Earlier this month, a researcher gave a presentation on a clutch of software flaws in one manufacturer’s solar power inverters he believes could, if exploited widely enough and with clever timing, disrupt the energy grid of an entire country.
Given the dearth of research on this class of device, it’s an eye-catching if sensational claim that shouldn’t come as a total surprise in the light of recent technological developments.
Every solar power system has a wall-mounted inverter to convert DC photovoltaic (PV) power generated by solar panels into AC power that can be used by the owner or exported to the grid should any be left over.
A growing number of these come with “smart” software interfaces designed to let engineers monitor the inverter remotely while giving customers the fashionable ability to analyse their energy consumption using an app.
According to researcher Willem Westerhof, it is this software layer that creates the opening for attackers. In total, his “Horus” research identified 21 vulnerabilities (14 of which have formal CVE numbers) in inverters from German manufacturer SMA, disclosed to the company in December 2016.
For security reasons, Westerhof doesn’t offer detail on how the flaws might be exploited, but the CVE descriptions reveal a mixture of default and weakly secured passwords, vulnerable remote authentication, dodgy firmware updating, and even the ability to induce a denial-of-service state.
These formed the basis for a proof-of-concept black-box test (i.e. one conducted without special knowledge of the target’s design) on the SMA products, which confirmed that an attacker could use them to compromise inverters in a range of ways.
Westerhof then modelled theoretical attacks whereby large numbers of these inverters were taken offline suddenly, preventing them from feeding electricity to a national grid without a backup power generation source being available.
Given that it is difficult to know how much power is supplied in this way at any given moment, this meant using mathematical modelling to estimate the effect of removing them. Claims Westerhof:
An attacker capable of controlling the flow of power from a large number of these devices could therefore cause peaks or dips of several gigawatts, causing massive balancing issues which may lead to large-scale power outages.
This alarming scenario rests on a number of big assumptions, not least the prevalence of smart inverters from one company. The inverter market in most countries remains fragmented, featuring several brands and many models that lack internet capability. This means that disrupting the grid by attacking equipment from a single vendor is probably far-fetched.
SMA told journalists that the attack scenarios could be countered by users changing passwords – which doesn’t address the fact that these issues exist in the first place, on such an extensive scale. None of the CVEs appear to have been patched.
Observers are left with the feeling that while the doom-laden possibilities mentioned by Westerhof are pretty exaggerated, the weak software design implied by his findings is worth knowing about.
If independent researchers don’t rummage around and find these problems before they become serious, who will? With so many industries busily adding software intelligence to once passive devices, the competence of vendors is still taken on trust. That cosy assumption might be the real story here.
Jim
It may be “far-fetched” now to envision this attack, but as more and more of the grid gets more and more of these feature-rich devices, attacks get less and less unlikely.
I think these guys are providing a valuable service. Keep up the good work! (And, Sophos, too, for reporting it!)