Solar inverters made by three of the world’s largest manufacturers were found vulnerable to remote sabotage that could have produced large-scale power outages.
Researchers from cybersecurity firm Forescout said in a report released Thursday that they uncovered 46 vulnerabilities in solar inverters from leading vendors Sungrow and Growatt (both based in China) and Germany-based SMA Solar Technology. The flaws — which range from information leakage to buffer overflows to defects in website code — could let hackers collect details about the equipment and its users, inject data into web portals and even overwrite devices’ firmware with malicious code.
Solar inverters convert electricity generated by solar panels into power for businesses and homes, making them a critical link in the chain of solar power equipment. Forescout’s findings underscore how the shift to renewable electricity is increasing scrutiny on the digitally connected equipment underpinning that evolution — especially as threats to the electric grid grow, with China attempting to gain footholds into U.S. critical infrastructure ahead of an expected conflict over Taiwan.
“Vulnerabilities that … allow modifications of the industrial control systems are the type prone for use by adversaries,” Robert M. Lee, CEO of the industrial cybersecurity firm Dragos, said to Cybersecurity Dive. “Over the last few years, we’ve seen a significant increase in the number of state and non-state actors targeting such infrastructure, and as such, visibility into and the mitigation of such vulnerabilities is critical.”
According to Forescout, more than half of solar inverter manufacturers and storage system providers are based in China. Sungrow, Growatt and SMA have each patched the vulnerabilities described in Forescout’s report, including those assigned CVE identifiers.
Cyber vulnerabilities
Growatt inverters were especially vulnerable because of basic flaws in the company’s cloud platform, according to the report. These flaws would have allowed hackers to steal information about Growatt devices and even modify them without logging in to the portal. One vulnerability allowed an attacker to “upload arbitrary files” to the platform, Forescout said, while another exposed lists of authorized users.
Growatt’s web portal contained both insecure direct object reference vulnerabilities and cross-site scripting vulnerabilities, and Forescout said hackers could have exploited either type of flaw to take over a Growatt user’s account and “perform operations on the connected inverter devices, such as switching it on or off.”
Attacks on Sungrow and SMA inverters were more complicated, according to the report, but they likewise exploited basic security failures, including hardcoded login credentials and stack-overflow vulnerabilities. One SMA website was configured to allow unauthorized code execution, while a Sungrow Android application failed to verify security certificates and used insecure encryption, opening it up to man-in-the-middle attacks.
Compromising solar inverters could allow adversaries to cause immense damage to the electric power grid. Forescout’s report described how hackers could tamper with inverters to create a self-perpetuating cycle of power load fluctuations, “leading to grid instability, load shedding, and emergency equipment shutdown.”
Daniel dos Santos, Forescout’s head of research, said in a statement to Cybersecurity Dive that “owners of commercial installations should enforce strict security requirements when procuring solar equipment, conduct regular risk assessments, ensure full network visibility into these devices and segment them into sub-networks with continuous monitoring.”