This is a challenge, but even more so, it is an opportunity to advance the collective technologies towards the attainment of solar cyber security worldwide.
In 2012, a computer virus, dubbed Stuxnet, disabled 1000 of Iran’s 5000 centrifuges, detailing a joint US-Israel cyber security attack on Iran that undermined its nuclear enrichment facilities.
In 2014, Unit 61398, a Chinese hacking group, penetrated the computer networks of major US companies like Westinghouse and US Steel in order to loot trade secrets.
In 2015, grid control center operators in Ukraine watched helplessly as their cursors moved across their computer displays, clicking substations offline. They frantically struggled to retake control until being involuntarily logged out.
And recently earlier this May, the ransomware attack brought global attention to the scale and sophistication that cyber threat can unleash.
Yes, You Read That Correct!
The cyber security threat is real and even the biggest and secured solar installations aren’t immune to it. The digitalization of power grids with increasing connectivity of solar power plants put the PV assets on high risk by illegitimate hackers who can break into the grid security, which can put the power supply at risk.
What started as an industry built upon mechanical and structural engineering elements using solar power, has now an equally robust software engineering component, making it susceptible to cyber security threats.
As reported in Symantec’s Internet Cyber Security Threat Report of 2017, India has been ranked fifth most vulnerable country in terms of cyber security breaches in the world in 2016, after the United States, United Kingdom, Canada and Australia. While India’s vulnerability to cyber attacks is high, cases of data breaches are often underreported in the absence of mandatory legal requirements.
Most people would not consider cyber attacks on solar plants to be capable of causing much damage. Researchers, however, have shown that such threats should not be taken lightly. There are multiple vulnerabilities found in products manufactured by the leading providers of PV assets. A serious cyber attack against solar panels could shut down an entire nation’s power grid.
Due to security vulnerabilities, hackers could disable grids and transformers remotely. Disabling the solar power system and grids at the same time could disrupt the power supply and would result in electrical grids getting knocked offline. Solar plants are part of a global, interconnected network that allows plants to draw power from those who have a surplus available.
The grids are operated based on the expected amount of power generated and power consumed. Any disruption to that balance could result in the shutdown of the entire grid.
Hacking Solar Power Could Be a Thing
Dutch cyber security researcher Willem Westerhof in his report pinpointed a clutch of software flaws in one manufacturer’s solar power inverters he believes could, if exploited widely enough and with clever timing, disrupt the energy grid of an entire country.
Every solar power system has a wall-mounted inverter to convert DC photovoltaic (PV) power generated by solar panels into AC power that can be used by the owner or exported to the grid should any be left over. A growing number of these come with “smart” software interfaces designed to let engineers monitor the inverter remotely while giving customers the fashionable ability to analyze their energy consumption using an application.
According to Westerhof, it is this software layer that creates the opening for attackers. In total, his research, dubbed as Horus Scenario identified 21 vulnerabilities (14 of which have formal CVE numbers) in inverters from German manufacturer SMA.
Westerhof disclosed on how they might be exploited for security reasons, but studying the CVE descriptions revealed a mixture of default and weakly secured passwords, vulnerable remote authentication, dodgy firmware updating and even the ability to induce a denial-of-service state. In some cases, a DoS attack could knock out part of a grid or setting up a TELNET session to the database port of SMA’s Sunny Explorer, crashing the application. In others, the use of default passwords or weak hashing algorithms can leave the operation of solar panels at risk of being hijacked. Other flaws can be exploited remotely, requiring little more than an internet connection to carry out.
Willem Westerhof also states that an attacker can exploit the flaws in solar panels and damage the operations of solar power plants. Such an attack could have far-reaching effects beyond disrupting the harnessing of solar energy at the point of attack.
For a country like India, where solar energy is in the verge of elevation at a given time, such an attack could be devastating. Westerhof noted that it’s too costly for developers to keep large supplies of powers on standby at all times, meaning most countries wouldn’t have the type of energy reserves available to cover the lost production at a plant that falls victim to a cyber attack.
More troubling than the Westerhof detailing the possibility of such an attack is the fact that the vulnerabilities that could be exploited to shut down the entire plant. Westerhof in his report stated that there are certain flaws that affect the inverters, which in turn will hamper the solar panels. The flaws could allow hackers to target the electrical grid by focusing on PV-installations.
One country which would be severely affected by such a hack is Germany, since between 30 and 50 percent of its power demand is covered by photovoltaic panels. A cyber attack on that grid in particular at the right time would take out nearly half of the country’s entire power supply, which would be catastrophic. It could also cause continent-wide power outages due to the way its power grid is interlinked with the rest of Europe. Solar energy cannot be stored indefinitely, and producing new power takes up a lot of valuable time. Cyber Security events on the grid are of significant concern, given the increased deployment of smart grid technologies and other forms of intelligent controls and industrial control systems (ICS).
Increased use of advanced controls increases the vulnerability to both loss of capability due to malware and the hostile takeover of operations. Additionally, there is the potential to merge cyber and physical events. At the moment there has been just midget culture of solar cyber security. The solar industry is not up to date when it comes to updating the software and controlling access. Especially in a country like India, there is no backup of the information from the meter.
The developer is depending on the meter administrator however nobody is contemplating the way that a cyber attack can likewise affect the meters. This claim has point of reference with the United Kingdom enduring shrewd meter assaults. Ukraine has also suffered unprecedented hacks of its power grid infrastructure. With such circumstances, the risk solar industry faces cannot be overstated.
Energy Sector Ups Cyber Security
The digitization of the grid system and the proliferation of renewable energy create opportunities for hackers that haven’t been fully explored. An unplanned malicious attack, however, gives no room to prepare backup solutions. It would effectively cripple some countries’ power grids altogether, although it remains to be seen just how long that effect would last. Technological advancements within the grid improve reliability and capacity, but can introduce new vulnerabilities in cases where additional means of remote access are added or where redundancy is reduced. Other advancements may reduce inherent vulnerabilities in design or remove the potential for human errors.
At the same time, the dependence of the public, business, government, schools, hospitals, and other critical infrastructure on reliable and secure electricity continues to grow, increasing overall sensitivity to the impacts of outages and disruptions, regardless of the cause. Ensuring the security and resilience of the electric grid is critical to both the owners and operators of infrastructure, as well as government authorities.
Concerns about the cyber security of the electric grid are widely recognized and shared. The fundamental issue at stake is to determine next steps for improving grid security and how to prioritize these steps among all of the other issues that face the industry. The potential for malicious hackers to access and adversely affect physical electricity assets of U.S. electricity generation, transmission, or distribution systems via cyber means is a primary concern for utilities. But in the last few months, several notable clean energy companies have taken steps to reduce the risk of a breach. The solar energy sector is sharpening its focus on solar cyber security amid growing concerns about cyber threats.
Utility owners and operators, whether investor-owned, municipal or cooperative, generally are responsible for making system improvements. However, without timely and specific information on the ways in which equipment could be damaged or disrupted by adversarial threats, it is difficult for them to properly prioritize changes, upgrades, and mitigation efforts that could improve physical security.
Utility executives now understand the business impact of solar cyber security, making it easier to justify improvements, at least in some cases. Actionable threat and risk assessments are needed to optimize owner/operator investments in both new technology and the replacement of aging infrastructure to improve security. These investments also need to be appropriately valued by state public service commissioners when they evaluate rate cases.
The good news is that grid operators recognize the threat and their reliability practices have so far kept the power system “secure and up to date. There had been no successful cyber attacks against Indian utilities that caused permanent or long term damage to power system operations. But, experts have cautioned, there has been “a steady rise in cyber and physical security related events since May 2017.
The grid security is perhaps the most critical element in the continued evolution of the energy sector. Every participant across the solar value chain from hardware manufacturers to project owners needs to aggressively neutralize the very real threat of cyber attacks. The energy industry is focused on securing grid assets ranging from power plants and substations to smart-metered customers.
Industry’s response to an increasing number of physical threats has been to invest in better security systems and barriers to protect critical infrastructure. Additionally, the need to have a secure software and programs is must, which will allow bulk power system asset owners and operators to network with one another in order to facilitate the sharing of transmission and generation step-up transformers and related equipment in the event of an emergency or other non-routine failure.
Cyber Security Climate in India and Beyond
As India sets ambitious target for renewable energy sector growth, a number of opportunities have opened up. These include inverters, back up facilities, smart grids, net metering, distribution management systems for large solar parks, and Green Energy Corridors.
And it has not been long that the electricity sector in India has started deploying smart grid technologies with the hope that they will play a central role in strengthening this sector so it can provide the clean, quality power the country needs to meet developmental, environmental, and political goals. Smart grids are equipped with information and communication technology (ICT) that helps to improve operational efficiency, but ICT also introduces cyber threat vulnerabilities.
The US Industrial Control Systems – Computer Emergency Response Team (US ICS-CERT) has published numerous reports on vulnerabilities in software and hardware that are used in India, including SCADA software. National cyber security standards for smart grids and regulation enforcing them are not in place. The Indian smart grid institutional and regulatory environment is weak and the problem is exacerbated by the extreme debt of electricity distribution companies.
Due to insufficient regulation of information sharing and incomplete institutions to facilitate it, information on cyber attacks and equipment vulnerabilities is nearly non-existent. But we can infer from the international cyber security climate that the energy sector is a target of increasingly sophisticated attacks. Additionally, the national climate shows that India is generally unsecure in cyberspace.
As global cyber security threats pose daunting risks to the electricity sector, governments must do all they can to facilitate information sharing and best practices. In India, the processes are underway to create strong institutions for information sharing and attack mitigation through sectoral CERTs and ISACs but there is much left to do.
The state of regulation is in the same position. As utilities deploy more ICT they will be the first line of defense against cyber attacks, but the government Keeping Power Safemust lead the way. The next year will be in focus as the government moves to finalize standards and institutions as utilities simultaneously roll out smart grid projects, hopefully while giving cyber security the importance it deserves.
Michael Walstrom from International Policy Institute Cyber Security Policy Fellowship in his report mentions that standards and regulations are also incomplete. The Bureau of Indian Standards has created some standards for SCADA systems, but in order to create a mechanism for statutory control over the implementation of such standards state level electricity regulatory commissions need to pass smart grid regulations, or the Central Electricity Authority (CEA) must issue guidelines that will apply to utilities across the country.
The Forum of Regulators issued model smart grid regulations that will allow state regulators to mandate standards, but adopting is not moving quickly. Similarly the Ministry of Power is looking over guidelines for critical information infrastructure in the power sector. Until these regulations are put in place cyber security will be guided by limited and very general guidelines such as the functional requirements for advanced metering infrastructure (AMI) put out by the CEA in August 2016.
Standards and regulations only guide utilities as they create a cyber security posture; most important is cyber security awareness throughout an organization and keeping a finger on the pulse of cyber risks and vulnerabilities. State utilities have been requested to create a chief information security officer position to act as a nodal officer with CERTs and ISAC, which will be a big step in the right direction. But it seems this has been nothing more than a standing recommendation.
Keeping Power Safe
Any software that has network access, security software and data infrastructure should be continuously monitored and kept up-todate to stay defensive against the latest cyber threats. Energy sector has been now cautious enough to up its cyber security amid the growing IT threats.
In India to enable comprehensive cyber security policy compliance, the government mandated implementation of security policy within government agencies in accordance with the Information Security Management System (ISMS) Standard ISO 27001. Computer Security Guidelines have been issued for compliance within government and are being circulated to all departments and ministries. Cyber security drills are being conducted to assess preparedness for critical organisations. The Five Year Plan on Information Security also states guides on standards.
Nationwide Information Security Education and Awareness Programmes have been implemented to create necessary cyber security awareness through formal and informal programmes. This is the officially recognized national or sector-specific research and development (R&D) program/project for cyber security standards, best practices and guidelines to be applied in either the private or the public sector. A number of other R&D projects have been supported at premier academic and R&D institutions in the identified thrust areas like cryptography and cryptanalysis, steganography, network and systems security assurance, network monitoring, cyber forensics and capacity development in the area of cyber security.
Michael Walstrom from International Policy Institute Cyber Security Policy Fellowship in his report also mentioned financial state of distribution companies is worth mentioning.
Many electricity distribution companies have trouble paying for the electricity that they supply. Cyber security is a matter of economics as much as anything else. Companies must be willing to consistently upgrade infrastructure, as well as maintain the staff to perform tasks like patching software and altering configurations on field equipment. If utility company leaders don’t give cyber security its proper importance, no amount of regulation will secure assets in this critical infrastructure sector.
There are various ongoing activities and programs of the Government to address the cyber security challenges which have significantly contributed to the creation of a platform that is now Keeping Power Safe capable of supporting and sustaining the efforts in securing the cyber space.
Due to the dynamic nature of cyberspace, there is now a need for these actions to be unified under a National Cyber Security Policy, with an integrated vision and a set of sustained & coordinated strategies for implementation.
With cyber threat looming around the vulnerable energy assets, its time for the government to foster and promote enhanced cyber security within the renewables sector. It may require a further push from governments and/or regulators to mandate measures and practices to achieve awareness and preparedness on a broader scale.