All it takes is one hacker and a batch of faulty solar panels to threaten the safety of Europe’s electric grid.

Vangelis Stykas, a cybersecurity consultant, said he figured out how to do it. Using a laptop and smartphone at his home in Thessaloniki, Greece, Stykas bypassed firewalls in panels around the world and gained access to more power than runs through Germany’s entire system.

The “white-hat hacker,” who tests software so companies can fix flaws, said he got far enough inside the controls that he could have turned the devices off, dramatically tipping the supply-demand balance for the power network. Such a drastic fluctuation could stress a grid to the point where it shuts down as a fail-safe, he said.

The exponential growth of rooftop solar systems means millions more connection points to the grid, creating a massive vulnerability that hackers could exploit. The most serious impact may be cascading grid failures across the continent. That risk is a growing concern for utilities and governments dealing with more cyberattacks every year.

[…]

The average number of weekly cyberattacks on utilities worldwide doubled within two years to about 1,100, and they’re occurring more frequently as digitalization takes hold, the International Energy Agency said. The European Union suffered more than 200 reported cyberattacks on energy infrastructure last year, and that number has “largely increased in recent years.”

[…]

“There’s some naivete about the risk,” Harry Krejsa, director of studies at the Carnegie Mellon Institute for Strategy & Technology in Pittsburgh, told the Columbia Energy Exchange podcast last week. “It should be more of a concern than is widely perceived today.”

[…]

The threat is serious enough that NATO ran a security drill in Sweden to find and fix vulnerabilities in solar, wind and hydroelectric systems.

The military alliance says it’s the world’s first such exercise, and the scenario comes amid wars in Ukraine and the Middle East, and the West’s fracturing relationships with Russia and China. The latter is the biggest maker of solar panels.

[…]

  • Lucy :3@feddit.org · 21 upvotes · 2 days ago

    Why do those things need network connectivity? I can only imagine for reading live power data to coordinate overall power production, but couldn’t you just make it read only?

    • thelucky8@beehaw.org (OP) · 10 upvotes · 2 days ago

      This is a good question. There is no reason why this (and a lot of other things, imho) must be connected.
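A worked illustration of the "make it read only" idea from the question above, added here as an example rather than code from either commenter. It assumes the inverter speaks Modbus/TCP (an assumption; the thread names no protocol) and uses constructed sample frames with made-up register addresses, not captures from any real device. The gateway parses the MBAP header, rejects malformed frames, and forwards only read function codes, so a remote "power off" written to a register never reaches the device.

```python
"""Read-only Modbus/TCP gateway filter (added example, not the thread's code).
Assumes the inverter is reachable only through this filter over Modbus/TCP;
sample frames below are constructed for the demo."""
import struct

# Modbus function codes. Reads only observe state; writes change it
# (coils, holding registers), which is what a remote shutdown would use.
READ_FUNCTIONS = {1, 2, 3, 4}              # read coils / inputs / registers
WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}   # write coil/register(s), mask write, read+write

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


def parse_frame(frame: bytes):
    """Split a Modbus/TCP frame into (transaction_id, unit_id, function, pdu_data).
    Raises ValueError on malformed input so a truncated or padded frame is
    never mistaken for a harmless read."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError(f"not Modbus (protocol id {proto})")
    # 'length' counts unit id + PDU, so it must match the bytes actually present
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    function = frame[MBAP_LEN]
    return tid, unit, function, frame[MBAP_LEN + 1:]


def allow_request(frame: bytes) -> bool:
    """Gateway policy: forward only well-formed read requests. Anything else,
    including unknown function codes and malformed frames, is dropped."""
    try:
        _, _, function, _ = parse_frame(frame)
    except ValueError:
        return False
    return function in READ_FUNCTIONS


def build_frame(tid: int, unit: int, function: int, data: bytes) -> bytes:
    """Construct a Modbus/TCP frame (used only to make the sample traffic)."""
    pdu = bytes([function]) + data
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample traffic; register addresses are made up for the demo.
READ_POWER = build_frame(1, 1, 3, struct.pack(">HH", 40083, 2))    # read 2 holding regs
WRITE_OFF = build_frame(2, 1, 6, struct.pack(">HH", 40001, 0))     # write single reg: "off"
WRITE_MANY = build_frame(3, 1, 16, struct.pack(">HHB", 40001, 1, 2) + b"\x00\x00")
TRUNCATED = READ_POWER[:5]                                          # cut mid-header
PADDED = READ_POWER + b"\x00"                                       # length field now wrong


def filter_stream(frames):
    """Return only the frames the gateway would forward, in order."""
    return [f for f in frames if allow_request(f)]
```

Two caveats a practitioner would add: the filter only helps if every path to the inverter goes through it, and it does nothing about connections the device itself opens outbound to a vendor cloud, which is the channel most consumer systems actually use.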

      • Hirom@beehaw.org · 6 upvotes · 2 days ago (edited)

        In addition to not connecting stuff unnecessarily, connected devices that consume/produce lots of power need safeguards.

        Like a random 0-60sec timer for remote power on/off operations. 50000 panels powering down over 60sec is easier to handle than if they do that simultaneously.
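To put numbers on the randomised-delay safeguard suggested above, here is an added simulation plus a hypothetical gateway-side check; it is not code from the commenter or from any vendor. Fleet size, per-inverter rating, the 0-60 s spread and the ramp budget are constructed figures, not values from the article. The point it shows: the same total loss of generation becomes roughly 60 times gentler when each device trips at its own random second, and a gateway that assigns those delays itself (and refuses commands that would still breach a ramp budget) means a stolen operator credential cannot ask for an unstaggered shutdown.

```python
"""Simulate a fleet-wide remote shutdown with and without per-device random
delay, and a gateway that enforces the delay (added example, not the thread's
code). All fleet sizes, ratings and budgets are constructed for illustration."""
import random
from collections import Counter


def shutdown_times(n_devices, max_delay_s, seed=0):
    """Each device draws its own delay uniformly in [0, max_delay_s] whole
    seconds. max_delay_s=0 models the unsafe case: everything trips at once."""
    rng = random.Random(seed)
    return [rng.randint(0, max_delay_s) for _ in range(n_devices)]


def worst_ramp_kw(delays_s, kw_per_device, window_s=1):
    """Largest generation drop inside any window of `window_s` seconds.
    That is what the grid's frequency reserves must cover, so a smaller value
    means the same total loss is easier to ride through."""
    if not delays_s:
        return 0
    per_second = Counter(delays_s)
    horizon = max(delays_s) + 1
    worst = 0
    for start in range(horizon):
        in_window = sum(per_second[t] for t in range(start, start + window_s))
        worst = max(worst, in_window)
    return worst * kw_per_device


class FleetCommandGateway:
    """Hypothetical cloud-side guard (not any vendor's real API).

    The gateway, not the caller, assigns the per-device delays, so a stolen
    operator credential cannot request an unstaggered fleet-wide shutdown.
    A request whose worst-case ramp would still exceed the budget is refused
    outright rather than spread out further."""

    def __init__(self, kw_per_device, spread_s, max_ramp_kw_per_s, seed=0):
        self.kw_per_device = kw_per_device
        self.spread_s = spread_s
        self.max_ramp_kw_per_s = max_ramp_kw_per_s
        self.seed = seed

    def plan_shutdown(self, device_ids):
        """Return {device_id: delay_s}; raise if the plan breaches the budget."""
        delays = shutdown_times(len(device_ids), self.spread_s, self.seed)
        ramp = worst_ramp_kw(delays, self.kw_per_device)
        if ramp > self.max_ramp_kw_per_s:
            raise ValueError(
                f"refused: worst 1 s ramp {ramp:.0f} kW exceeds budget "
                f"{self.max_ramp_kw_per_s:.0f} kW/s even with {self.spread_s} s spread")
        return dict(zip(device_ids, delays))


def compare(n_devices=50_000, kw_per_device=5, spread_s=60):
    """Instant trip vs. randomised trip for the same constructed fleet;
    returns both worst-case 1 s drops in kW."""
    instant = worst_ramp_kw(shutdown_times(n_devices, 0), kw_per_device)
    spread = worst_ramp_kw(shutdown_times(n_devices, spread_s), kw_per_device)
    return instant, spread


if __name__ == "__main__":
    instant, spread = compare()
    print(f"all at once:   {instant / 1000:.0f} MW lost within 1 s")
    print(f"0-60 s jitter: {spread / 1000:.1f} MW worst 1 s drop")
    gw = FleetCommandGateway(kw_per_device=5, spread_s=60, max_ramp_kw_per_s=10_000)
    plan = gw.plan_shutdown([f"inv-{i}" for i in range(50_000)])
    print(f"gateway assigned delays to {len(plan)} devices")
```

The jitter has to be enforced where the attacker is not: a delay implemented only in the vendor's cloud is useless if that cloud is what got compromised, so in practice the stagger belongs in inverter firmware as well, with the cloud-side check as a second layer.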

    • Radiant_sir_radiant@beehaw.org · 6 upvotes · 2 days ago (edited)

      In principle it makes sense to give various electrical things in your house a way to talk to each other. For example we have a PV system with a small battery, a boiler connected to the central oil heating with a supplemental electrical heating coil and a wallbox. Before any excess sun is pushed back into the grid, our house will first charge the battery, heat our water (saving oil) and ask the car if it would like to be topped up. Additionally there are several smart power meters to keep an eye on the grid and various parts of the house. In theory we could also tell our washing machine to prefer homemade electricity, though when we want our laundry done we want it done now, so that’s not going to happen.

      These are all systems from different manufacturers and need a LAN connection to talk to each other, and in some cases get other parts to do certain things in order for the system to work.
      In our case that network segment is isolated from the internet, though that requires some above-average skills and dedication. Most PV owners just want a nice app with lots of shiny diagrams and can’t be arsed to set up their own IT infrastructure. Most manufacturers want the dumbest possible devices connected to a cloud solution because a) it moves most things that could break (buggy software) from the customer’s premises to them (never mind what happens if/when their cloud breaks), b) it makes it very easy for their app to access all data, c) it gives them a copy of the data, and d) it lets them sell you subscriptions.

      So in a nutshell, it’s the same problem as everywhere a computer is involved - until after something really bad has happened, security is just that annoying thing that doesn’t add any value but makes things more expensive and more complicated for everyone involved.

    • Emily (she/her)@lemmy.blahaj.zone · 6 upvotes · 2 days ago

      I briefly worked for a company that worked on household power technology. Their product would attempt to predict energy prices, weather patterns, and usage to sell your excess energy at peak prices. As discussed in the article, this company collected usage data and controlled the sale of energy back to the grid centrally. They did this because it meant they could better train their prediction models and run them on more powerful hardware. The controllers would have needed internet connectivity anyway to query energy prices, and putting the prediction on device would have just made them more expensive and worse. Even when I worked there (back in 2015 I think), they were already very aware of the threat vectors discussed by this article and took some measures to prevent it.

      In my opinion they were (/are, still exist) a responsible company run by competent people. They did not collect the data out of “greed”, and I strongly suspect that the people in these comments implying that the data is collected to be sold have never actually worked in the industry and have very little idea of the specific value of energy usage data. I can’t really speak authoritatively for other companies, but I would guess that, like the one I worked for, their products are internet connected simply because it improves the product. For example, people expect things to be controllable or viewable from an app from anywhere, and that requires internet connectivity.

    • luckystarr@feddit.org · 3 upvotes · 2 days ago

      Because of the greed (and/or laziness) of the companies selling the inverters. They want all your data and want to control all the sold devices.