The rapidly growing photovoltaic power generation sector faces increasingly serious cybersecurity threats. Recently, Japanese media reported the first cyber attack on a photovoltaic power plant.
First publicly confirmed attack on photovoltaic grid
Japanese media outlet Sankei Shimbun recently reported that hackers hijacked 800 remote monitoring devices (SolarView Compact, produced by industrial control electronics manufacturer Contec) in a large photovoltaic power grid and used them for bank account theft. This may be the world's first publicly confirmed cyberattack on photovoltaic power generation infrastructure.
It is reported that the attackers used a vulnerability (CVE-2022-29303) discovered by Palo Alto Networks in June 2023 to spread the Mirai botnet. The attackers even posted a "teaching video" on YouTube showing how to exploit the vulnerability on the SolarView system. Contec subsequently patched the vulnerability on July 18, 2023.
On May 7, 2024, Contec confirmed the recent attack on remote monitoring equipment and reminded photovoltaic power generation facility operators to update the equipment software to the latest version.
In an interview with analysts, South Korean cybersecurity company S2W said that the mastermind behind the attack was a hacker group called Arsenal Depository. S2W pointed out that the group launched the "Japan Action" hacking campaign against Japanese infrastructure after the Japanese government discharged contaminated water from the Fukushima nuclear power plant.
The potential risk of photovoltaic network attacks is huge
The attackers' main motivation this time seems to be financial gain rather than disrupting the operation of the power grid. The attack on the remote monitoring equipment of the photovoltaic power station did not threaten the operation of the solar energy system. But experts say that the potential risk of such attacks is huge.
Thomas Tansy, CEO of DER Security, said: "In this attack, the hackers are looking for computing devices that can be used for extortion. Hijacking these devices is no different from hijacking industrial cameras, home routers or other networked devices. However, if the hackers' goal turns to destroying the power grid, they can use these unpatched devices to carry out more destructive attacks (such as interrupting the power grid) because the attackers have successfully entered the system. They just need to learn some professional knowledge in the photovoltaic field."
Tansy warned that large photovoltaic power grids usually have a central control system. If that system is compromised, hackers can take over more than one photovoltaic power station and repeatedly shut down or switch on photovoltaic equipment, which would have a serious impact on the operation of the photovoltaic power grid.
The biggest weakness of photovoltaic power grids: inverters
Security experts point out that the most serious cybersecurity risk faced by distributed energy resources (DER) such as photovoltaics is actually the inverter. The inverter converts the direct current generated by solar panels into the alternating current used by the power grid, and it is the interface to the power grid control system. The latest inverters have communication capabilities that let them connect to the grid or to cloud services, which increases the risk of these devices being attacked.
The North American Electric Reliability Corporation (NERC) warned that defects in inverters pose a "significant risk" to the reliability of bulk power supply (BPS) and could cause "widespread blackouts." The U.S. Department of Energy warned in 2022 that cyber attacks on inverters could reduce the reliability and stability of the power grid.
In May 2023, researchers from the Netherlands National Inspectorate for Digital Infrastructure (RDI) reported that they had examined nine inverters from eight manufacturers and found that none met RDI's security standards.
"This means that solar panel installations, for example, are vulnerable to hackers, shut down or used in DDoS attacks. User and operational data could also be stolen," the researchers said.
The biggest security risk for inverters lies in the growing number of home solar installations. According to a report by the Solar Energy Association, the number of households in the United States with installed photovoltaic equipment is expected to double to 10 million by 2030. By 2030, the number of households with installed photovoltaic equipment is expected to exceed 100 million.