Everything is a Target: Solar Panels are in Play
Alternative and renewable energy sources have become more important and visible over the last few years. This is due to many factors, including the price in oil fluctuating, oil being a finite resource, the nation focusing on being less dependent on oil from other countries, and the clear view of the environmental concerns.
As the alternative energy sources have been produced to a greater level, there are more choices for consumers. Early on, there was solar and wind. As time passed more products within each were added and to a greater extent. For instance, there were consumers and users using a few of these on their property. Now there are solar farms across the U.S. and wind farms on land and in the sea. As a bi-product with the increased number of products is the security testing. There are by far more products available, and security has been applied at a rudimentary level or brushed aside.
Target
This testing methodology was put into place with a recent product. With solar panels, an essential piece of the equipment is the inverter. This allows the solar panel to convert the DC (direct current) to AC (alternating current). With the subject solar panels, this was connected to the internet. The vulnerability noted was researched and published by the Dutch InfoSec firm ITsec.
Exploit
The security researcher found 17 vulnerabilities. With this attack, the security researcher was able to take control of the solar panel. If the attacker were able to gain control over a significant number of solar panels, much like the IoT bot army, the solar panels could be turned off or on at the same time. Individually, this seemingly would not appear to be a significant issue. The integral portion of this is that the solar panels are connected to the grid. If this were to be done with a large number, there would be a significant fluctuation in the power grid. This would cause a rather large and nearly instant power imbalance, which could force the grid to power off.
From a third party’s view, this would not be an issue. The additional component not noted in significant numbers in the U.S. is the connectivity. With this factor, a large number of solar panels being turned off or on at any distance would be a rather significant detriment for the utility.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.