Last week’s post about solar inverter security sparked a lot of interest and a few good questions I’d like to answer, starting with one from TJ that reminded me people are justifiably and genuinely worried.
TJ asked: “Is it possible for a hack to shut down all the inverters for a particular company? Who knows?”
The answer to the first question is “yes”, if four conditions are satisfied:
(a) Systems are accessible over the Internet;
(b) The system takes commands over that connection (that is, it’s not just sending monitoring data);
(c) There is a security vulnerability; and
(d) An attacker knows how to exploit that vulnerability.
The easiest vulnerability to exploit is an internet-connected solar inverter that accepts logins without a password (Faisal claimed this is true of SolaX, which I’ll look into), or that uses hard-coded credentials for a default account (that is, the admin account has a default password that you can’t change).
Of course, if an attacker can log into the configuration interface, they have control over the system.
Another common programming error is where the software developer has locked down the admin Web page but hasn’t secured API access properly, or where an attacker can send instructions to the product’s “command line interface” (CLI). I’ve seen this kind of bug innumerable times over the years in computers, network equipment, and industrial automation gear, so it’s inevitable that a solar PV system will one day fall prey to the same kind of bug.
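As an added illustration (not code from this article or from any inverter vendor), here is that bug modelled as a tiny request dispatcher: the admin page checks for a login, the state-changing API route does not, and the fixed version enforces the check centrally before any route may alter settings. The route names, session token and settings keys are hypothetical.

```python
# Added example, not code from the article or from any inverter vendor:
# a tiny request dispatcher modelling an admin web page that checks a login
# while a state-changing API route forgets to, beside the fixed version.
# Route names, the session token and the settings keys are hypothetical.

ADMIN_TOKEN = "example-session-token"          # constructed sample value
MUTATING_ROUTES = {"/admin/settings", "/api/set"}

def _authorised(request):
    """A logged-in browser session presents the admin token as a cookie."""
    return request.get("cookie") == ADMIN_TOKEN

def handle_vulnerable(settings, request):
    """Auth is checked route by route, and the API route was missed."""
    path = request["path"]
    if path == "/admin/settings":
        if not _authorised(request):
            return 401, settings
        return 200, {**settings, **request["params"]}
    if path == "/api/set":                     # the bug: no check at all
        return 200, {**settings, **request["params"]}
    if path == "/api/status":                  # read-only monitoring data
        return 200, settings
    return 404, settings

def handle_fixed(settings, request):
    """Auth is enforced centrally before any route can change settings."""
    path = request["path"]
    if path in MUTATING_ROUTES:
        if not _authorised(request):
            return 401, settings
        return 200, {**settings, **request["params"]}
    if path == "/api/status":
        return 200, settings
    return 404, settings

def demo():
    """Unauthenticated attempt to disconnect from the grid via the API."""
    settings = {"export_limit_kw": 5.0, "grid_connected": True}
    attempt = {"path": "/api/set", "params": {"grid_connected": False}}
    vuln_status, vuln_settings = handle_vulnerable(settings, attempt)
    fixed_status, fixed_settings = handle_fixed(settings, attempt)
    return (vuln_status, vuln_settings["grid_connected"],
            fixed_status, fixed_settings["grid_connected"])

if __name__ == "__main__":
    print(demo())   # (200, False, 401, True)
```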
Once a vulnerability becomes known, it’s all too easy for miscreants to find systems that might be exposed, because there’s a search engine called Shodan that indexes systems available to the Internet. Here are a number of entries for SCADA systems, some of which are PV controllers.
Who Knows?
If you’re not familiar with the IT industry, the second part of TJ’s question, “Who knows?”, looks ominous. Would we ever find out if our systems were vulnerable?
This might surprise you: the answer should be “Yes”. The IT industry has a 20-year-old public database of vulnerabilities, and if someone discovers a problem, the wider industry becomes aware of it (usually after what’s known as a “disclosure window” of 90 days).
If you’re interested, here’s what a good security advisory program looks like, from computer networking giant Cisco Systems – every advisory for every product is published, along with an assessment of how severe a problem is, and how to fix it.
In the 1990s, going public like this was subject to very heated debate: surely publishing ways to hack (for example) Microsoft Windows is terribly dangerous?
The pro-disclosure argument that won the day had many threads, but the most important were: (a) customers need to know that their systems might need to be patched against a possible hack; and (b) the information security community would be able to work collaboratively on fixes, if it learned to be more open about vulnerabilities. Today, the IT community’s Common Vulnerabilities & Exposures (CVE) database documents tens of thousands of security bugs, and various organisations from Google and Microsoft down offer “bug bounties” to reward security researchers for their work.
Disclosure isn’t perfect. Some governments “hoard” vulnerabilities they discover (America’s National Security Agency did so for many years), and cyber-crime syndicates don’t take part in disclosure programs, but overall, disclosure has made us all more secure.
Solar PV vendors are in the very early stages of taking part in vulnerability programs, but I expect they will become more active. Even if they hope to avoid scrutiny, hackers will turn their attention to control systems, and the solar power industry will be forced to respond.
Lesharoturbo explained that monitoring-only systems can’t be controlled by attackers, which is true. However, if a vulnerability and an Internet connection existed, such systems could still expose sensitive information to attackers, so security remains a consideration.
From Richard Pillay, this very good question: “I found it very interesting you suggested using https after logging in. So use an insecure connection to enter your credentials?”
I should have been clearer: I had in mind local logins only here, that is, when you’re directly connected to a device. A secured login page is preferable, but I know from experience that a lot of home routers don’t enforce it for local users (but do switch to HTTPS after login). As long as the insecurity only applies to local users, I’m not too worried.
One useful protection is to run a firewall, either on your ADSL router or a separate Linux host. (I wouldn’t trust a machine running M$ as a firewall, but then I haven’t allowed M$ into my home in 40 years, or ever used it in my IT career of 30 years.) If the firewall is on a separate host, I’d close its TCP/IP ports down tight, and let nothing else run on it.
The firewall rules would allow only outgoing traffic from the inverter. Rather than reject unwanted incoming packets trying to reach the inverter, I’d just let the connection attempt hang, tying up the intruder – waiting for a reply which will never come.
Then we can be sure that it really is monitoring-only.
It is a concern that I’ll be nailing down with crowbars before I let my inverter anywhere near the internet. For the first year after the inverter goes in, I’ll be there only part time, and _there_won’t_be_any_internet_connection_!
So we’ll see which inverter has two MPPTs _and_ handles FULL OFF-GRID, i.e. off the net too.
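The firewall policy the comment above describes (only outgoing traffic from the inverter, unsolicited inbound silently dropped so the attempt hangs), modelled as an added example that is not the commenter’s own configuration or any firewall project’s code; the inverter and remote addresses are constructed samples, and the nftables rules quoted in the comments are the equivalent on a Linux router.

```python
# Added example, not code from the comment above or from any firewall project:
# a model of the policy "only outgoing traffic from the inverter, unsolicited
# inbound is silently dropped". The inverter address is a constructed sample.
# Equivalent nftables forward-chain rules on the router (policy drop):
#   ct state established,related accept
#   ip saddr 192.0.2.50 accept
#   ip daddr 192.0.2.50 drop

INVERTER = "192.0.2.50"

class StatefulFilter:
    def __init__(self):
        # flows the inverter opened itself, keyed (src, sport, dst, dport)
        self.conntrack = set()

    def verdict(self, pkt):
        """ACCEPT, or DROP: a DROP sends nothing back, so the remote
        connection attempt simply hangs (a REJECT would answer with an
        ICMP error or TCP RST, which is what the commenter wants to avoid)."""
        key = (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        reply = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if reply in self.conntrack:          # reply to a flow the inverter opened
            return "ACCEPT"
        if pkt["src"] == INVERTER:           # inverter pushing monitoring data out
            self.conntrack.add(key)
            return "ACCEPT"
        return "DROP"                        # anything else, inbound included

def replay(packets):
    """Run a packet sequence through a fresh filter and return the verdicts."""
    fw = StatefulFilter()
    return [fw.verdict(p) for p in packets]

# Constructed traffic: the inverter uploads to a cloud portal, the portal's
# reply comes back, then an outside host tries to open a connection inward.
SAMPLE = [
    {"src": INVERTER, "sport": 40001, "dst": "203.0.113.10", "dport": 443},
    {"src": "203.0.113.10", "sport": 443, "dst": INVERTER, "dport": 40001},
    {"src": "198.51.100.7", "sport": 51234, "dst": INVERTER, "dport": 80},
]

if __name__ == "__main__":
    print(replay(SAMPLE))   # ['ACCEPT', 'ACCEPT', 'DROP']
```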
Richard, the article is unfortunately very true. We live in a world of hackers, & we are ever-more connected, with even IoT devices like light bulbs.
As a consumer, the best we can do is to have a strong password on our router, & other devices linked to the web (including Android/Apple iDevices, etc.). One should also periodically upgrade the router firmware if at all possible. (This is one area of vulnerability: phones, etc. automatically update, but a router will not unless it is under the control of the ISP.)
Personally, I replace my router firmware with OpenWrt. I feel this is a more secure option, but not for the faint-hearted!
There is another issue not covered in the article: when we all have batteries, & the ability to ‘sell’ power back to the grid, we will have another portal open to hack. If a hacker gets into the overall control software, there could be a similar effect to a DNS attack, where all the batteries were turned on, bringing the whole network down. I feel we will be relying on companies such as Reposit to keep our systems safe from attack, so hopefully they carry their side of the bargain.
I think what is important in a discussion like this is to make sure to stick to factual information.
One important consideration is to make sure that any interfaces provided by your inverter are not accessible over the public Internet.
It looks like most inverters’ management web interfaces do not support HTTPS, hence any passwords passed to them will effectively be unprotected.
There are, however, other factors that need to be considered. For instance, the APIs of some inverters have no security at all. This is the case with Fronius. The Fronius API is, however, read-only: you cannot change any settings via the API, you can only read data.
This article has however only considered the potential attack of someone maliciously changing settings on your inverter.
What is a more likely issue is for someone to use data from your inverter to infer your movements – in other words whether you are at home or not. That could expose you to burglary by letting on whether the house is empty or not, based on electricity consumption. For this reason, it is also important to ensure that any access to data from your inverter is secured. This includes web-hosted systems like Fronius’ SolarWeb platform.
For a potential burglar to utilise knowledge that an inverter is not powering loads, it would not only be necessary to know that the occupants had not simply gone to bed, or were barbecuing by torchlight in the back yard, but also the street address of the inverter. That should not be available until the manufacturer’s database has been cracked. Ideally that would be encrypted – failure to do so is extreme corporate negligence in these times.
Neither a static nor a dynamic IP address will give much better location than a suburb at best, I believe.
Nevertheless, I second Doug’s recommendation of running OpenWrt. It is a good choice for providing the security of a firewall.
Hackers
Causing grief to innocent punters is an extremely poor means of getting your rocks off as I can’t for the life of me see any benefit to be gained.
My question is WHY do they do it?
Simply because they can.
Where do most inverters come from? Which country?
Who controls these manufacturers?
What happens when a large percentage of your energy supply can be controlled with the push of a button from a foreign state-based organisation?
How do you disable a country quickly?
If you can answer these questions correctly then you will understand the great threat posed to our country as a whole when foreign-connected, foreign-controlled energy management assets are present throughout our energy grid.
It’s not about the individual hack, it’s about a widespread and orchestrated hack when we have large loads under control over the air.
Some countries have taken action to address this risk – https://www.greentechmedia.com/articles/read/senators-propose-ban-on-huawei-solar-inverters-citing-national-security-thr#gs.qwkckj
Why hasn’t our government?
I’ve probably said too much already…
I have found that my battery storage is releasing some power to the grid while providing power to the house. Is that normal? If so, why is it doing that? I believe that the battery storage is meant to run the power into the house.
No hacker is going to be satisfied with hacking just one of your devices.
If you ever discover that your inverter is ‘hacked’, it will be highly likely that every other device you own which is connected directly or indirectly to the internet has already been hacked too.
Conversely, if your other devices get hacked, the possibility that your inverter will eventually get hacked too could possibly be increased depending on how you’ve set things up.
This article from a cyber security website gives some insight into the extent of the problems.
https://www.scmagazine.com/home/security-news/vulnerabilities/huawei-products-riddled-with-backdoors-zero-days-and-critical-vulnerabilities/
That particular manufacturer is not the only one with problems.