Willem Westerhof, a cybersecurity researcher at Dutch security firm ITsec, discovered 21 security vulnerabilities in the Internet-connected inverters – an essential component of solar panel that turns direct current (DC) into alternating current (AC).
According to Westerhof, the vulnerabilities leave thousands of Internet-connected power inverters installed across Europe vulnerable.
Westerhof demonstrates that it is possible for hackers to gain control of a large number of inverters and switch them OFF simultaneously, causing an imbalance in the power grid that could result in power outages in different parts of Europe.
The vulnerabilities affect solar panel electricity systems, also known as photovoltaics (PV), made by German solar equipment company SMA, which if exploited in mass, could result in electrical grids getting knocked offline.
Westerhof's research, called the "Horus Scenario" – named after the Egyptian god of the sky, was first published in a Dutch newspaper Volkskrant, and now he launched a website detailing the vulnerabilities and how a digital attack could lead to terrible consequences.
According to the researcher, the attack causes due to an imbalance in the power grid. Since the power grid needs to maintain a constant balance between the supply of power and demand of power, an exceed in supply or demand could cause outages.
So, if an attacker manipulates the amount of PV power in a power grid at a particular time, an attacker could cause peaks or dips of several GigaWatts, causing a massive imbalance which may lead to large scale power outages.
For a country like Germany, where solar energy covers up to 50 percent of its power demand, such a devastating attack would instantly cause a significant power outage, which would adversely affect millions of people and cost governments billions of dollars.
To explain this scenario in real life, Westerhof analysed the PV inverters made by SMA and discovered 17 vulnerabilities, 14 of which received CVE IDs and CVSS scores ranging from 3 (Informational) to 9 (Critical).
"In the worst case scenario, an attacker compromises enough devices and shuts down all these devices at the same time causing threshold values to be hit" and "a 3 hour power outage across Europe, somewhere mid day on June is estimated to cause +/- 4.5 billion euros of damage," Westerhof writes.Westerhof reported all the vulnerabilities to SMA in late 2016 and worked with the company, power grid regulators, and government officials to fix the issues and harden up the security of their systems.
More than six months later, the company patched the flaws in its kit and is rolling out patches to its customers, while power grid regulators and the government will discuss the findings at international conferences.
Luckily it was a white hat who discovered the flaws in the solar panel which could have caused a devastating effect on the entire nation. If it were a black hat, it could have resulted in massive power outages across Europe similar to the one suffered by Ukraine last year.