The worldwide shift toward intelligent energy generation has introduced fresh weaknesses into national electrical networks. We spoke with hackers at INSPIRATIONS DIGITAL who have identified security flaws in residential roof systems and solar facilities across the globe.
“There it goes,” remarks Aditya K Sood as the control panel for a solar energy facility in India pops up on his monitor. Based in the United States, this hacker aims to raise awareness about cyber security issues. During an interview over a video call with INSPIRATIONS DIGITAL, he demonstrates just how straightforward it was for him to access the system of a solar farm located in Tamil Nadu, South India.
As he points to the system displayed on the screen, Sood remarks, 'People often set up their devices but neglect to change the default passwords. Sometimes, these passwords are extremely weak.' He adds emphatically, 'If I had to describe it simply, I'd say an attacker could gain full control over the device.'
The German firm Solar-Log, which developed the control system for the facility in India, informed INSPIRATIONS DIGITAL later that certain versions of their software allow users to modify settings related to the amount of power fed back into the grid. The company stated via email that previously, it was feasible to “set weak passwords.”
"Although it is technically feasible for a user to set a weak password and offer unrestricted access to their network over the internet, we strongly advise against doing so," Solar-Log noted.
For this article, INSPIRATIONS DIGITAL spoke with three distinct cybersecurity professionals who revealed they managed to gain control over millions of devices simultaneously. These experts assert that if they had tampered with the electricity these facilities supply to the European power grid, they could have triggered widespread outages—a genuine risk. in the hybrid warfare against the West initiated by Russia and other nations .
Is solar power the Achilles' heel of energy security?
For several years, Andreas Ulbig and his group at the RWTH university in Aachen, Germany, have been investigating risks associated with linked energy networks.
At the university campus, a massive hall akin to a warehouse contains vintage transistor stations designed for human scale alongside contemporary inverters — equipment used to transform power generated by solar panel systems.
Ulbig states that the digital transformation of Europe's energy grid is crucial as the region strives to transition from relying on a few hundred big thermal power stations to utilizing millions of small-scale wind turbines, solar panel inverters, and battery storage systems.
He told INSPIRATIONS DIGITAL that transitioning to millions of renewable energy units cannot be done "manually."
However, the expert in active energy distribution networks also mentioned that advanced grid systems known as smart-grids might attract cyber attackers who could interfere with solar power facilities throughout Europe. This interference has the potential to cause overloads in electrical grids, possibly leading to widespread outages. Nonetheless, he pointed out that it would be quite difficult for a hacker to gain simultaneous control of a sufficient number of sites to activate automated safeguard mechanisms.
Large grids vulnerable to attack
Most photovoltaic systems include remote monitoring and maintenance integrated with a cloud platform supplied by manufacturers. An example of this is the system run by the Chinese firm Solarman PV.
Solarman PV claimed on their website that they monitor solar installations totaling 195 gigawatts (GW) across 190 nations—approximately 10% of the global solar capacity deployed worldwide.
However, in August 2024, the Romanian cybersecurity company Bitdefender identified a significant flaw in the Chinese software code, which made all of the organization's PV connections to customers vulnerable.
These vulnerabilities were tackled, and the updates were distributed to all clients prior to Bitdefender making them publicly known,” Solarman responded when queried by INSPIRATIONS DIGITAL. He further stated that up until then, they hadn’t uncovered any indications suggesting that malicious parties had taken advantage of these weaknesses, nor was there any substantial harm reported among their customer base.
Key European Union infrastructure under scrutiny from China and Russia
The revelations about how vulnerable Europe's energy systems are to cyberattacks come as several EU member states have reported alleged attacks on their critical infrastructures. Swedish and Latvian investigators are looking into the severing of an underwater cable beneath the waters of the Baltic Sea and German authorities are investigating reports of drone sightings. at military bases throughout the country. Germany's interior ministry has linked the sightings to Russia's war in Ukraine.
In September 2024, a cyber assault targeting a solar facility in Lithuania was attributed to Russian-linked hacker groups by the U.S.-based cybersecurity company Cybel.
Despite Chinese firms leading the worldwide market for solar power technology, multiple cybersecurity specialists informed INSPIRATIONS DIGITAL about vulnerabilities found in systems developed by both U.S. and German corporations.
However, Samantha Hoffman, an independent security consultant associated with the National Bureau of Asian Research, informed INSPIRATIONS DIGITAL that in China, the Communist government "plays a significant role in the research and development process in ways that may not be as prevalent in other countries."
U.S. government agencies think that Chinese hackers have made significant advances into crucial American infrastructures, embedding code within networks that manage power grids. Additionally, there are claims suggesting that China has targeted India’s energy systems. However, China refutes these accusations.
EU proposal aims at crafting a safer digital world?
Meanwhile, the European Union is attempting to curb cybersecurity threats with new regulation. While new regulation requires operators of larger solar installations to have response mechanisms to attacks, the so-called EU Cyber Resilience Act, adopted in October 2024, targets production of smart devices. Manufacturers of digital devices with connection to the internet must ensure that their products have lifetime access to software updates and can disclose possible vulnerabilities with regard to cybersecurity.
The proposed EU bill aimed at boosting cybersecurity, set to be implemented in 2027, might act as a model for comparable laws globally, according to certain specialists.
Edited by: Uwe Hessler
Author: Mathis Richtmann
0 Comments