The increasing decentralization of the power supply using solar cell systems not only represents progress in the energy transition, but also raises new security issues. Trend Micro has examined the IT security of systems for decentralized energy supply in a study. The researchers took a close look at the network gateways of PV solar systems in particular. Here are some of the results from this study.
Cybersecurity in PV solar energy systems
The investigation covered systems from leading manufacturers such as Enphase, Outback, Phocos, Sol-Ark and Victron and focused on how securely these systems are designed. The popularity of solar and photovoltaic systems in particular is drawing increased attention to their IT security. While the Outback and Phocos systems had no vulnerabilities, the researchers were able to identify various security risks in other systems.
In addition to a lack of encryption during data transmission and problems with standard passwords, potentially insecure firmware updates also pose a risk. In the test, some systems were also vulnerable to attacks in which they were switched off or reconfigured remotely. Two systems examined also classified all data traffic in the local network as trustworthy. This can lead to risks if the system is inadvertently connected to the internet. In addition, the exact location of some systems could be identified through unauthorized access to their access point (AP) scans. This would allow cyber attackers to target specific regions in an emergency.
Data security and location dependency
The security researchers also looked at issues of data sovereignty and storage location when using cloud services. Depending on the manufacturer, some systems transfer data to Amazon Web Services (AWS) in the USA or the EU, Microsoft Azure in Brazil, Alibaba Cloud in China or data centers in the Netherlands, for example. These transfers require a high level of trust in the respective cloud service providers and their security precautions. The transfer of sensitive information across international borders requires not only technical reliability, but also compliance with different data protection regulations. This illustrates the complexity and global nature of data security in the context of decentralized energy generation.
It is unlikely that individual exposed devices can cause large-scale failures in the decentralized energy supply. Instead, attackers could target cloud services that manage and control multiple devices simultaneously in order to control them for malicious purposes. The security measures taken by cloud providers to prevent such attacks are correspondingly important.
Cybercriminals can use methods such as phishing, brute-forcing passwords or exploiting known vulnerabilities to take over user accounts with remote management functions. Once they have gained access, they can manipulate existing data and control the systems remotely if the cloud services allow this.
Recommendations for protection
The security researchers at Trend Micro provide clear recommendations for action to support system operators and technicians:
- Limiting remote access: It is recommended to limit remote access to the control interface. In particular, direct exposure of systems on the Internet should be avoided.
- Password protection: Changing default passwords and enabling password protection are crucial to prevent unauthorized access.
- Separation of the network interface: The researchers also recommend separating the network interface of the inverters from other local networks in order to reduce vulnerability to potential attacks.
- Collaboration with external IT security experts: It is advised to follow best security practices and consider working with external IT security experts.
"The study results emphasize the importance of a balanced approach to IT security in the changing landscape of distributed energy generation," said Udo Schneider, Security Evangelist Europe at Trend Micro. "The integration of renewable energy requires not only technical innovation, but also careful consideration of security aspects to ensure the smooth operation and trustworthiness of these systems. Cybersecurity plays a crucial role in ensuring an efficient energy supply." Details can be found in the report Distributed Energy Generation Gateway (In)Security.