Solar power generation is managed through the cloud, so a hack could shut it all down at once.



Most consumer and commercial solar panels are centrally managed by a handful of companies, so there is a risk that a hack could shut down a large number of solar power systems at once. Software developer Bert Hubert points out the problem, citing the Netherlands as an example.

The gigantic and unregulated power plants in the cloud - Bert Hubert's writings

https://berthub.eu/articles/posts/the-gigantic-unregulated-power-plants-in-the-cloud/



In EU countries like the Netherlands, solar panels are often managed by foreign companies, and most panels are centrally managed by a handful of companies based outside the EU. These solar panels generate the same amount of electricity as at least 25 medium-sized nuclear power plants, but there are few rules or laws in Europe to regulate such managers, and there is a risk that millions of solar panels could be shut down at the same time by accident or as a result of hacking.

In fact, on August 14, 2024, white hat hackers demonstrated they could control 4 million solar panels, highlighting unexpected vulnerabilities in the power system that underpins our lives.

The EU has built a system called the 'synchronous grid,' which allows thousands of large-scale power plants to share their capacity with each other, making it possible to supply stable electricity to many countries. However, there are concerns that even a small malfunction could spread to the entire network, so the EU imposes strict standards on large power suppliers and monitors them.

However, the solar panels are currently not under scrutiny.



Between the solar panels and the power grid sits an inverter that converts the power from the panels into a form the grid can handle, and the operation and installation of inverters are governed by rules. In particular, in the Netherlands, it is stipulated that only inverters approved by Synergrid, the Belgian electricity and gas network federation, can be installed, but according to insiders, this is not enforced, and there have been cases where unapproved inverters have been installed.

Most inverters are directly or indirectly connected to the Internet, allowing solar panel and inverter owners to connect to the manufacturer through an app or website and check what is happening with their panels via the manufacturer's systems. At first glance, this may seem like a convenient solution, but the ability to connect to many systems means that there are many opportunities for hacking.

'What's surprising is that inverter manufacturers can also turn the power on and off on solar panels installed on the roofs of millions of homes and businesses,' said Hubert. 'If a solar panel or inverter manufacturer's system were hacked, an attacker could distribute a malicious software update, with disastrous consequences. If all the solar panels were turned off at the right time, half of the European power grid could collapse.'

'If you had a control panel to shut down dozens of nuclear reactors at the same time, you'd have to follow all the safety regulations and inspectors would come and check that it was done correctly. The same applies to large-scale solar and wind power generation, but home inverters and solar panels are just ordinary electrical appliances, so there are no inspections and no laws. Yet the management of such appliances is in the hands of just a few companies and is largely unregulated,' he said, calling for the establishment of proper legislation.



In recent years, a new EU directive called 'NIS2' has been emerging, which requires all kinds of service providers to strengthen their security. 'When EU member states implement this directive, they should make it clear that companies that distribute software to solar panels and have the ability to switch many panels on and off are also included in the scope of the directive,' said Hubert.

Additionally, another law, the Cyber Resilience Act, is being developed that will focus explicitly on inverters and solar panels, but potentially also on the associated central control boards, apps and services, Hubert said. 'The Cyber Resilience Act may impose high-level security requirements.'

in Security, Posted by log1p_kr