The recent discovery of a wireless device in a solar power inverter in the US highlights the risk of a distributed denial of service (DDoS) attack on the power grid as more energy comes from renewable sources.
The recent power outage across Spain and Portugal showed the impact of the loss of a proportion of power, although a cyber attack was ruled out in that case. Nevertheless, industry is calling for more security across hardware and software for inverters from China.
“This is not the first time we’ve seen this type of vulnerability explicitly inserted into the OT/IoT supply chain. We saw a similar issue with the over-reliance on technology and equipment from PRC-owned manufacturer ZPMC, a previously documented cybersecurity risk for the U.S. maritime industry,” said Edgard Capdevielle, CEO of Nozomi Networks in the US.
“Nation-state actors are focused on compromising the US critical infrastructure, especially power gen and distribution. We do not believe the compromises are limited to power, to be clear, but the risks in power are particularly acute,” he said.
“It’s our view that asset owners should take this seriously, getting their arms around the wireless attack surface around their operating environment.”
Reuters reported finding a cellular board inside an inverter, but gave no further details. This could be used for monitoring the voltage and current through the inverter, but that would require a separate sensor. It is more likely that the cellular module would be used to just cut out the controller, shutting down the inverter.
Used across several large-scale solar farms, this would unbalance an electricity grid and potentially cause outages. Chinese vendors, mainly Huawei and SunGrow, supplied 70% of all inverters installed in 2023 and control remote access to 168 GW of PV capacity in Europe. By 2030, this figure is projected to exceed 400 GW.
Adding a separate module avoids the cybersecurity checks on the software and hardware, such as a software bill of materials (SBoM), and this addition could be performed at various stages in the supply chain.
The risk is not theoretical. A recent report commissioned by SolarPower Europe warned of the real possibility of cascading blackouts caused by malicious or coordinated solar inverter manipulation.
“In this case, these are just the two examples that were actually caught. The unfortunate reality is that there are likely hundreds of other instances of supply chain contamination that were never caught. Wireless is the easiest, fastest vulnerability because virtually no OT/IoT asset owner is monitoring their wireless attack surface. The door is wide open.”
The newly formed European Solar Manufacturers Council (ESMC) flagged the risk of a DDOS attack. The ESMC, not to be confused with the European Semiconductor Manufacturing Company (EMC) set up by TSMC, was set up by six leading solar organisations across Europe and includes the majority of cell, panel and materials suppliers in the region.
“Europe’s energy sovereignty is at serious risk due to the unregulated and remote control capabilities of PV inverters from high-risk, non-European manufacturers, most notably from China,” it said. “Today, over 200 GW of European PV capacity is already linked to inverters manufactured in China – the equivalent of more than 200 nuclear power plants,” said Christoph Podewils, Secretary General of ESMC. “This means Europe has effectively surrendered remote control of a vast portion of its electricity infrastructure.”
However, most solar inverter manufacturers point out that updates come from the system controller rather than going directly to the inverter.
Nevertheless, the ESMC has called for the immediate development of an EU “Inverter Security Toolbox”, modelled after the successful 5G Security Toolbox. This would involve a comprehensive risk assessment of inverter manufacturers and a requirement that high-risk vendors must not be permitted to maintain an online connection to European electricity systems, which could include outright bans for such vendors from connecting to the grid.
This could replicate legislation in Lithuania that bans inverters from China, but would have to include the hardware supply chain.
“Europe must act now to prevent a future energy crisis that would rival the gas dependency on Russia,” said Podewils. “We support the European Commission’s upcoming assessment of cybersecurity risks in the solar value chain and are ready to contribute our expertise.”
“Trusted suppliers and other approaches to improve the safety of the IoT supply chain are important, but it’s a little like closing the barn door after the cows get out,” said Capdevielle at Nozomi. “IoT asset owners should always assume their supply chains have been contaminated. The operating assumptions should be that there are likely contaminated or compromised assets in the environment, and the compromise is likely wireless.”