Solar Power System Vulnerabilities Could Result in Blackouts

Power grids across the world are at risk of damaging cyber-attacks following the discovery of extensive vulnerabilities in leading solar power system manufacturers.

Researchers from Forescout’s Vedere Labs warned that these vulnerabilities present realistic power grid attacks that could cause emergencies and blackouts.

Renewable energy sources, such as solar, are a growing target for cyber-threat actors, with these systems rapidly becoming essential elements of power grids throughout the world, especially in the US and Europe.

The report highlighted three significant cyber incidents in 2024 that exploited solar power systems, leading to an FBI industry notification in July 2024 warning about threats to renewable energy resources.

The Vedere Labs analysis focused on the top six manufacturers of solar power systems worldwide.

In three of these – Sungrow, Growatt and SMA – widespread new vulnerabilities were discovered, many of which could be used to disrupt or damage power grids.

No significant weaknesses were found in the other three manufacturers – Huawei, Ginlong Solis and GoodWe.

Sungrow and SMA patched all the reported issues and published advisories about the fixed vulnerabilities.

Growatt acknowledge and fixed the issues, but the researchers said the process took much longer and was less collaborative.

New Vulnerabilities Could Result in Grid Failures

The discovered vulnerabilities were present across numerous components within solar power systems.

These include the panels generating direct power, PV inverters that transform the direct power and connect it to the grid, serial communication dongles used to connect the inverter to the internet and cloud services to collect inverter metrics, visualize them, monitor and manage PV plants.

The researchers discovered 46 new vulnerabilities affecting different components across Sungrow, Growatt and SMA.

These vulnerabilities can be exploited in a variety of ways:

• Execute arbitrary commands on devices or the vendor’s cloud
• Enable account takeover
• Gain a foothold in the vendor’s infrastructure
• Take control of inverter owners’ devices

The report posited that some of the newly discovered vulnerabilities could have been used to conduct coordinated large-scale cyber-attacks that target power generation and ultimately, grid failures.

Hijacking Inverters

The researchers found that there were several attacks that could have been used to obtain control of Growatt and Sungrow inverters.

Growatt inverters are particularly susceptible because control can be achieved via the cloud backend only, according to the findings.

This would allow attacker to gain full access to the user’s resources, solar plants and devices, meaning that inverter configuration parameters can also be set and changed.

One scenario is attackers performing operations on the connected inverter devices, such as switching it on or off, while impersonating the legitimate user.

For Sungrow inverters, possible scenarios include exploiting one of the discovered stack overflow vulnerabilities by publishing crafted messages that could lead to remote code execution on communication dongles connected to the inverter.  

Once an attacker has taken over entire fleets of inverters, they can use this position to amplify the attack in a way that causes maximum damage to the grid.

In a proposed attack scenario, the researchers said that threat actors could modulate the power generation of inverters, taking advantage of a primary control system trying to stabilize the grid frequency via power response.

When the primary control decreases the load at its maximum capacity, the attack will reduce all of its load immediately, forcing the primary control to raise the load in the system followed by an immediate increase of the load by the attack, and so on.

This process will cause the frequency to fall outside of its safe range, leading to grid instability, load shedding and emergency equipment shutdown.

Other Attack Scenarios

The researchers highlighted other possible ways attackers could use the vulnerabilities to damage power networks and their customers. These include:

• Exploiting insecure direct object references (IDOR) to access sensitive personal data, thereby impacting the privacy of millions of people
• Hijacking smart home devices in a user’s account that may be controlled by design by an inverter’s energy management system capabilities
• Causing a financial impact on utilities and grid operators by deploying ransomware and manipulating energy prices, such as altering settings to send more or less energy to the grid at certain times

Vulnerabilities of Modern Power Generation Solutions

The Vedere Labs researchers said the findings demonstrate many of the assets used in more modern power generation solutions, such as solar inverters, communication dongles and their cloud backends, are just as vulnerable as the operational technology (OT) integrated into the traditional grid.

These assets are difficult to defend as they are much more distributed.

Another notable finding from the report was the dominance of Chinese firms in the development of solar power components.

Among the top six vendors analyzed, five are headquartered in China, with just one, SMA, from Europe.

Additionally, 53% of solar inverter manufacturers are based in China, while 58% of storage system and 20% of monitoring system manufacturers are based also based in the country.

This dominance of China represents a national security threat to nations like the US, given the country’s reported intrusions into critical infrastructure organizations, the researchers noted.

 Authorities have previously warned that China has pre-positioned itself to launch destructive cyber-attacks on these critical services in the event of a military conflict.