cross-posted from: https://feddit.org/post/1885722

Archived link

Here is the original article in Dutch (gated)

While wind turbines, which are highly networked and equipped with hundreds of sensors, are traditionally considered more vulnerable to outside interference than solar panels, a Dutch citizen may have proved otherwise.

A Dutch white hat hacker could have gained control of millions of smart solar panel systems, using a backdoor.

The findings confirm a 2023 report by a Dutch agency which found that converters, essential parts of solar panels that make the electricity suitable for the power grid and which are usually connected to the web, can be “easily hacked, remotely disabled or used for DDoS [Distributed Denial of Service] attacks.” DDoS is one of the most common types of attacks, which basically try to overwhelm a system.

EU industry association SolarPower Europe said the bloc “needs more robust cybersecurity rules for distributed energy sources” in a statement commenting on the hack.

The share of solar power in the European grid has surged from 1% in 2010 to 9% in 2023, and with it the disruptive potential of a cyberattack on solar panels has likewise grown.

“Devices that can be centrally co-ordinated or managed (for example, aggregated rooftop solar installations) must be subject to an EU or nationally authorised layer of monitoring,” stressed Dries Acke, deputy CEO of the lobby group.

A report by the EU’s own cybersecurity agency from 24 July found that the union is ill-prepared for a concerted attack on its energy infrastructure, whether by a foreign state or by malicious insiders.

With electricity being so essential, any attack on Europe “attracts considerable pre-positioning activity by advanced threat actors” in the power sector should they aim at “executing a destructive attack,” it adds.

Solar panels were outlined as a vulnerability in several scenarios, also due to the dominance of a single country, China, in the supply chain.

The industry says that while laws like the updated EU Network and Information Security Directive, known as NIS2, and the Cyber Resilience Act are a start, more action is needed: solar panels should be classified as a critical product, which means they’d be subject to more rigorous assessments.

These concerns come as the EU’s home-grown solar industry cites cybersecurity as a reason why they should receive preferential treatment, which would help them regain market share from Chinese competitors.

“Future-looking cyber requirements should come under an EU Electrification Action Plan,” said Acke, adding that “Europe must learn from its recent lessons in energy security, and map a secure path forward.”

  • Badabinski@kbin.earth
    3 months ago

    Shit like this is why I want a non-exporting hybrid inverter with batteries for a solar setup. It’s much harder to hack something that doesn’t need to coordinate with the grid beyond being a simple consumer of power (i.e. no net metering, no feeding power back to the grid). I just hope I can find something that integrates with Home Assistant using local-only APIs.

    • ironhydroxide@sh.itjust.works
      3 months ago

      You could make something. It may not be easy, or cheap, or safe. But with ESPHome and off-the-shelf solar components, you could build what you describe.

        • ironhydroxide@sh.itjust.works
          3 months ago

          RS485 is just serial with differential signaling. Get a 485-to-TTL adapter board, drop it on the serial of an ESP, and use that directly, or have it mirror to MQTT. Easy peasy.

          No need to go full SBC, microcontrollers are more reliable.

          ESPHome setup would be their UART bus component.
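
The setup described in the comment above, sketched as an ESPHome configuration. This is an added example, not part of the thread and not code from any commenter. The board, pin, baud rate, MQTT topic and broker address are assumptions, and it assumes the adapter's receive output is wired to the ESP while its transmit side is left unconnected.

```yaml
# Added example, not from the thread. Board, pin, baud rate, topic and
# broker address are assumptions; take the real values from your hardware.
esphome:
  name: inverter-rs485-tap

esp32:
  board: esp32dev

logger:

wifi:
  ssid: !secret wifi_ssid
  password: !secret wifi_password

mqtt:
  id: mqtt_client
  broker: 192.168.1.10        # constructed LAN address, local broker only
  username: !secret mqtt_user
  password: !secret mqtt_password

uart:
  id: rs485_bus
  rx_pin: GPIO16              # RO pin of the RS485-to-TTL adapter
  # No tx_pin: the ESP cannot transmit on the bus, so this node can
  # read inverter traffic but has no path to send it commands.
  baud_rate: 9600
  debug:
    direction: RX
    dummy_receiver: true      # nothing else consumes the bytes
    after:
      timeout: 50ms           # treat a 50 ms gap as end of frame
    sequence:
      - lambda: |-
          // Publish each received frame as hex on a local topic.
          id(mqtt_client).publish("inverter/rs485/raw", format_hex_pretty(bytes));
```

A receive-only tap like this only sees traffic when another device on the bus is already polling the inverter, and the adapter's driver-enable line has to be held in receive mode.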

  • ironhydroxide@sh.itjust.works
    3 months ago

    Just imagine the effect this could have on a cloudless day.

    All panels making power. Shut them off, then on, then off. Surge the grid and trip the frequency controls.

    Worst case requiring a black start.

    Yeah, decentralization of control is important. Share all the data, but none of the control.

  • Bezier@suppo.fi (OP, M)
    3 months ago

    Well, I think there are actual good reasons to have solar connected, but security should be taken very seriously.