A new cybersecurity report from Forescout Technologies has unveiled significant vulnerabilities in solar power systems that could potentially destabilize power grids and compromise consumer data privacy.
The report, titled “SUN:DOWN – Destabilizing the Grid via Orchestrated Exploitation of Solar Power Systems,” details several key findings:
- Forty-six new vulnerabilities were found that affected top solar inverter manufacturers, including Sungrow, Growatt, and SMA. These vulnerabilities enable situations that impact grid stability and user privacy. Some vulnerabilities also allow threat actors to hijack other smart devices in users’ homes.
- High-severity risks persist – Over the past three years, an average of 10 vulnerabilities have been disclosed annually in solar power systems, with 80% ranked as high or critical severity. Nearly one-third (30%) of these had a CVSS score of 9.8–10, which generally means an attacker can take full control of an affected system.
- Geopolitical concerns in solar supply chains – More than half of solar inverter (53%) and storage system (58%) manufacturers are from China. Also, 20% of monitoring system providers also originate from China, raising security concerns over foreign-controlled energy infrastructure.
According to Barry Mainz, Forescout CEO, “The collective impact of residential solar systems on grid reliability is too significant to ignore – hospitals could lose access to critical equipment, families could go without heat in the winter or AC in a heatwave, and businesses could shut down. Threat actors increasingly target critical infrastructure, making it essential to take them seriously and secure solar inverter systems before vulnerabilities lead to real-world disruptions.”
Taking Full Control
The new vulnerabilities, which have now been fixed by the relevant vendors, could enable bad actors to take full control of an entire fleet of solar power inverters via a couple of scenarios.
“Once in control of these inverters, attackers can tamper with their power output settings or switch them off and on in a coordinated manner as a botnet. The combined effect of the hijacked inverters produces a large effect on power generation in a grid. The impact of this effect depends on that grid’s emergency generation capacity and how fast it can be activated, the researchers said.
For instance, Growatt inverters were found to be susceptible to cloud-based takeovers, enabling malicious actors to seize control of solar plants and user devices remotely. Also, vulnerabilities in Sungrow inverters could enable malefactors to hijack systems using insecure direct object references (IDORs) and hardcoded credentials, which could lead to remote code execution and full system control.
“By exploiting these weaknesses, hackers could manipulate solar power generation at scale, triggering coordinated load-changing attacks that could destabilize power grids. The resulting impact could include emergency power shutdowns, grid disconnections, and even widespread blackouts,” Vedere Labs said.
Threatening Grid Stability, National Security
Daniel dos Santos, Head of Research at Forescout Research – Vedere Labs, said: “Solar power systems are rapidly becoming essential elements of power grids throughout the world, but persistent security flaws threaten both grid stability and national security,” said. “To mitigate these risks, owners of commercial installations should enforce strict security requirements when procuring solar equipment, conduct regular risk assessments, ensure full network visibility into these devices, and segment them into sub-networks with continuous monitoring.”
For a deeper analysis of the vulnerabilities, potential attack scenarios, and mitigation strategies, Forescout has made the full research report available online.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.