Note from Finn: Please welcome Willem Westerhof to the SolarQuotes® Blog. Willem is a Hacker, Researcher and IT Specialist who is particularly well known around the world for finding cyber-security holes in popular solar inverters.
After getting an increasing number of emails from Australians who were concerned at the thought of having their solar power system exposed to the internet, I invited Willem to write a guide explaining what non-hackers like you and I can do to make our inverters more secure. Over to you Willem:
We all know that solar power is great. It helps the environment, it saves you money and is a great investment for most Australian home owners.
But did you know that the solar inverter on your wall may pose a serious cyber security risk? Not just for your own network and data, but also for the stability of power grids as a whole!
Following a lot of research, I was so concerned by the lack of cyber security in PV installations that I contacted several government agencies and, following a responsible disclosure period, created a website called The Horus Scenario that explains how:
- A malicious hacker could target the electrical grid by focusing on web connected solar inverters.
- If successful, the hacker could cause large scale (nation-wide or even continental) power outages.
- If this attack is ever truly executed in the wild, I expect it to cost billions of dollars and have a direct and severe impact on everybody’s lives.
Since this discovery, government agencies, solar inverter manufacturers, energy suppliers and some local installers are taking measures to improve the overall cyber security of inverters.
The question now is: What can you do to protect your PV installation?
Let’s just start by saying that there is quite a lot you can (and should!) do.
Should you simply disconnect your solar inverter from the internet?
Nowadays almost all solar inverters have an internet connection via Wi-Fi or cable. The main benefit of this connection is that you can monitor the device from anywhere. The downside is that your inverter becomes a target for hackers. In some cases, your solar inverter will present itself directly as an internet facing device. In other cases, a hacker will first need to acquire access to your home’s network or Wi-Fi (which is far easier than you might think, based on my experience as an ethical hacker).
Tip #1 Don’t connect it to the internet if you don’t have to.
The first tip for cybersecurity starts right there: If you don’t use these applications or online portals and the device doesn’t require an internet connection to function, simply do not attach it to the internet. Some solar inverters offer local monitoring via Bluetooth, USB, or by simply tapping on the touchscreen of the inverter.
Editor note: Some inverter manufacturers require an inverter to be internet-connected under conditions of warranty.
As an alternative, you could also set up the monitoring interface to only be reachable from your local network (and for example your work Wi-Fi IP address) by setting up proper firewall rules.
When your solar inverter is not attached to the internet, an attacker needs to be physically close to try anything. The chances of a hacker physically coming to your house in order to hack your specific PV installation are tiny.
Tip #2 If you must keep it connected – follow the manufacturer’s security guidelines
Now let’s assume that you want to keep the inverter internet connected whilst still keeping it secure. There are several actions that you can take. In the rest of this guide I’ll describe setting up your cyber security in the same manner a king would secure his castle.
Any good king needs advice of trusted people. In solar this advice comes from the manufacturer’s instructions!
Reputable solar inverter manufacturers should provide detailed guidelines for setting their devices up properly. You may have to hunt around to find them, but there are usually great tips in these documents. Below some example links are given:
- Fronius Primo Operating Instructions page 39 shows you how to lock the inverter to protect it from malicious changes.
- SMA Guidelines for a Secure PV System Communication should be read by anyone with a web-connected SMA inverter.
- Enphase Envoy Installation And Operation Manual page 41 for example. The default username and password should be changed ASAP.
The manufacturer’s guidelines like the ones above show you how to get the system working and then, optionally, make the system more secure.
The Fronius guidelines show several ways to make your solar inverter more secure. For example:
- You can implement a key lock code on the inverter, requiring physical access before any changes can be made.
- You can get access to your data via a USB stick, without allowing the inverter access to the internet.
- You can receive an SMS whenever your solar inverter shows specific errors, meaning you’ll know when something is wrong, or when someone is attacking your inverter.
Try to follow the manufacturer’s guidelines to the best of your efforts. It is also possible to simply contact the help-desk and ask them to help set up your device with the correct security settings.
If you are getting a new system installed – be there with the installer and ensure they go through any optional security settings.
Tip #3: Restrict what your solar inverter has access to.
Some devices simply have more privileges than others. This is normal. Your laptop needs full access to anything for usability, but your inverter really doesn’t need access to Youtube, Netflix or your Xbox.
If you’re pretty good with computers and networks, it is possible to set up a different network specifically for your inverter. From this network, you can allow network traffic to go to and from the solar inverter manufacturer’s servers and block everything else. Any attacker who tries to reach your inverter will never reach it because his network traffic isn’t sent to the device. You could even use this network for other web-connected devices. This way you can make sure that those devices and your PV installation only communicate in the way you want them to, while making sure you can still use your laptop to browse, play games and stream videos to your heart’s content. This article shows you how to do this.
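Added example, not part of the original guide: once the inverter sits on its own network, a short Python script can check the router's connection log against the rule from Tip #3 (traffic only to and from the manufacturer's servers, everything else blocked). The addresses, the vendor range, the single management laptop and the one-line-per-connection log format are all assumptions made for the illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

# Everything below is an assumption made for this example: the addressing plan,
# the vendor range (an RFC 5737 documentation block) and the log format.
INVERTER_NET = ipaddress.ip_network("192.168.50.0/24")  # dedicated inverter segment
VENDOR_RULES = [  # (destination network, protocol, port) the inverter may reach
    (ipaddress.ip_network("203.0.113.16/28"), "tcp", 443),
]
MGMT_HOSTS = {ipaddress.ip_address("192.168.1.20")}  # one laptop allowed to open the local UI
MGMT_PORTS = {("tcp", 443)}


class Flow(NamedTuple):
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse 'timestamp src dst proto dport'; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, proto, dport = parts
    try:
        flow = Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                    proto.lower(), int(dport))
    except ValueError:
        return None
    return flow if 0 < flow.dport < 65536 else None


def check(flow: Flow) -> Optional[str]:
    """Return a reason string if the flow violates the segment policy, else None."""
    from_inv = flow.src in INVERTER_NET
    to_inv = flow.dst in INVERTER_NET
    if from_inv and to_inv:
        return None  # stays inside the segment (e.g. DNS or DHCP to its gateway)
    if from_inv:
        for net, proto, port in VENDOR_RULES:
            if flow.dst in net and flow.proto == proto and flow.dport == port:
                return None
        return "inverter opened a connection outside the vendor allowlist"
    if to_inv:
        if flow.src in MGMT_HOSTS and (flow.proto, flow.dport) in MGMT_PORTS:
            return None
        return "connection into the inverter segment from a non-management host"
    return None  # traffic that does not involve the inverter segment


def audit(lines):
    """Return (violations, malformed) for an iterable of log lines."""
    violations, malformed = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        if flow is None:
            malformed.append(line)
            continue
        reason = check(flow)
        if reason:
            violations.append((flow, reason))
    return violations, malformed


SAMPLE_LOG = """\
# constructed sample: one line per new connection, as seen by the router
2024-05-01T10:00:02 192.168.50.10 203.0.113.20 tcp 443
2024-05-01T10:00:05 192.168.50.10 192.168.50.1 udp 53
2024-05-01T10:03:11 192.168.1.20 192.168.50.10 tcp 443
2024-05-01T10:07:40 192.168.1.37 192.168.50.10 tcp 80
2024-05-01T10:09:12 192.168.50.10 198.51.100.7 tcp 443
2024-05-01T10:09:30 192.168.50.10 203.0.113.20 tcp 80
2024-05-01T10:11:00 192.168.1.37 192.0.2.44 tcp 443
2024-05-01T10:12:00 garbage line
""".splitlines()

if __name__ == "__main__":
    found, bad = audit(SAMPLE_LOG)
    for flow, reason in found:
        print(f"{flow.ts} {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
    print(f"{len(bad)} malformed line(s) skipped")
```

Any violation it reports means the firewall rules for the inverter network are looser than intended, or that another device at home is trying to talk to the inverter.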
Tip #4: Get a router and configure it with a proper firewall
A device or a network of devices is only as strong as the weakest link in the chain. So, let’s start by building a strong outer perimeter – you could consider it the ‘walls’ to your castle.
Set up a strong router and configure it with a proper firewall. Most mid-tier routers support this type of functionality out of the box. This firewall ensures that only the services you want exposed to the internet are exposed. Free firewall software exists, as does cheap consumer hardware that functions as a firewall. Plenty of guides are available online. Here’s a good ‘for dummies’ guide to setting up a Wireless-router securely. And here’s a guide to setting up your home router’s firewall.
Another part of your ‘walls’ is the Wi-Fi. Make sure your Wi-Fi device is up-to-date and keeps itself up-to-date. The recent KRACK attack shows that security vulnerabilities still exist in many modems and routers and installing security patches is critical. Also make sure your Wi-Fi uses a safe communication protocol and a long and complex password to keep any attackers in range of your Wi-Fi out of your network. The guide to setting up your wireless router linked to above, walks you through securing your Wi-Fi.
Tip #5: Ensure there is no ‘backdoor’ to your inverter – secure every device on your network.
As said before, any chain is only as strong as its weakest link. An infected device forms a direct threat to any of the devices in the same network. Every once in a while, an attacker may still sneak in to your network despite the strong firewall and outer perimeter you’ve set up as per Tip #4.
You could for example click on a dodgy e-mail or insert a friend’s infected USB stick. Your now infected device can then be used to target any device in your network, including your solar inverter.
In order to prevent the infection from spreading, you need to set up proper security on all your individual devices. Make sure you run updates regularly on every internet connected device in your house. Enable and set up your individual computers’ firewalls, install antivirus/antimalware software and don’t install any ‘dubious’ pieces of software. Where possible set your updates to run automatically, as doing them manually takes up a lot of time and effort.
For solar inverters specifically, this usually means connecting them to the internet, setting them up to receive automatic updates, and following the proper security guidelines from the manufacturer. In most cases (for example with most newer SMA inverters), setting the device up to receive updates is as simple as changing a setting to “update automatically” and configuring your firewall to allow traffic from the device to the SMA update servers and back.
Some older inverter models or PV-related hardware however, cannot be updated over the air as they are too old to have an internet connection. For these unconnected devices, you should check at least annually if updates are available and then manually install new firmware according to the vendor’s instructions.
If you have internet-connected legacy devices that are unsupported (e.g. SMA Sunny WebBox) you will never receive updates. Treat these devices as hazardous devices, as any security vulnerabilities that may exist in them will never be solved (old Windows 2000 and XP devices are a great example of this!). Where possible, I recommend replacing these devices, as better and more secure alternatives are usually available. If you cannot replace them, make sure you place the device in a separate network segment (a sort of quarantine space), to which only specific whitelisted network traffic is allowed.
Tip #6: Change the password for every configured user of the inverter
Most inverters come with default users and corresponding passwords. These default users and passwords should be changed by you as soon as possible. Make sure you determine the password yourself for ALL users. Local installers often have one password for all their clients. That’s not very secure, so make sure you change the password for all users of the inverter. SMA solar inverters for example, come with a user login (default password 0000) and installer login (default password 1111) for which the passwords can be changed by you. You, as owner of the device, should be the only one who has access to both the user password and the installer password of the device. Whenever an installer has to adjust the settings of the device he can simply ask you for the password.
Also make sure to use different (not your personal default) passwords for all these accounts. Solar inverters can use very weak encryption on passwords, allowing eavesdropping attackers to decrypt the password. If you use the same password on your inverter as you’ve used on your banking account or e-mail, an attacker who compromises your inverter might get far more than “just” your inverter password.
I strongly recommend using a password-safe and setting up true random passwords with a 16 char+ (or as long and complex as possible if the device/service doesn’t allow 16+ characters) length on all the services and devices you use. This improves your overall security enormously, and password safes nowadays are very easy to use.
Tip #7: Two factor authentication
This step involves using two factor authentication where possible. No solar inverters that I know of support this right now, but newer models or online login portals may do so in the future. Two factor authentication usually involves getting a code from your mobile phone and using it as an additional “password”.
What this effectively does, is make sure that an attacker not only needs to know your password, but would also need access to your mobile phone. Odds are, that an attacker doesn’t have this access. Even better, when an attempted sign-in is made, the ‘guards of your castle’ notify you that someone is trying to get in using your password. You can then simply deny them access and change the password as you are now aware that someone else knows your password.
Phew! Your solar inverter is now secure
With everything in place not only is your solar inverter secure, but all your devices and accounts are. The thing with cybersecurity, is that it is never about a single device (in this case the inverter). Keeping up a high level of cyber security requires discipline and effort on all your devices. To complicate matters, it doesn’t just require effort and discipline on your side, but also on the installer’s and the manufacturer’s side. You can only set up your web connected solar power system as securely as possible and hope that others will follow your example.
There’s always a chance that an advanced attacker with a lot of dedication might still slip in and hack your device, but with a castle set up like this, the ordinary script-kiddie or web-bot will have no chance against your mighty defenses.
Great article. Never knew the solar inverter was that vulnerable.
Solaredge is a pretty popular choice of string inverter. Any suggestions specifically for the solaredge inverter owners?
http://en.sma-sunny.com/files/2017/08/CyberSecurity-TI-en-10.pdf is a dead link
Thanks for spotting that. It should be linked to the correct article now.
When you have an Inverter installed make sure the Installer connects an Ethernet cable back to a wall socket close to the router. This should not cost any extra. Be prepared for the Installer to say “But it has WiFi, why do you want the Ethernet connection for?”. You should still be able to use WiFi if you want if you have the Ethernet connectivity installed.
If you use the Ethernet connection you can then disable the Inverter WiFi and communicate with the Inverter solely over the Ethernet cable.
Biggest issue I have is that by default SMA inverters pump out the Inverter’s WiFi’s SSID by default (SMAXXXXXXXX) so anyone looking for an Inverter can find it by driving around. You could at least change the name of it to make it less obvious it’s an SMA Inverter!
The reason they are set to WiFi by default is to make it easy for Installers to commission the Inverter as most just seem to use a WiFi Tablet or Smart phone. A Notebook or similar with Ethernet could be used. Don’t know if any Installers actually carry these with them.
Just make sure the router does not have any ports open that are not necessary. You can use various sites to check to see what ports are open on your router, i.e: https://www.grc.com/su-firewalls.htm Click on the “[1] Shields UP! Home” link located further down the page. If you find an incoming port open that is not needed then block it, normally for the average person all incoming ports are blocked. Only allow incoming ports if used have access to specific servers on your Network (i.e: Inverter acting as a web page server)
If you do have WiFi operating on your Network make sure you DO NOT use a dictionary password as it can be cracked easily and make sure to use an encrypted protocol. Make sure it is not Open to all where no password is required.
Watch out for anyone asking you to install something like TeamViewer so that they can access your Inverter.
If you really want to have a secure configuration then I suggest go to University and attain an IT degree that covers all this or pay someone that you trust that has an IT degree so that they can configure your Network to be secure and I don’t mean the computer shop down the road that fixes Virus infections.
I connected my inverter to a Reposit box and that takes care of all the security for me. I had a network security friend of mine take a swing at the Reposit and he couldn’t find a way in.
I reckon that Reposit will take care of my system because they have a financial stake in it working properly.
One of the aspects that this article doesn’t cover is APIs. Something that I discovered while in the process of purchasing a Fronius inverter is that while the Web interface on the inverter is secured using usernames and passwords, Fronius inverters also provide a RESTful API, which, while it is read only, is completely unsecured – it does not use any credentials and provides no encryption.
For that reason, you should be careful as to who can access your inverter over your network. Anyone with an understanding of the API (documentation is freely available online from Fronius) can pull any data they like off your inverter. While this only opens up things like your electricity consumption, that can start to give insights into whether anyone is at home or not.
Hello.
1. Nothing is absolutely secure – all security is only ever relative, and depends on the determination and skills of whoever seeks to breach it.
2. As WiFi itself, is a vulnerability, is it not best to have it disabled, and use only Ethernet data communications?
3. The suggestion is made in the article;
”
Where possible set your updates to run automatically, as doing them manually takes up a lot of time and effort.
For solar inverters specifically, this usually means connecting them to the internet, setting them up to receive automatic updates, and following the proper security guidelines from the manufacturer. In most cases, (for example with most newer SMA inverters) setting the device up to receive updates, is a simple as changing a setting to: “update automatically” and configure your firewall to allow traffic from the device to the SMA update servers and back.
”
Isn’t that, in itself, leaving the door unlocked?
With IP spoofing, any accomplished security violator can apparently pretend to be anyone they want, with pretending to be at any IP address they want, so allowing incoming access can be dangerous. A simple but effective firewall rule (from my very limited understanding of computer security), is “accept all outgoing, deny all incoming” – not sure whether that is expressed correctly.
With the reference to “doing them manually takes up a lot of time and effort” – that is “part and parcel” of (attempting) computer security – it is like personal health and fitness, and personal weight loss – they are not things that you only need to do only once, and expect that that is the end of it – they are things at which a person needs to work, each day, for the rest of a person’s life, including, in the case of IT security, subscribing to the CERT advisories, and, keeping up to date with them.
Welcome to the dark world of IT insecurity, and, remember – “Just because you are (and, you need to be, to survive) paranoid, does not mean they are not out to get you”.
Stewart – “someone that you trust that has an IT degree so that they can configure your Network to be secure” – having an IT degree does not mean that a person is competent regarding computer security, or, Internet (and, if you have adequate knowledge, you will know that most of what is referred to as “the Internet”, is in fact, the “World Wide Web”, which runs on top of the Internet) security.
People should remember, that having an undergraduate degree, is like having a black belt in a martial art – it simply shows that the person has shown that they have started to learn how to learn.
And, “an IT degree” is a general degree classification, which, in itself, does not show either an understanding of, or, competence in, Internet security.
From memory, a university here, has (or had) a specialised degree in Internet security, and, I was a little acquainted with a man who was, I believe, associated with establishing that degree – I believe that he did his PhD thesis on Internet security – he was a local Linux “guru”.
There are no computer security experts who can provide absolute computer (or, Internet) security solutions (apart from simply leaving a computer turned off, or, the famous Microsoft Windows security solution – the Blue Screen Of Death – “if it can not be accessed, then it cannot be breached”).
All that exists, in terms of people, are people of varying capabilities, and, in terms of computer security, there is also, luck.
That is why applicable IT mailing lists, and, especially, using them, can be useful, for IT users.
Problem is – the main processor speeds of computers keep improving all the time, and (tongue in cheek) the way it’s going, it won’t be too long before we’ll all need a full body scan, updated every 5 minutes, which is then compared against the previous 500 such, in order to detect ‘anomalies’, so your humble home network can be shut down instantly ‘just in case’ a ‘Rogue Finn Junior’ has decided to shut down every coal power generation station in the entire Western hemisphere to help his Dad to sell more solar panels so he can get an increase in pocket money, or maybe even to simply turn off the White House heating system during a blizzard for the fun of it.
And that will be just so you can turn your PC on in the first place.
Now don’t get me wrong, I’m not knocking computer security at all, nor the advice above, which I’d totally recommend considering, because the same principle applies to much of the other things we use our PCs for. In my own case I’ve currently got a wired ethernet connection to my router, I’ve disabled the ‘wireless interface’ option within the computer itself. I keep my computer fully turned off when I’m not using it, there’s no way you’ll ever get me to use ‘the cloud’ to store any of my important files and I’ve got very robust passwords.
Right at the moment I am looking at introducing one or more additional sub-routers so visitors can use it to access the internet with their own devices or via a ‘sacrificial lamb’ of mine, all of which are attached to that sub-router network.
“As an alternative, you could also setup the monitoring interface to only be reachable from your local network ”
This is how the Outback and Schneider Battery inverters work. They get out to their web portals and only allow monitoring of the data if wanted.
They do not need an ISP to work Offgrid and just need a cable modem for a local network. They can supply all the charts & graphs and all set-points to a laptop or tablet.
I should add that (for example) the SMA Inverter does not need an incoming port connection to send its data back to the SMA Portal site. Instead the Inverter initiates an outgoing connection back to the portal. It can then communicate with the portal site. This will upload data to the portal and can also be used to update the firmware automatically. If you don’t trust the Firmware in the box then disable connection back to the portal which might be a warranty issue and you may find you receive lots of error messages from the Portal site.
Allowing an incoming router HTTP port to connect to the Inverter is something that should probably be avoided. For starters the SMA in-built web server in the Inverter does not use the HTTPS protocol (uses HTTP) so the entering of the password can be seen as it won’t be encrypted. Biggest worry I think would be the Grid code if that is not secure and can be sniffed.
@Geoff: I don’t think the API access is too much to be concerned about as long as the router incoming port connections are disabled and as long you don’t have any Trojan or Virus software running trying to access it. The last part is a good reason why it should have password protection and use an encrypted method to log in.
Not sure when you last checked the database, but Enphase Australia has been installing the Envoy-S in place of the straight Envoy for quite a while.
Any ideas how to secure the Envoy-S against this threat would be appreciated. It’s what I have attached to my system.
IMO, it seems that Enphase has pretty much locked down the Envoy-S to prevent tinkering by its owners. Which, of course, leaves it wide open for hacking.
Best wishes
Chris.
My understanding is that solar systems are monitored by whoever installed them…a solar sales pitch often includes words like “if there is a faulty panel, we will know about it and contact you”. I wonder if my own home network follows the security rules as mentioned above, how do we know how secure the external monitoring is? Is that external monitoring a front door into my home network and solar power environment?
The Inverter company (i.e: SMA Portal) normally just receives Log data back from the Inverter which makes an outgoing connection to it and is quite normal. It’s highly unlikely a system would allow an incoming connection (via a Router with ports blocked) to allow the Installer to monitor the Inverter directly.
My installer will receive a fault email from the SMA portal site but what they actually receive is up to them depending on what they have configured on the Portal to send them. They will probably just ignore the emails anyway. You are better off making sure you are the one also receiving the fault emails then contact the installer if a fault develops. Don’t rely on anyone else but yourself.
I have my doubts about installers monitoring a solar inverter. What you may be thinking of is the fact that some inverter manufacturers provide monitoring services which make use of a push service from the inverter to the provider’s web service. (This is what Fronius does using its Solarweb portal.)
Taking the example of a Fronius inverter, it is possible to create a user-configured push service on the inverter, which then periodically sends data to a service provider. This uses either a HTTP POST or FTP upload to the provider of the service.
With a string inverter I have my doubts that it is easy to tell if one panel has developed a fault – you would only be able to infer this from looking at voltage and current readings.
If I take the Fronius example again, the fact that Fronius uses a push service is a good start. This means that the host that data is sent to has to be configured on the inverter. It also means that you don’t need to open up any firewall rules for inbound connections or NAT on your router. (This is done for both simplicity of configuration and security.) This means that it would require something like a DNS poisoning attack to fool your inverter into sending its data somewhere else. Alternatively, if we took the example of Fronius, someone would have to hack Fronius’ servers to get at your data.
The data being sent out by the Fronius inverter push service is not encrypted. To get at it would however require that an attacker compromise ISP or carrier hardware somewhere along the route in a way that permits inspection of traffic. Given the massive volumes of traffic on the Internet, it would realistically require someone with the resources of a nation state actor (think NSA, CIA, GCHQ, ASD etc.) to be able to do this. Somehow, for the most part, I don’t think that the ASD is interested in data from roof top solar systems. 🙂
Geoff –
”
The data being sent out by the Fronius inverter push service is not encrypted. To get at it would however require that an attacker compromise ISP or carrier hardware somewhere along the route in a way that permits inspection of traffic. Given the massive volumes of traffic on the Internet, it would realistically require someone with the resources of a nation state actor (think NSA, CIA, GCHQ, ASD etc.) to be able to do this.
”
You may or may not be aware of an Australian ISP that was destroyed by being security violated a few years ago – ClicknGo, which was rapidly (including all of its accounts) taken over by Netregistry.
You may also be aware of the movie from some years ago; “War Games” – the scenario is said to have occurred, on a number of occasions, and, the movie “Hackers”, and the movie “Mercury Rising”, and, you may be aware of the recent (in the last few years) incident of the intimate images of famous (and not so famous) people, which images were stored in the clouds, having had their supposed security, breached – all that is needed, is one or more people with adequate skills and determination, and, sometimes, it is just luck, or, a combination of luck and the (sometimes) incompetence of people responsible for security (are all of YOUR passwords, undiscoverable?).
Indeed –> “….severe impact on everybody’s lives.”
And skateboarding on the Freeway is likely to have a “severe impact” on your survival.
The question isn’t ‘how do you avoid getting hit by a truck?’; the question is WTF are you doing out on the Freeway in the first place?
The topic makes two points: 1… massive industries are being constructed out of nothing, for no practical reason.
2…..This is one of the better reasons yet given for GOING STAND-ALONE!
I’m really holding my breath to hear the Trendies are about to install internet-operated tissue-paper doors on the Royal Mint in order to justify yet another layer (or six) of bureaucrats, and industrialists who compete to produce a tougher type of tissue paper. Fair dinkum!!
What a great article. I think the cybersecurity issues are so underrated. I have not looked at a home solar system until now and I’m shocked with the cyber security risks with what I’m being quoted now in 2022. I’ve not placed an order yet but I’m including a cost of risk of damage/outage due to cyber attack/denial (I’m using a % of AU$5,000) based on service provider. This includes the cloud application controller’s country of origin.
I came across this article while evaluating my first solar system quotes. My focus was on home automation (how my home system can read current consumption) and this made it clear that some quotes require a cloud connection as part of their warranty. After being told that my home controller cannot read data directly from the inverter (“local” or without cloud connection) I realized that, in my case, the quoted cloud interface was of no value to me and in fact was a liability as it exposed my system to another company that does not require my authorization. They can even update the software/firmware of the inverter without my authorization. Now trust only goes so far … so imagine a conflict … they can shutdown my system and expect much worse.
What hits me is that the industry is obliviously ignorant of this. When I speak to some companies the concept of “local” (not via cloud/internet) control is incomprehensible. I’m unable to ask for nobody outside of my home being able to permit my system being changed!
My intent is to not accept any quote for a system that allows anybody to make any changes to my system without my intervention (e.g: turn a switch or press a button). See how I go.
Inverter out to what/ in to what. I have No internet/ wi hi. What would Mr inverter connect to. Contractor says I need a $300 special inverter device. What you saying Willis?