Context: cybersecurity for future energy production systems
-----------------------------------------------------------
Cybersecurity for smaller solar power plants is a critical challenge: there is no strong separation between the operational, safety-relevant network and the internet. Moreover, manufacturers do not invest enough in security; the reasons are high competition in terms of time to market, price pressure and a lack of security knowledge.
These power plant systems generally require an internet connection in order to fetch power and energy data from the plant with an app, perform firmware updates, and carry out maintenance remotely.
The central device, which is connected to the internet, is the inverter. Many companies provide inverters for solar power plants and include cloud connectivity. An inverter converts the energy from the solar panels into grid-compatible energy. Since it handles high currents and voltages, the physical consequences of cybersecurity risks are arguably higher than for standard smart home devices.
Research results related to connected solar inverters (technical part)
----------------------------------------------------------------------
Out of curiosity, I tested different inverters from different manufacturers, along with their cloud connectivity. All devices are licensed for operation in Germany and are very popular. They are used in solar power plants of different sizes, from balcony size to bigger plants.
This section presents some of the research results, focusing on one system in particular.
**Positive note: critical vulnerabilities have been patched by now.**
Vulnerabilities
---------------
* *Insecure Direct Object Reference* (IDOR) or similar vulnerabilities have been found, allowing an attacker with an ordinary user account to execute commands on connected inverters remotely. This was an enabler for many further attacks.
* An attacker could trigger a firmware update process on connected inverters.
* The firmware update process was not properly secured: update images did not include a cryptographic signature.
* Most of the devices did not use the TLS protocol for cloud communication or did not use it correctly.
* Secure boot and secure debugging were not implemented.
* On the server side, there were insufficient sanity checks.
* Sensitive data (e.g. serial number) was easy to extract.
Exploitation
------------
* Commands could be executed on any connected device (e.g. switch ON, switch OFF, change parameters).
* The power electronics and relays of devices could be manipulated remotely with a malicious firmware update.
* By manipulating many devices synchronously the stability of the grid could be endangered.
A proof of concept with a full (unlocked) exploit chain will be presented.
Conclusion and Discussion
-------------------------
Removing bureaucratic hurdles is an important step in order to democratize our energy production - and renewable energies are the future! On the other hand, if it comes at the cost of poorly-secured devices, this may be jeopardized.
In Germany, we have the Kritis Verordnung (decree) to protect critical infrastructure such as the electricity grid. It states that every power [plant with more than 104 MW capacity is required to have specific protections](https://www.gesetze-im-internet.de/bsi-kritisv/anhang_1.html). Individually, the small solar power plants are not in this category. However, summing up all devices connected to one cloud, we probably reach these numbers by now - and if not, tomorrow. Current projections point in that direction.
During this research, I realized how easy it is to take control of energy production devices and it scared me. The cloud connectivity and the related "remote control / remote maintenance" and "firmware update" processes are truly critical and attacks may scale. Even if vulnerabilities are patched by now, an attacker who finds a way into the cloud servers can control all connected inverters.
On the other hand, it seems that there are no security-related regulations regarding these systems as of today in the European Union. The [EU Cyber Resilience Act](https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act), which will apply to these devices, is still in discussion and is likely to come into effect soon. However, manufacturers will probably have a grace period of 36 months to comply: by then, many insecure devices will already be installed. Knowing how many bad guys are out there, the risk is real and growing rapidly.