A study examined the IT security of solar energy systems. Problems include a lack of encryption during data transfer, standard passwords and insecure firmware updates.
Trend Micro, one of the world's leading providers of cybersecurity solutions, has released a new report examining the IT security of distributed energy systems. The researchers particularly examined the network gateways of solar energy systems - one of the most popular forms of decentralized energy generation. The increasing decentralization of the electricity supply not only represents progress in the energy transition, but also raises new security questions.
Some solar energy systems have safety risks
The study of systems from leading manufacturers such as Enphase, Outback, Phocos, Sol-Ark and Victron focused on how cyber-secure these systems are designed. The popularity of solar and photovoltaic systems in particular is drawing increased attention to their IT security. While the Outback and Phocos systems had no vulnerabilities, researchers were able to identify different security risks at other facilities.
In addition to a lack of encryption during data transfer and problems with standard passwords, potentially insecure firmware updates also pose a risk. Some systems in the test were also vulnerable to attacks in which they were switched off or reconfigured remotely. Two systems examined also classified all data traffic in the local network as trustworthy. This can lead to risks if the system is accidentally connected to the Internet. Additionally, the exact location of some solar energy systems could be identified through unauthorized access to their Access Point (AP) scans. In an emergency, this would enable cyber attackers to specifically target specific regions.
Data security and location dependency
The security researchers also considered issues of data sovereignty and storage location when using cloud services. Depending on the manufacturer, some systems transfer data, for example, to Amazon Web Services (AWS) in the USA or EU, to Microsoft Azure in Brazil, to Alibaba Cloud in China, or to data centers in the Netherlands. These transfers require a high level of trust in the respective cloud service providers and their security precautions. The transfer of sensitive information across international borders not only requires technical reliability, but also compliance with different data protection regulations. This illustrates the complexity and global nature of data security in the context of decentralized energy generation.
It is unlikely that individual exposed devices can cause widespread outages in the distributed energy supply. Instead, attackers could target cloud services that manage and control multiple devices at the same time in order to control them for malicious purposes. The security measures taken by cloud providers are correspondingly important in order to prevent such attacks.
Cybercriminals can take over user accounts with remote management capabilities through methods such as phishing, brute-forcing passwords, or exploiting known security vulnerabilities. Once they gain access, they can manipulate existing data and control the solar energy systems remotely, if cloud services allow this.
Recommendations for protecting solar energy systems
Trend Micro's security researchers provide clear recommendations for action to support system operators and technicians:
- Remote access limitation: It is recommended to limit remote access to the control interface. In particular, direct exposure of systems to the Internet should be avoided.
- Password protection: Changing default passwords and enabling password protection are crucial to preventing unauthorized access.
- Separation of the network interface: The researchers also recommend separating the inverters' network interface from other local networks to reduce vulnerability to potential attacks.
- Collaboration with external IT security experts: You are advised to follow best security practices and consider working with external IT security experts.
“The study results emphasize the importance of a balanced IT security approach in the changing landscape of decentralized energy generation,” said Udo Schneider, Security Evangelist Europe at Trend Micro. “The integration of renewable energy requires not only technical innovations, but also careful consideration of safety aspects to ensure the smooth operation and trustworthiness of these systems. Cybersecurity plays a significant role in ensuring an efficient energy supply.”
More at TrendMicro.com
About Trend Micro As one of the world's leading providers of IT security, Trend Micro helps create a secure world for digital data exchange. With over 30 years of security expertise, global threat research, and constant innovation, Trend Micro offers protection for businesses, government agencies, and consumers. Thanks to our XGen™ security strategy, our solutions benefit from a cross-generational combination of defense techniques optimized for leading-edge environments. Networked threat information enables better and faster protection. Optimized for cloud workloads, endpoints, email, the IIoT and networks, our connected solutions provide centralized visibility across the entire enterprise for faster threat detection and response.
Matching articles on the topic