Solar power shines light on security for the renewable energy industry

Solar power plants have massive numbers of vulnerable internet-connected devices. Its recent focus on cybersecurity is awakening the rest of the renewable energy industry to the threat.

A hand holds a lightbulb swathed in leaves and surrounded by symbols of renewable energy.
ipopba / Getty Images

Cyberattacks on energy companies are becoming more common. State-sponsored groups such as Hexane or DragonFly target them routinely to sabotage operations and steal intellectual property (IP) while criminal groups try to extort money with the ransomware attacks like the one that hit Portugal’s Energias de Portugal (EDP) recently.

Renewables such as solar are a small part of the energy industry but has its own large and largely unaddressed cybersecurity issues. “In the past, I don’t think the developers that built the solar plants didn't really have security on their radar,” says Rafael Narezzi, CIO/CISO at renewable asset management firm WiseEnergy, which manages solar assets totaling around to 1.2 gigawatts with plans to reach 4 gigawatts in two years. “Their focus was on developing and building the assets, rather than the risks that need to be managed for operating assets. They didn’t look sufficiently on the security cyber-hygiene of the aspects [of connecting assets to the internet].”

Narezzi says that some of the first cybersecurity pen test results he saw exposed a broad set of issues, including “CCTV that had been hijacked with cryptojacking malware, passwords left in the communications room, weak passwords on the routers, and routers already compromised and used as proxies -- even malware that was getting distributed by one of the assets.”

The distributed nature of the assets along with the lack of vertically integrated manufacturers are some of the reasons behind the cybersecurity challenges within the renewables space, says Christopher Blauvelt, director of operational technology, eastern region, at Fortinet. “Usually, you’ll have one supplier for the panels, another supplier to the support structures, another supplier for the solar tracking, and another supplier for the inverters,” he says. “All these third parties don’t always share the same knowledge or understanding of cybersecurity best practices.”

“To combat any risks associated with a lack of vertically integrated manufacturers, you need to look at the control protocols,” adds Blauvelt. “These are often chosen based on what is the least expensive to implement and integrate, which leads to the adoption of older control protocols with little to no security.”

Deral Heiland, IoT research lead at Rapid7, notes that incorrect deployments are a common issue. “Solar power solutions, like most internet of things (IoT) technology, must be able to communicate with the internet, but not be directly connected to the internet because doing that would expose them to potential attacks,” he says. “Unfortunately, this is not always the case.”

Compounding this problem, Heiland says, are unchanged default, weak or reused passwords used for remote management. Poor patch management is another problem area. He recommends that the industry use the security baseline recently released by NIST documented in NISTIR 8259 and 8259A.

Cyberattacks on renewables are a real threat

One reason for this laissez-faire attitude, says Narezzi, is that it was assumed that knocking out communications to solar farms would be inconvenient, but wouldn’t interrupt operations. Recent proofs of concept and real-world attacks have shown that cyberattacks are a real threat for renewables.

In 2017 researchers at the University of Tulsa found that a lack of segmentation among wind turbines could lead to an entire farm being taken hostage. Blauvelt says the same vulnerability exists within the solar power plant networks. “Addressing the issue of distributed networks could be solved by better segmentation of said network and preventing inverters from being able to communicate with each other.”

Blauvelt believes the effect of these issues could be severe. Solar power plants are generally constructed in rural areas due to the land requirements where distribution grids are weak, and this could amplify the effects of an attack on the inverters. “Parameter changes in the inverters can lead to voltage fluctuations that damage equipment in businesses and homes,” he says. “They can also be used to put the grid into a state where protection systems will operate, causing loss of power and unintentional islanding. Therefore, ensuring there is better segmentation of the distribution network and solid monitoring between sites and panels can help prepare a solar power plant for an attack.”

A SHA2017 presentation showed the potential damage of a successful cyberattack on solar panels to the the wider energy grid. Dubbed the Horus Scenerio, Dutch researcher Willem Westerhof discovered 17 vulnerabilities in inverters and demonstrated how a widespread attack on vulnerable sites would be akin to an unexpected solar eclipse. Where solar eclispses can normally be predicted and the shortfall in solar power compensated for via other power sources such as wind farms or coal plants, large expected shortfalls in in power generation could cause large-scale power failures, especially on grids that use significant amounts of solar power.

“The researcher came out with a proof of concept that he could hijack the inverters and actually blow them out,” says Narezzi. “That was a red flag, and I think people start to look more to the cybersecurity side [of solar farms].”

While not on the same scale as the Horus scenario, what is thought to be the first publicly known cyberattack involving a solar company occurred in 2019. sPower, a Utah-based renewable energy provider, fell victim to a DDoS attack exploiting a known vulnerability in its Cisco firewall. Though it didn’t lead to a power outage, the event did cause signal interruptions resulting in lost connection with its power generators.

Another reason that security previously wasn’t top of mind for many companies in the renewables space may have been the lack of regulation to compel them to act, especially in Europe.  “In the US, for example, there is very severe regulation in terms of cybersecurity. You can lose your license,” Narezzi says. “[In the EU] why don’t they give fines, make companies lose their license, and make things more severe, and how do you apply the fine to someone who is producing energy?”

While WiseEnery is too small to come under the purview of the EU’s NIS Directive on security, Narezzi says the US has a stricter regulatory environment for utilities that need to be adhered to.The NIS Directive allows regulators to issue fines of up to £17 million in the UK, but no such punishments have been issued.

The renewable energy business has been making progress on security. This year SolarEdge, a large solar company, announced it would embed security technology to perform continuous runtime integrity checks to protect its invertors.  Researchers at Lawrence Berkeley National Lab and University of Arkansas are investigating ways to make solar inverters more secure.

Steps to improve security at solar sites

While he admits he still has a “way to go,” Narezzi says WiseEnergy is taking measures to protect its assets against ongoing risks and create better ways to orchestrate all the assets under the company’s management. Part of that program is regular penetration testing.  “I like to swap or replace vendors very often, for example for pen tests, because it gives you better visibility than using the same one,” he says. “Every time you have a new vendor on the pen test they want to show off, so I think the first time is better than the second time in terms of results.”

The use of non-secure wireless networks is another potential area of risk, according to Fortinet’s Blauvel, and an issue that can only be solved if owner/operators use communication mediums that can be monitored and secured. This is a risk WiseEnergy has also identified, and the company is replacing satellite communications with 4G on sites to removes sites from the open internet and reduce management overhead and complexity.

“Satellites used to be good at a time,” says Narezzi, “but today, in the UK, for example, we have very good 4G coverage. The traditional method we were using before was a satellite with a public IP and a router on the other side. With 4G we’re less visible for attacks and we have a VPN that controls everything and have visibility of operations.”

Narezzi says he is using M2M – a managed 4G service dedicated to IoT devices – to create a private network of IoT devices owned by the company and controlled by the provider. The contractors provide the infrastructure for hundreds of SIM cards all connected via VPN, which reduces efforts around configuration and management, and reduces the attack surface.

While he described 4G as “solid” enough for the company’s current needs, Narezzi expect 5G to have a massive effect by removing bandwidth limitations and enabling the deployment of far more IoT devices. “I wish I could have 5G today, but I think this is going to take time,” he says. “Many parts of our operation are on farms and areas that don't have enough coverage, but the government is doing something and will help us as indirectly [by providing more rural coverage].”

Copyright © 2020 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)