Power distribution infrastructure in today’s context is largely controlled through closed-loop computer networks, and an ill-intentioned hacker can cause massive power outages if these networks are not secure.
With a global emphasis moving towards renewable and clean energy sources, solar panels have become the major contributors to power generation in many countries in Europe.
How safe are these solar panels? Well, apparently they have serious vulnerabilities, as discovered by a cybersecurity researcher in the Netherlands.
This Dutch researcher, in fact, claims there are at least 21 vulnerabilities, particularly in the inverters which connect solar panels to the internet.
The Weak Point: Photovoltaic Cells
Photovoltaic (PV) cells are devices that receive the power generated by the solar panel grid.
Then the inverters take over and they are, in turn, controlled through a network.
Control over the system is exercised through balancing the requirement or demand and the availability or supply side.
When the demand goes up, the supply side is activated.
And when there is a tendency of excess power flowing through the grid, the system slows down the production or supply side to keep the balance.
When either situation shifts to the extreme, the grid can fail.
This is precisely what the Dutch researcher, Willem Westerhof, has tried to demonstrate to the manufacturer.
Acting as a White Hat hacker, he could get into the system and manipulate the command sequence in the grid.
He called his work the “Horus Scenario.” Horus, incidentally, is the god of the sky as per Egyptian beliefs.
This obviously means the other hackers could do the same thing and then the results could be catastrophic to large parts of Europe that depend on solar power.
People still vividly remember the power outage that occurred in Ukraine last year due to cyber attack on the country’s energy grid.
SMA Perhaps Did Not Respond Very Well
While Westerhof was conducting his research last year, he alerted the manufacturer of the inverters, SMA.
The company probably did not concede that its products had security issues or any such vulnerabilities as reported by the researcher.
In good faith, Westerhof also waited patiently until the company took the appropriate steps to send the patches to plug the loopholes in their products and assure their customers that they need not be overly concerned about it.
It is only after making sure the company has adequately addressed the issue that the researcher has published his findings and uploaded the details on a dedicated website.
Some Kind of Blame is Ensuing
The issue of vulnerabilities can arise in any network.
The company that created the software or the network’s backbone then owns the responsibility and rushes in to repair the problem.
Here, as indicated, the initial reaction from SMA was to wash its hands of the crisis.
There are several layers involved in setting up and maintaining power utilities.
The government has a separate department to deal with energy that is supplied to the public and plays a regulatory role as well.
If the grid were to fail tomorrow due to hackers gate-crashing the solar power ecosystem, then it is the government that will step in first.
They will get involved in the firefighting mode, where the power can be resumed as soon as possible, and then order an inquiry on what exactly transpired.
But the government does not want to dirty its hands by being responsible for the security of company-owned and operated power grid systems.
In their view, the government’s role is more of a facilitator or regulator.
The vendors, like SMA, feel their equipment is safe and that it is at the customers’ end that the secure environment has to be created and vulnerabilities avoided.
The users, on their part, feign ignorance in the whole subject of cybersecurity and feel the developers of the equipment and systems must ensure that there are no vulnerabilities.
They feel the companies can send an audit team to check once the connection is completed and before their inverters are made part of the common grid.
As such, they expect the education and physical assistance to come from the manufacturer.
For the time being though, SMA has managed to send out the remedy to all its users with the right advice, so that they can download the patches from their servers and block potential hackers from laying a hand on their systems.