Friend
Professional
- Messages
- 2,653
- Reaction score
- 850
- Points
- 113
A Dutch hacker has found a breach in solar power systems.
The problem of vulnerability of "smart" technologies is becoming more acute. Dutch hacker Witse Boonstra recently demonstrated the severity of such threats by discovering the ability to disable 4 million solar power systems in 150 countries at the touch of a button. The discovery confirmed Hupponen's law: "If something is smart, it is vulnerable."
The scale of the threat is impressive. Solar panels in the Netherlands can produce energy comparable to the capacity of forty nuclear power plants such as Borssele. However, many manufacturers do not provide sufficient protection against hackers.
Boonstra, a security researcher at a Forensic IT Organization (JIO), discovered a major flaw in Enphase's systems. In recent months, he has focused on devices that connect solar panels to the power grid.
Although the principle of operation of solar panels is simple — they produce direct current, which is then converted to alternating current for supply to the grid - but an inverter is used for this. In Enphase systems, each panel is equipped with its own microinverter.
Enphase customers can configure and manage their systems through a personal account, with the ability to delegate management to others. Boonstra identified a critical vulnerability: a bug in the software allowed you to gain administrator rights over other people's accounts. Testing his theory, he created two administrative accounts and found that the first one could manage the second one without permission. For final verification, I created twenty more accounts and successfully managed them all through the first one.
Together with his colleague Hidde Smith, Boonstra studied the firmware of Enphase devices and found six vulnerabilities that could be used to infect millions of solar systems with malware.
This situation is comparable to the concept of the "Ring of Omnipotence" from Tolkien's "Lord of the Rings": just as one ring controlled the others, the vulnerability revealed allows you to control millions of systems through one account, which threatens global energy security.
The Netherlands ' vulnerability to grid diversions is growing. The interconnectedness of solar energy systems, charging stations, and centrally managed batteries makes the country more vulnerable to such threats. Experts warn that the responsibility for stability can no longer lie solely with network operators.
Solar panels in the Netherlands generate about twenty gigawatts of energy, which is comparable to the capacity of forty nuclear power plants. A sudden loss of even a few gigawatts can seriously destabilize the grid.
Representatives of the State Digital Infrastructure Service (RDI) confirm that such a scenario threatens stability not only in the Netherlands, but also in Europe, given the synchronization of power grids.
Secura researchers have described a scenario in which an attacker can turn solar panels on and off every few seconds. This approach can destabilize the network if applied to panels that produce 3 gigawatts. It is not easy to gain control over such a large amount of energy, but experts believe it is real.
Another possible attack scenario involves changing the parameters of inverters. Modern electric networks operate in the range from 240 to 253 volts. When the upper limit is reached, the inverters are automatically switched off. An attacker can change these settings, which will overload the power grid.
An additional threat comes from the fact that a significant part of these systems is controlled by Chinese companies. Huawei and Sungrow, the largest suppliers of solar systems, supply more than 3 gigawatts each to the Dutch grid every day. Every year, the country adds about 4 gigawatts of solar capacity, which increases its dependence on foreign components.
Experts warn of growing dependence on Chinese companies and possible political risks. In the event of a conflict, Beijing may require manufacturers to make changes to the systems, which will allow manipulating the operation of solar panels in other countries.
Public actors could turn off electricity in the Netherlands through inverter software. Such actions, while perceived as acts of hostility, would allow the country that organized them to deny involvement. In the context of increasing tensions and frequent cyber attacks, experts believe this scenario is quite realistic.
Representatives of TenneT, the operator of the high-voltage network, emphasize that the main responsibility for preventing such attacks lies with energy suppliers such as Essent. However, TenneT has overall responsibility for dealing with major incidents in the Netherlands.
Experts say that at the level of the whole of Europe, it is possible to compensate for the loss of up to 3 gigawatts due to fast-responding capacities, such as batteries, hydroelectric and gas-fired power plants. But shutting down more than 3 gigawatts of solar panels can have unpredictable consequences.
It is almost impossible to eliminate the risk in the source. Existing mechanisms only allow us to respond to emerging threats, which creates a dangerous scenario for society.
Experts call for tougher regulation and supervision in the industry. New legislative initiatives, such as the Cyber Resilience Act (CRA), the RED 3.3 Directive and the NIS2 Directive, can help increase the responsibility of software developers and limit the access of insecure products to the Dutch market.
Regulatory representatives confirm that the new legislation will help to deal more effectively with insecure equipment, including applications and cloud services. Similar measures are planned to apply to operators of charging stations for electric vehicles.
Experts emphasize the need for a clear division of responsibilities between all market participants. The work of ethical hackers identifying vulnerabilities is certainly commendable, but relying solely on their good will in cybersecurity matters is unacceptable.
Source
The problem of vulnerability of "smart" technologies is becoming more acute. Dutch hacker Witse Boonstra recently demonstrated the severity of such threats by discovering the ability to disable 4 million solar power systems in 150 countries at the touch of a button. The discovery confirmed Hupponen's law: "If something is smart, it is vulnerable."
The scale of the threat is impressive. Solar panels in the Netherlands can produce energy comparable to the capacity of forty nuclear power plants such as Borssele. However, many manufacturers do not provide sufficient protection against hackers.
Boonstra, a security researcher at a Forensic IT Organization (JIO), discovered a major flaw in Enphase's systems. In recent months, he has focused on devices that connect solar panels to the power grid.
Although the principle of operation of solar panels is simple — they produce direct current, which is then converted to alternating current for supply to the grid - but an inverter is used for this. In Enphase systems, each panel is equipped with its own microinverter.
Enphase customers can configure and manage their systems through a personal account, with the ability to delegate management to others. Boonstra identified a critical vulnerability: a bug in the software allowed you to gain administrator rights over other people's accounts. Testing his theory, he created two administrative accounts and found that the first one could manage the second one without permission. For final verification, I created twenty more accounts and successfully managed them all through the first one.
Together with his colleague Hidde Smith, Boonstra studied the firmware of Enphase devices and found six vulnerabilities that could be used to infect millions of solar systems with malware.
This situation is comparable to the concept of the "Ring of Omnipotence" from Tolkien's "Lord of the Rings": just as one ring controlled the others, the vulnerability revealed allows you to control millions of systems through one account, which threatens global energy security.
The Netherlands ' vulnerability to grid diversions is growing. The interconnectedness of solar energy systems, charging stations, and centrally managed batteries makes the country more vulnerable to such threats. Experts warn that the responsibility for stability can no longer lie solely with network operators.
Solar panels in the Netherlands generate about twenty gigawatts of energy, which is comparable to the capacity of forty nuclear power plants. A sudden loss of even a few gigawatts can seriously destabilize the grid.
Representatives of the State Digital Infrastructure Service (RDI) confirm that such a scenario threatens stability not only in the Netherlands, but also in Europe, given the synchronization of power grids.
Secura researchers have described a scenario in which an attacker can turn solar panels on and off every few seconds. This approach can destabilize the network if applied to panels that produce 3 gigawatts. It is not easy to gain control over such a large amount of energy, but experts believe it is real.
Another possible attack scenario involves changing the parameters of inverters. Modern electric networks operate in the range from 240 to 253 volts. When the upper limit is reached, the inverters are automatically switched off. An attacker can change these settings, which will overload the power grid.
An additional threat comes from the fact that a significant part of these systems is controlled by Chinese companies. Huawei and Sungrow, the largest suppliers of solar systems, supply more than 3 gigawatts each to the Dutch grid every day. Every year, the country adds about 4 gigawatts of solar capacity, which increases its dependence on foreign components.
Experts warn of growing dependence on Chinese companies and possible political risks. In the event of a conflict, Beijing may require manufacturers to make changes to the systems, which will allow manipulating the operation of solar panels in other countries.
Public actors could turn off electricity in the Netherlands through inverter software. Such actions, while perceived as acts of hostility, would allow the country that organized them to deny involvement. In the context of increasing tensions and frequent cyber attacks, experts believe this scenario is quite realistic.
Representatives of TenneT, the operator of the high-voltage network, emphasize that the main responsibility for preventing such attacks lies with energy suppliers such as Essent. However, TenneT has overall responsibility for dealing with major incidents in the Netherlands.
Experts say that at the level of the whole of Europe, it is possible to compensate for the loss of up to 3 gigawatts due to fast-responding capacities, such as batteries, hydroelectric and gas-fired power plants. But shutting down more than 3 gigawatts of solar panels can have unpredictable consequences.
It is almost impossible to eliminate the risk in the source. Existing mechanisms only allow us to respond to emerging threats, which creates a dangerous scenario for society.
Experts call for tougher regulation and supervision in the industry. New legislative initiatives, such as the Cyber Resilience Act (CRA), the RED 3.3 Directive and the NIS2 Directive, can help increase the responsibility of software developers and limit the access of insecure products to the Dutch market.
Regulatory representatives confirm that the new legislation will help to deal more effectively with insecure equipment, including applications and cloud services. Similar measures are planned to apply to operators of charging stations for electric vehicles.
Experts emphasize the need for a clear division of responsibilities between all market participants. The work of ethical hackers identifying vulnerabilities is certainly commendable, but relying solely on their good will in cybersecurity matters is unacceptable.
Source
