Solar power opens up new targets for cyber attackers
- May 30, 2019
- Posted by: Kerry Tomlinson, Archer News
- Categories: Archer News, Cyberattack, Hacking, Home Security, Industrial Control System Security, Power Grid, Privacy, Smart Devices
The sun is powering the equivalent of 12 million homes in the U.S., recent numbers show.
That’s more homes than people in the state of Ohio, all running on sunshine.
But is the solar energy system secure?
Researchers are trying to make sure the same kind of thing doesn’t happen in the U.S. with solar.
The game Go, like chess, can boggle the mind with hundreds of millions of possible board combinations.
Humans brought in artificial intelligence, a computer mind called AlphaGo, to figure out the best moves.
That same kind of force can work for saving the security of solar power, said Dan Arnold with Lawrence Berkeley National Laboratory in California.
Arnold faces a brain-breaking game of his own — how to protect solar inverters from cyber invaders — and he’s using AI to solve it.
“We are essentially trying to put ourselves in the shoes of an attacker and figure out, if they were to gain access to certain systems of the grid, what would they do?” he said in an interview with Archer News.
Solar panels need inverters, devices that change sunlight into the kind of power we use for lights and computers.
But inverters can be vulnerable.
Testing company TUV Rheinland found security holes in solar inverters last year.
A Dutch researcher reported 17 security holes in solar inverters in 2017.
In February, a group of senators wrote a letter to the Department of Energy, asking for the U.S. to ban one of the largest inverter makers in the world, Huawei in China — the same company affected by bans over its phone technology.
Security holes can let attackers in — and possibly take down parts of the grid — by sending fake signals, Arnold said.
“By manipulating the settings of these devices, it is possible that you could introduce very large swings in what the voltage could be,” he said. “You could create some sort of cascading problem.”
AI, like the victorious AlphaGo, will help them see all the possible combinations of settings, discover which are the most damaging, and how to counteract the attack.
“There’s very large number of possible combinations of how the knobs could be tuned,” he explained. “It’s exploring the different combinations of buttons that could be pushed and the effect on the grid.”
As companies work more and more to standardize their solar devices, attackers will be able to hit more targets, Arnold said.
They could extend their attack from one house or office to many at the same time.
“We all are all essentially interconnected neighbors in this regard,” said Sean Peisert, also with Lawrence Berkeley National Laboratory.
Like driving on the freeway, you have to watch how you drive — and how others do, too, he said.
“Any one impact can have a cascading effect on the rest of what’s going on,” Peisert said. “When one car starts weaving in between other cars or there is one accident. And all of a sudden you have a giant backup on the freeway. A similar effect can take place in the power grid.”
The researchers want to create tools that can automatically detect attacks — and automatically respond to save the grid.
“It’s a safe bet that hostile entities are already in the system,” Arnold said. “They are waiting for either the right time or an event to occur before certain action is taken. And we depend on this infrastructure. There are people who whose lives are at stake if the grid will not operate.”
Solar will become more standardized — and more connected, too.
Enrico Pontelli and Jay Misra are working on the smart grid of the future at New Mexico State University.
There may soon be a time when you can buy and sell your solar power to many people on the fly, but that will take more connections, they said.
“Communication is the key that makes smart grids possible,” Pontelli said to Archer News. “The fact that we can exchange information and we can use information to make decisions, intelligent decisions. But, of course, once you have communication, you have data that are floating around.”
“On the flip side of it, you could also have bad actors do all kinds of stuff with your data and the devices as well,” Misra added.
$20 Million Project
Pontelli and Misra are working with other researchers and labs under a $20 million National Science Foundation grant awarded last year, finding ways to make the new smart grid secure, and keep it secure.
The goals are not just to keep attackers out, but also to keep info about your personal habits, well, personal.
Smart grids can deliver up information that can be used against you, Pontelli said.
“They can disclose when you are home, when you’re not home, even when you actually take a shower.
Somebody can come inside because they can realize that actually your energy usage has changed,” he said.
California created a new regulation — called Rule 21 — that will require new solar installations to use smart inverters that communicate with the Internet.
Other states may follow with similar rules, like Nevada, Arizona, Hawaii, Vermont and Massachusetts, according to news reports.
Inverter makers Morningstar, Fronius, Yaskawa Solectria and Enphase Energy told Solar World they are paying attention to cybersecurity issues with their devices.
The SunSpec Alliance, a solar industry organization, formed a Distributed Energy Resources [DER] Cybersecurity Working Group to come up with best cybersecurity practices for solar and other alternative power systems.
Still, Portelli and Misra said solar power has security gaps.
For example, a company can make a secure inverter, but other devices may not be secure.
You can make a secure water pipe, but if no one’s watching the faucet at the end, an attacker can still find ways to mess with your water.
The researchers at New Mexico State University and Lawrence Berkeley National Lab hope to make solar smarter and more secure before attackers try to take control over your sun-powered house or office — and take down parts of the grid that have no solar power at all.
“This is a system that has to be protected,” Arnold said. “We are in the position to try to get out ahead and limit the damage that could be done if a cyberattack were actually to activate or to take place.”
What Can You Do?
Security experts say you should do research before you buy solar power devices.
—Check to see if the device makers talk about cybersecurity for their devices.
—Check to see if an organization like UL or others has certified them for cybersecurity.
—When you buy the device, change the default password that comes on it, or you could give attackers a cheap and easy way in to your device, your house, and maybe even the power grid.
Main image: Solar panels on a house. Image: Moerschy