Attackers could shut down power grids by abusing solar panel flaws

It all boils down to a quest for balance…


An attacker could exploit vulnerabilities found in solar panel components to shut down large parts of a power grid.

Security researcher Willem Westerhof discovered the flaws in his research surrounding something he calls the "Horus Scenario."

Named after the Egyptian god of the sky, the Horus Scenario refers to the possibility of a digital attack that could destabilize a power grid and cause service outages by targeting solar panel electricity systems, also known as photovoltaics (PV). Such an attack could have wide-reaching effects if it focused on interconnected power grids like those found in Europe.

Westerhof explains that a bad actor could achieve the Horus Scenario by undermining balance, a key ingredient to power grid stability:

"The power grid needs to maintain a constant balance, between supply of power, and demand of power. If supply exceeds demand, or demand exceeds supply, outages can occur. In order to maintain stability all sorts of countermeasures exist to prevent outages due to peaks or dips in demand or supply. Under normal circumstances, these countermeasures ensure grid stability. There is however a limit to these countermeasures. A maximum peak or dip value in a specific period of time. If an attacker is capable to go beyond this maximum peak or dip value, outages will occur. [sic]"

Theoretically, an attacker who manipulated the amount of PV power at an opportune time (say, around midday, when the sun is shining the brightest) could take out a significant amount of a grid's power supply and cause an outage.
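The limit Westerhof describes, a maximum dip within a specific period of time, is also what a grid or fleet operator can monitor for. The code below is an added example, not from the article or the researcher: it scans aggregate PV output telemetry for the largest dip inside a sliding time window and compares it with a limit. The window length, the limit and both sample traces are constructed assumptions.

```python
from collections import deque

# Constructed values for illustration only; real limits and time windows are
# set by grid operators and are not given in the article.
WINDOW_S = 30        # assumed "specific period of time", in seconds
MAX_DIP_MW = 3000    # assumed largest dip the countermeasures can absorb


def largest_dip(samples, window_s=WINDOW_S):
    """Return (dip_mw, t_high, t_low): the largest fall in output between an
    earlier and a later sample that are at most window_s seconds apart."""
    window = deque()             # (t, mw), mw decreasing: front is window max
    best = (0.0, None, None)
    for t, mw in samples:
        # Expire samples that are older than the window.
        while window and t - window[0][0] > window_s:
            window.popleft()
        # Compare this sample with the highest output still in the window.
        if window and window[0][1] - mw > best[0]:
            best = (window[0][1] - mw, window[0][0], t)
        # Keep the deque monotonic so its front is always the window maximum.
        while window and window[-1][1] <= mw:
            window.pop()
        window.append((t, mw))
    return best


def dip_exceeds_limit(samples, window_s=WINDOW_S, max_dip_mw=MAX_DIP_MW):
    """True when output fell by more than max_dip_mw inside one window."""
    return largest_dip(samples, window_s)[0] > max_dip_mw


# Constructed trace 1: a gradual evening ramp-down, 25 MW every 10 seconds.
RAMP = [(i * 10, 12000 - 25 * i) for i in range(60)]

# Constructed trace 2: many inverters going offline at nearly the same moment.
SHUTDOWN = [(0, 12000), (10, 12010), (20, 12005), (30, 7400), (40, 7395)]

if __name__ == "__main__":
    for name, trace in (("ramp", RAMP), ("shutdown", SHUTDOWN)):
        dip, t_high, t_low = largest_dip(trace)
        print(f"{name}: dip {dip} MW between t={t_high}s and t={t_low}s, "
              f"exceeds limit: {dip_exceeds_limit(trace)}")
```

The gradual ramp loses far more power in total than the limit, but never within one window, which is why the check is on the rate of change rather than on the absolute output level.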

[Image. Source: Horus Scenario]

So how could an attacker do something like this in a practical sense?

To answer that question, Westerhof analyzed the PV inverters made by SMA, a market leading solar panel brand.

[Image: SMA solar inverters]

The researcher found that the components, which convert direct current (DC) into alternating current (AC) on a PV plate and thereby help balance the grid, suffered from 17 vulnerabilities. 14 of those flaws received CVE IDs and CVSS scores ranging from 3.0 (Informational) to 9.0 (Critical).

Together, the bugs provide attackers with a complete kill chain all the way from initial (REMOTE) execution to the Horus Scenario. Here's the worst that could happen if an attacker exploited the vulnerabilities:

"In the worst case scenario an attacker compromises enough devices and shuts down all these devices at the same time causing threshold values to be hit. Power grids start failing and due to the import and export of power cascading blackouts start occurring. Several other power sources (such as windmills) automatically shut down to protect the grid and amplify the attack further. Despite their best efforts power grid regulators are unable to stop the attack. It is only after the sun sets (or when there is no longer enough sunshine for the attack to take place) that the grid stabilizes again. Depending on the authorities' way of dealing with this attack, this scenario may keep going for several days."

Using a blackout simulator tool, the researcher found that an event like the one described above, producing a 3-hour outage on a European power grid around midday in June, would cause approximately 4.5 billion euros in damage.

Westerhof reported the vulnerabilities to SMA in December 2016. He's been working with the company, power grid regulators, and government officials since then. SMA has agreed to fix the flaws, whereas actors from the energy sector and the government will discuss the findings at international conferences.

Hopefully, companies like SMA will see this story and use it as an opportunity to create a bug bounty program. Such frameworks help to create lasting partnerships with security researchers, collaborative efforts which could subsequently improve the security of PV inverters and other devices and thereby reduce the attack surface of power grids everywhere.


4 Responses

  1. Henry Guerrero

    August 6, 2017 at 3:44 pm #

    I applaud SMA and other companies for improving the security of their products. Would putting a tarp over the solar panels to simulate insufficient available sunshine help? All rooftops could be equipped with an automatic cover for such attacks.

  2. Shane M. Walton

    August 6, 2017 at 5:44 pm #

    Good to point out the need for security in any system, especially if it has an IoT component. Though this article has an undertone of damning solar progress. The general title should be changed to reflect the subject content, not all solar panels.

  3. Mark Jacobs

    August 7, 2017 at 10:14 am #

    What about the "hammer attack"? Massive groups of "hackers" go round with hammers, smashing the panels, cutting off supply completely?

    I am trying to point out how ridiculous it is to believe solar power is at fault here. It is the way it is fed to the grid that is at fault. Redress that and the problem vanishes.

  4. R Slickah

    August 7, 2017 at 11:23 pm #

    Y2K all over again
    "It is possible that "xxxxxx" might happen.
    Here, spend billions on some security patch solution that I have ingeniously devised and you will be protected.
    And don't vaccinate.
