Cybersecurity, solar energy and the electric grid

A group of Russian hackers claims to have identified security gaps in widely-used solar panel monitoring software.  The monitoring platform's developer is said to be fixing the gaps -- but can hackers damage the electric grid?

Solar panels supporting Goblin Valley State Park, Utah.

German company Solare Datensysteme GmbH makes a series of devices to track and monitor solar panel performance.  Its "Solar-Log" product line monitors the performance of solar photovoltaic systems and uses an internet connection and software to offer users additional management tools.  According to the company's website, Solar-Log systems manage roughly 229,300 solar plants that producing an aggregate average of 5.66 terawatt-hours (TWh) per day.

According to an article on tech website The Register, a Russian hacking firm known as Positive Security has warned that the previous Solar-Log software was vulnerable to malicious cyberattacks that could cause power grid reconfiguration and cascading blackouts.  The article claims that attackers could download and modify Solar-Log configuration files without needing propert authentication.  Files could be compromised to change user passwords and run code provided by the attacker.  The article suggests that malicious hackers could manipulate "specific power-generation related values", letting users could overstate the amount of power pumped back into grids by their solar installations.

The exact details of the weaknesses identified by Positive Security is being kept secret until the Solar-Log maker can distribute a patch shoring up system security.  As with past bugs, it is likely that Solare Datensysteme and other product makers will continue to plug holes in their cybersecurity, as new flaws are exposed and as systems evolve.  But solar panel monitoring systems are not the only energy-related infrastructure vulnerable to hacking; items ranging from utility smart meters to utility-scale power generator controls may be at risk of compromise from outside forces.

A series of regulations are designed to protect the grid against these threats.  The Federal Energy Regulatory Commission has approved mandatory cybersecurity reliability standards for the U.S. bulk power system.  Acting under its authority pursuant to the Energy Policy Act of 2005, through Order No. 706 the Commission has approved a series of Critical Infrastructure Protection (CIP) cyber security reliability standards proposed by electric reliability organization North American Electric Reliability Corporation (NERC).  Both NERC and the Commission continue to evaluate further changes to those standards, along with other standards bolstering the physical security of the electric grid.

New cybersecurity threats crop up regularly, prompting product developers, service providers, and regulators to engage in a continual effort to identify, block, and protect against threats to the electric power system.  For developers of energy technologies or projects, compliance with key regulations is a critical element of this protection, as is taking a proactive view to ensure safe and reliable operations.  While it is hard to predict the next front in this war, count on it to be ever shifting.