Hijack of monitoring devices highlights cyber threat to solar power infrastructure

In what might be the first publicly confirmed cyberattack on the solar power grid infrastructure, Japanese media recently reported that malicious actors hijacked 800 SolarView Compact remote monitoring devices made by industrial control electronics manufacturer Contec at solar power generation facilities to engage in bank account thefts.

The attackers presumably exploited systems that had not patched a flaw, CVE-2022-29303, that Palo Alto Networks discovered in June 2023. The cybersecurity company said that the flaw was under active exploitation to spread the Mirai botnet. The attackers even posted a YouTube video demonstrating their exploit on a SolarView system. Contec subsequently patched the flaw on July 18, 2023.

On May 7, 2024, Contec confirmed the most recent attacks on the remote monitoring devices and apologized for the inconvenience. The company alerted power generation facility operators of the problem and urged them to update the device’s software to the latest version.

The group Hacker CN was likely responsible for the attack

In an analyst interview, South Korean security company S2W said that the group responsible for the attack was Arsenal Depository, which appears to be referring to a hacker group also known as Hacker CN.

In January 2024, S2W identified Hacker CN as Chinese or Russian, indicating it was involved in hacktivist attacks targeting Japanese infrastructure after the Japanese government discharged contaminated water from the Fukushima nuclear power plant in what S2W called the “Operation Japan” campaign. (Neither Contec nor S2W responded to requests for interviews.)

Although concerning, the exploitation of the remote monitoring devices did not threaten power system operations. However, experts say that in highly capable hands, the intrusion into the exploited devices could have proved even more dangerous. They stress that inverters used in solar installations are a more likely vector through which damaging solar attacks might occur.

The attack didn’t target grid operations but could have

Experts say the apparent financial motivation leads them to believe the attackers were not targeting grid operations. “Those bad guys were looking for compute devices that they could use to do computer internet-related types of extortion,” Thomas Tansy, CEO of DER Security, tells CSO. “From that standpoint, the fact that they hijacked a contact would be no different than bad guys hijacking industrial cameras, home routers, or other devices that are connected to the internet. The intent of the attack was not to compromise the power grid. It was to extort money.”

But, if the hackers were motivated to disrupt the power grid, they could have exploited these unpatched devices for more malevolent purposes, Tansy says. “Could an adversary pivot and say, ‘We’re no longer interested in extorting people today, we’re interested in interrupting power on the grid?’ Sure. If they had the expertise to do that, the fact that they’re inside the system gives them the opportunity. Of course, they’d have to have the skills and the know-how to pull off, but at that point, the barbarians are inside the gates.”

Access to monitoring systems will grant some level of access to the actual photovoltaic installation, Willem Westerhof, team manager at Secura, tells CSO. “You effectively have local network access. You could try, instead of doing what they did, you could try to leverage that access to attack anything that is in the same network.”

Attackers could gain access to a central control system

Such networks typically have a central control system, which, if infiltrated could allow attackers to take over more than a single solar park. “Based on what I’ve seen, this specific monitoring equipment also has the option to, for example, shut down the photovoltaic installation,” Westerhof says. “So, you could shut down and start up a solar park this way. I don’t think the grid will get completely shut down, given the scale of the attack and available countermeasures, but it’ll probably make some people in charge of grid balancing very nervous if you start shutting those down or repeatedly cycling them off and on.”

However, grid-scale solar installations, such as those that utilities increasingly use to fuel their power supply, likely have sufficient protections built into their networks to thwart this kind of attack.

Mandatory security safeguards such as “NERC-CIP starts to apply depending on how big it is and how impactful the installation is,” Andrew Ginter, VP of industrial security at Waterfall Security Solutions, tells CSO. “And you tend to see more rigorous cybersecurity being applied just because it makes good business sense. If you have a dozen solar farms, each of which is producing 300 megawatts of power, a utility is monitoring those things.”

The more severe cybersecurity risks to power grids stem from inverters

As unsettling as the attack on the Contec devices was, experts point to a more severe cybersecurity risk to distributed energy resources (DER) composed of solar panels, a critical component called the inverter, part of a class of power electronics that regulate the flow of electric power. An inverter is a device that converts direct current (DC) electricity, which is what a solar panel generates, to alternating current (AC) electricity, which the electrical grid uses.

The North American Electric Reliability Corporation (NERC) has warned that the deficiencies in inverters pose “a significant risk to BPS [bulk power supply] reliability” and could potentially cause “widespread outages.” The US Department of Energy warned in 2022 that a cyberattack on inverters could reduce the grid’s reliability and stability.

In May 2023, a team of researchers for the Dutch National Digital Infrastructure Inspectorate (RDI) reported that of the nine types of inverter from eight manufacturers they examined, none met the RDI’s security standards. The researchers concluded that “this makes solar panel installations, for example, easy to hack and can then be switched off or used for DDoS attacks. Or personal and usage data can be intercepted.”

“The key component is the inverter,” Ginter says. “The inverter is the interface to the grid, it’s the interface to the grid control systems. The newest inverters have communications; they’re connected to the grid, or they’re connected communications-wise to a cloud service. It’s those devices that are at risk of being compromised.”

Hacked inverters could imperil household solar installations, even start fires

The real risk to inverter exploitation lies in the growing number of household solar installations. According to the Solar Energy Association, the number of US homes with solar installations is expected to double to 10 million by 2030. The number of households with solar installations is expected to top 100 million by 2030.

“Typically, those inverters have a voltage and a frequency set,” Westerhof says. “So those are just the electric parameters, but those are configured either through firmware or through set points. If you get to a point where you can influence that, you can get those systems to send out a very significantly different voltage and a different frequency, which basically messes with all connected devices.”

Inverters themselves are usually capable of dealing with voltage or frequency changes, short-circuiting or breaking down. But, Westerhof says, in some rare circumstances, “some attached devices might in certain context slowly, yet steadily start to go ablaze. The chances of a fire starting will definitely increase.”

Some solutions to solar cybersecurity problems

The attack on the Contec devices, the threats to DER inverters, and other threats to the solar component of the power grid stem not from solar panels themselves, which are basically passive devices, but from the communications elements that connect the panels to electrical power systems. Because of this bifurcation, solar panel users can take steps to protect themselves from threats embedded in the communications software.

The standards-setting body IEEE has established Standard 1547 for interconnecting solar panels to the systems and recently updated that standard in 2018 to, among other things, improve reliability and support the grid under abnormal circumstances.

“Because there’s a standard, you can buy the hard goods, the batteries, the solar panels from one party out of China, and you can implement a control system and a security system that’s 100% homegrown American made,” Tansy says. “And you have bought yourself a pretty significant measure of protection in doing that.”

According to Westerhof, another step to help protect the solar component of the grid is to ensure local installers are adequately trained in cybersecurity, particularly when it comes to insecure inverters.

“Installers, for example, sometimes install models that have been out of vendor support for several years, just because that’s the inverter they still have in stock,” he says. “PV-park [solar farm] owners are quite concerned with cybersecurity, but they can’t really control it for the PV installations because they are dependent on the vendors and the people who can install it.”

The US Department of Energy advocates for futureproofing the distributed energy resource industry now before it reaches maturity and NIST is developing guidelines for residential and light commercial solar energy systems based on a review of known smart inverter vulnerabilities documented in the National Vulnerability Database (NVD) and information about known smart inverter cyberattacks. It is also testing five example smart inverters.

Ginter thinks that the NIST draft guidelines underscore the kinds of questions all organizations should be asking when they implement basic cybersecurity protections. “NIST is saying we should have some cybersecurity standards, do some basics. I think the standards are going to have to become more stringent as time goes by, and we wind up with software carrying out safety-critical functions in these physical devices,” he says.