The list of vulnerabilities was handed over to the inverter maker, SMA, in December 2016. It is not known whether the TÜV Rheinland exercise also included SMA inverters, but Susanne Henkel, SMA’s corporate press manager, said the manufacturer was aware of the tests.
“SMA welcomes activities and analyses like this, because they are supporting the continuous improvement of security standards,” she said. “In general, cybersecurity is an extremely important topic that needs to be permanently addressed. This is what we do at SMA.”
SMA always adheres to the highest IT security requirements and international standards, Henkel said.
“An interdisciplinary team is permanently working on secure system solutions and their integration, starting from product development and reaching to regular remote updates of our inverter software in the field,” she said.
Based on the TÜV Rheinland findings, either this work is not good enough or other inverter manufacturers are not replicating it.
Part of the problem might be that since the equipment has not been maliciously exploited so far, it is hard to gauge how much of a risk the vulnerabilities really are.
Scott Moskowitz, research manager at GTM Research, said that from a consumer's point of view the threat to inverters should be placed in the context of an increasingly wide range of insecure devices now being hooked up to IT networks.
“It’s something to pay attention to and keep in mind,” he said, “but I’d say it’s no more a concern than buying a modem, air conditioning, smart meters or any other piece of internet-connected home infrastructure.”
Cybercriminals could potentially hack a residential inverter and cause an outage or gain access to your Wi-Fi network, in the same way as they might via your smart TV or Amazon Alexa system, he said.
Utilities, though, may face greater risks because of the scale of their operations. “From the grid operators’ perspective, the risk is that folks hack into utility-scale or distributed PV systems and use them to sabotage the grid,” Moskowitz theorized.
In defense of inverter makers, some cybersecurity issues might not be entirely of the manufacturers’ own making, according to Dima Tokar, co-founder and chief technology officer of MachNation, an analyst firm focused on the internet of things.
“Most IT vulnerabilities, such as the well-publicized [central processing unit] exploit from earlier this year, tend to be industry-agnostic as they affect underlying hardware or widely deployed operating systems,” he said.
Security teams protecting renewable energy plant components that are connected to IT networks should assume the systems are vulnerable unless it has been confirmed otherwise, he said.
This advice goes not just for inverters but also for any mission-critical operating systems or supervisory control and data acquisition platforms that could be exposed to typical attack vectors via internet or intranet connections, said Tokar.
More general threats, such as distributed denial of service attacks, can also exploit poorly secured devices, including low-cost consumer gadgets, to attack energy infrastructure that is not properly isolated and secured, he said.
Regardless of how secure inverters are, “plant operators should keep abreast of developments in the security community and conduct routine audits to identify and mitigate any risks posed by vulnerabilities,” Tokar advised.