Renewable energy sources, including solar power systems, are rapidly becoming essential elements of power grids throughout the world — especially in the US and Europe. However, cybersecurity for these systems is often an afterthought, creating a growing risk to grid security, stability, and availability.
In our new SUN:DOWN research, we analyzed different implementations of these systems. Our findings show an insecure ecosystem — with dangerous energy and national security implications. While each residential solar system produces limited power, their combined output reaches dozens of gigawatts — making their collective impact on cybersecurity and grid reliability too significant to ignore.
In the full report, we review known issues and present new vulnerabilities found in the products of three leading solar power system manufacturers: Sungrow, Growatt, and SMA. We also discuss realistic attack scenarios against the power grid that could cause emergencies or blackouts, and we provide recommended risk mitigation actions for owners of smart inverters, utilities, device manufacturers, and regulators.
Summary of Findings
- We cataloged 93 previously disclosed vulnerabilities in solar power systems and analyzed trends:
- On average, more than 10 new vulnerabilities were disclosed per year over the past three years
- 80% of those have high or critical severity
- 32% have a CVSS score of 9.8 or 10, which generally means an attacker can take full control of an affected system
- The most affected components are solar monitors (38%) and cloud backends (25%). Relatively few vulnerabilities (15%) affect solar inverters directly
- Due to growing concerns over the dominance of foreign-made solar power components, we analyzed their common countries of origin:
- 53% of solar inverter manufacturers are based in China
- 58% of storage system manufacturers and 20% of monitoring system manufacturers are based in China
- The second and third most common countries of origin for components are India and the US
- New vulnerabilities:
- We analyzed six of the top 10 vendors of solar power systems worldwide: Huawei, Sungrow, Ginlong Solis, Growatt, GoodWe, and SMA
- We found 46 new vulnerabilities affecting different components in the products of three of those vendors: Sungrow, Growatt, and SMA
- These vulnerabilities enable scenarios that impact grid stability and user privacy
- Some vulnerabilities also allow attackers to hijack other smart devices in users’ homes
Impact on Grid Security
The new vulnerabilities, which have now been fixed by the affected vendors, could allow attackers to take full control of an entire fleet of solar power inverters through two attack scenarios described in the report.
Once in control of these inverters, attackers can tamper with their power output settings or switch them off and on in a coordinated manner, operating the fleet as a botnet. Across a large enough fleet, the hijacked inverters produce a significant swing in generation on the grid. Whether that swing becomes an emergency depends on the grid's reserve generation capacity and how quickly it can be activated.
The example we discuss in our full report is the European grid. Previous research showed that control over 4.5GW of generation would be enough to bring the frequency down to 49Hz, the threshold at which load shedding is mandated. Since current solar capacity in Europe is around 270GW, attackers would need to control less than 2% of installed solar capacity, in a market dominated by Huawei, Sungrow, and SMA.
Recommendations
- Treat PV inverters in residential, commercial, and industrial installations as critical infrastructure:
- Follow NIST guidelines for the cybersecurity of smart inverters in residential and commercial installations
- Follow DOE recommendations for industrial installations
- Owners of commercial and industrial installations should:
- Include security requirements in procurement
- Conduct a risk assessment when setting up devices
- Ensure network visibility into solar power systems
- Place solar power devices in their own network segments and monitor the traffic in those segments
- Device manufacturers should:
- Implement secure software lifecycle practices
- Conduct regular penetration testing
- Adopt defense-in-depth strategies, including web application firewalls in front of web-facing components
- Have communication links audited by third parties against standards and regulations such as ETSI EN 303 645, the Radio Equipment Directive (RED) and the Cyber Resilience Act (CRA)
- See the Conclusion and Recommendations section of the full report for complete details
How Forescout Can Help
Passive vulnerability matching for the new CVEs, which supports risk assessment and segmentation decisions, has been added to the CVE database of Forescout eyeInspect and eyeFocus.
Forescout eyeInspect customers can download the latest vulnerability bundle and install it locally to detect vulnerable devices on their networks. Forescout eyeFocus customers benefit from real-time deployment of content on the cloud, so they can detect vulnerable devices just by searching for specific CVEs on their dashboard.
Forescout eyeInspect can also detect exploitation attempts against Sungrow devices using the Threat Detection Add-ons v1.29 script.