Over 130K PV Measuring and Diagnostics Solutions exposed over the Internet
With its increasing prominence and global adoption, green energy has emerged as a potential target for attackers, posing concerns for both state and private entities in the near future. As renewable energy sources such as solar, wind, and hydroelectric power are adopted more widely, the infrastructure supporting green energy becomes an attractive prospect for cyber threats.
The interconnected nature of green energy systems, which encompass power grids, energy storage facilities, and smart technologies, creates vulnerabilities and misconfigurations that are enticing for malicious actors to exploit. Hence, in times of conflict or heightened tensions, the dependence on green energy systems for power generation and distribution renders them alluring targets.
By exploiting renewable energy infrastructure, attackers can accomplish multiple goals, including destabilizing the targeted region, inflicting economic disruption, undermining energy security, and securing a strategic advantage.
The repercussions of these attacks are far-reaching, leading to the disruption of vital services, compromising the integrity of energy grids, and triggering a domino effect that reverberates across multiple sectors, ultimately impacting the overall functioning of a nation.
Given the wide attack surface that threat actors can leverage in the green energy sector, it is crucial to dissect and understand the major component that plays a significant role in the monitoring and management of PV systems: Photovoltaic Monitoring and Diagnostic Solutions. PV systems are considered Distributed Energy Resources (DER) within the broader context of decentralized energy generation and grid integration.
Photovoltaic Monitoring and Diagnostic Solutions
Photovoltaic diagnostic and monitoring systems are essential in the solar industry as they provide real-time data on the performance of PV installations. They evaluate system efficiency, detect faults, and optimize overall operation.
DERs, such as PV systems, are connected to the electric grid. Monitoring their performance and behavior is crucial for grid integration and management. The monitoring solution provides valuable data on energy generation patterns, load profiles, and grid interactions. This information assists grid operators in managing the integration of PV systems into the grid, optimizing power flow, and maintaining grid stability.
These systems enable operators to assess energy yield, troubleshoot issues promptly, and make informed decisions for system optimization. With remote monitoring capabilities, they enhance management efficiency across multiple locations.
The data collected supports compliance, warranty claims, and research efforts, driving innovation in the solar industry. By integrating with other components and facilitating long-term asset management, these systems contribute to solar PV installations’ reliability, efficiency, and profitability, supporting the industry’s growth and sustainability.
Internet Exposure of Photovoltaic Diagnostic & Monitoring systems
As PV monitoring and diagnostics systems are critical elements in the solar industry, an attack on these systems can have a domino effect affecting multiple entities and operations within a state.
Previous Cyble researcher blogs have discussed the impact of vulnerabilities in one of the control systems used in PV plants globally; see the blog “Photovoltaic Plants PV Facing Risk of Cyberattack”.
CRIL researchers further investigated the internet exposure of these systems to understand the attack surface available to threat actors. They observed that there are over 130K internet-exposed PV diagnostic and monitoring solutions globally. The graph below shows this distribution.
Note: Internet-exposed devices are only assets that might potentially be vulnerable to cyber-attacks. Not all of these devices are necessarily exploitable; rather, the high exposure of these devices provides a large attack surface for attackers.
Given below are screenshots of the assets found during the investigation.
Attacks targeting PV Systems
The operational and maintenance aspects of Photovoltaic (PV) and other green energy systems rely on conventional Information Technology (IT) computing and networking infrastructure, along with internet connectivity, to perform tasks such as remote diagnostics, revenue metering, integration into virtual power plants, condition monitoring, and control of grid support functionalities such as curtailment and reactive power management.
A cyber-attack on PV diagnostic and monitoring systems might have serious consequences for Distributed Energy Resources (DER), including reduced energy production, system instability, physical asset damage, and unique cybersecurity challenges.
Apart from threats like spear phishing, Denial of Service (DoS) attacks, and physical damage to assets, attackers can target PV inverter controls through the internet-enabled PV plant monitoring and diagnostics system. As the exposure of these systems is high, they might become a potential target for malicious hackers. Given below are a few challenges in securing these systems.
Managing vulnerabilities within the PV industry can be a tedious task due to reliance on multiple unique assets, and at the same time, if PV monitoring and measuring solutions run outdated firmware, exploitation of these devices can be quite easy. These systems are web-based solutions prone to vulnerabilities, and state entities and vendors actively release security advisories related to PV monitoring and measuring solutions. Currently, multiple proofs of concept and vulnerability reports for these systems are available in the public domain, which increases the likelihood of exploitation.
Common misconfigurations, such as using factory default passwords, unsecured communication, lack of updates, improper network segmentation, poor access control, etc., give intruders an easier path to manipulating data on these devices. The majority of hacktivist groups rely on misconfigurations to gain access to assets in ICS environments. Malicious attackers can easily bypass the authorization controls of PV monitoring systems if they are exposed over the internet and are still operated with factory default credentials.
The most common and abundant source of access credentials for administrators managing PV monitoring solutions is the logs harvested by information stealer malware. Various stealer malware operators extract and collect these logs and then list them for sale on various dark web marketplaces.
Gaining access to multiple PV monitoring solutions can have a disastrous impact on critical infrastructure (CI) organizations and national services that rely on solar energy and might pose a significant threat to the electric grid.
Targeting PV monitoring solutions can have severe repercussions, extending beyond the energy sector. It can lead to reduced energy production, causing an energy crisis and imbalances in supply and demand. Disruptions in PV monitoring can also affect the transportation sector, particularly electric vehicles, by impacting charging infrastructure and mobility services. Additionally, economic impacts may arise, with businesses facing downtime and financial losses.
Cyberattacks targeting PV monitoring solutions and the subsequent reduction in green energy production can result in power outages, impacting households, businesses, and public services. TAs might also gain a strategic advantage in a war-like situation if they gain access to thousands of PV measuring and monitoring solutions and exploit their underlying vulnerabilities.
Exposing assets vital for operations within nations over the internet increases the risk of cyber-attacks as TAs and Hacktivist groups continuously scan the internet to find assets that can be easily targeted and have a major impact on operations. Researchers at Cyble observed a huge number of PV monitoring assets exposed over the internet that are located globally. In the list of solutions observed during the investigation, multiple solutions might be vulnerable and misconfigured, increasing the risk of cyber attacks. Hence, the operators of these solutions must ensure that the products are updated with the latest patch released by official vendors and are being monitored for intrusions.
Leaving PV monitoring and diagnostic solutions exposed over the internet indicates a lack of basic cyber hygiene, since state and private entities deploy these solutions to monitor critical PV systems, and the unavailability of these solutions might have a high impact on overall operations within a state.
Official vendors and state authorities provide regular updates and alerts on such devices. However, the high internet exposure of these devices indicates that a large chunk of asset owners still lack visibility into their PV monitoring and diagnostic solutions.
- Access Control: Implement strong access controls for your PV monitoring solution. This includes using strong and unique passwords, enabling two-factor authentication, and restricting access based on user roles and privileges.
- Regular Software Updates: Keep your monitoring software and hardware up to date with the latest security patches and firmware updates. This helps to address any vulnerabilities and protect against potential exploits.
- Network Segmentation: Separate your PV monitoring solution from other critical networks and systems. Use firewalls and network segmentation techniques to isolate and protect the monitoring infrastructure from unauthorized access.
- Encryption: Implement encryption protocols to secure data transmission between the PV monitoring components, such as between the monitoring software and the data logger or inverters. This helps to prevent interception and tampering of sensitive data.
- Intrusion Detection System (IDS): Deploy an IDS to monitor the network traffic and identify any suspicious or malicious activities. This allows you to detect and respond to potential security breaches promptly.
- Secure Communication Protocols: Ensure that the communication protocols used in your PV monitoring systems, such as HTTPS, MQTT with TLS, or SSH, are secure and encrypted to protect data integrity and confidentiality.
- Regular Security Audits: Conduct regular security audits and vulnerability assessments of your PV monitoring solution. This helps identify and address any weaknesses or vulnerabilities attackers could exploit.
- User Training and Awareness: Provide comprehensive security training to system administrators and users of the PV monitoring solution. Educate them about best practices for password management, phishing prevention, and safe browsing habits.
- Secure Data Storage: Safeguard the storage of PV monitoring data by implementing appropriate access controls, encryption, and backups. Regularly review and assess data retention policies to ensure privacy and data protection regulations compliance.
- Incident Response Plan: Develop an incident response plan that outlines the steps to be taken in case of a security breach or incident. This includes containment, investigation, recovery procedures, and communication with relevant stakeholders.
- Zero Trust Architecture: Implement a zero trust approach for your PV monitoring solution. This means adopting a security model where every user, device, and network request is treated as potentially untrusted, regardless of their location within or outside the network. Implement granular access controls, continuous authentication, and dynamic authorization to minimize the attack surface and mitigate potential security risks.
- Compliance with International Standards: Ensure that your PV monitoring solution complies with relevant international standards. Adhering to these standards demonstrates your commitment to maintaining a robust security framework and helps establish trust with stakeholders by following recognized best practices.
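As an added illustration of how the misconfigurations named in this report (internet exposure, factory default credentials, plaintext transport, outdated firmware, no MFA, flat networks) can be triaged across an asset inventory so that the weakest exposed devices are fixed first. This is example code, not from the Cyble report or any vendor; the inventory fields, weights, thresholds and sample devices are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class PvMonitor:
    # One PV monitoring/diagnostic endpoint from an asset inventory (constructed shape)
    name: str
    firmware: str            # installed firmware, dotted version string
    latest_firmware: str     # vendor's current release for this model
    internet_exposed: bool   # management interface reachable from the public internet
    default_credentials: bool
    tls: bool                # HTTPS / MQTT over TLS in use
    mfa: bool                # multi-factor authentication enabled
    segmented: bool          # isolated from other networks by firewall rules

def _version(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

CHECKS = [  # (predicate, finding text, weight, doubled when the device is internet-exposed?)
    (lambda d: d.internet_exposed, "management interface exposed to the internet", 3, False),
    (lambda d: d.default_credentials, "factory default credentials still in use", 4, True),
    (lambda d: not d.tls, "plaintext transport (no HTTPS/TLS)", 2, True),
    (lambda d: _version(d.firmware) < _version(d.latest_firmware), "outdated firmware", 2, True),
    (lambda d: not d.mfa, "no multi-factor authentication", 1, True),
    (lambda d: not d.segmented, "not segmented from other networks", 2, False),
]

def assess(dev: PvMonitor) -> tuple:
    """Return (risk score, findings); weights are illustrative, exposure doubles the rest."""
    findings, score = [], 0
    mult = 2 if dev.internet_exposed else 1
    for pred, text, weight, scaled in CHECKS:
        if pred(dev):
            findings.append(text)
            score += weight * (mult if scaled else 1)
    return score, findings

def severity(score: int) -> str:
    return "critical" if score >= 12 else "high" if score >= 7 else "medium" if score >= 3 else "low"

def triage(inventory: list) -> list:
    # Rank devices so the most exposed, weakest ones are remediated first
    rows = [(d.name, severity(s), s, f) for d in inventory for s, f in [assess(d)]]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample inventory (not real assets)
SAMPLE = [
    PvMonitor("plant-A-logger", "2.1.0", "2.3.1", True, True, False, False, False),
    PvMonitor("plant-B-gateway", "2.3.1", "2.3.1", False, False, True, True, True),
    PvMonitor("plant-C-logger", "2.3.0", "2.3.1", True, False, True, False, True),
]
```

Each row of `triage(SAMPLE)` carries the device name, a severity band, the score, and the list of findings, which maps directly onto the recommendations above (rotate default credentials, enable TLS, patch firmware, enforce MFA, segment).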
All the findings stated in this document have been verified and reviewed via our Enterprise platform, Cyble Vision and HUMINT. These data points and observations are valid and accurate for the period discussed in the report and publication time. Cyble is not liable for any action(s) taken based on these findings and any ensuing consequences.
This document is created to share our findings and research with the broader cybersecurity community from an academic and knowledge-sharing standpoint. It is in no way an endorsement of the activities described in the report.
It is an amalgamation of our collective research on this subject and is not a direct promotion of our brand, platform, or services. This report can be shared freely for academic or knowledge-sharing purposes, provided that Cyble is mentioned as the source of your findings.