A Dutch security researcher claims to have found vulnerabilities in internet-connected solar panel equipment installed throughout Europe, which could potentially be exploited by hackers.
Willem Westerhof, a cybersecurity researcher at ITsec, says he has found 21 security flaws in power inverters, which convert direct current from the panels into alternating current that goes into electricity grids.
According to Volkskrant, the Dutch newspaper that first reported the story, Westerhof has suggested that the vulnerability exists in thousands of internet-connected inverters. He has noted that the vulnerability affects devices made by various manufacturers throughout Europe, and confirms that those made by German specialist manufacturer SMA Solar Technology are among them. All manufacturers were notified of the flaws in December 2016.
Potentially disastrous consequences
Due to this vulnerability, Westerhof has suggested, hackers would be able to access these devices remotely, giving them control to alter the flow of power or switch them off simultaneously to disrupt power grids supplying electricity across the continent.
“In Europe there is over 90 GW of [photovoltaic] power installed. An attacker capable of controlling the flow of power from a large number of these devices could therefore cause peaks or dips of several gigawatts, causing massive balancing issues which may lead to large-scale power outages,” he warned.
In response to Westerhof’s claims, SMA issued the following statement: “Please be assured that the security of our devices has highest priority for SMA in all respects and that we do everything we can to protect our inverters and communication products against cyber-attacks. We already assessed the mentioned issues on a technical basis and work intensively on the correction. The stated potential security issues only affect older SMA products and only a very few products in our portfolio.”
The company has assured customers that only the Sunny Boy models TLST-21 and TL-21 and the Sunny Tripower models TL-10 and TL-30 are affected and that all other products comply with the latest security standards.
A surprising discovery
According to the BBC, Westerhof claims to have discovered the security flaws while working on his undergraduate thesis, and revealed them in a talk at the SHA2017 security conference in the Netherlands on Monday.
Westerhof did not release the full details of these vulnerabilities to the public, in order to avoid encouraging malicious hackers.