The power supply in Europe is seriously compromised by a vulnerability in solar panels. This was discovered by Willem Westerhof, a full-time ethical hacker at ITsec (part of Insite Security), during his internship at this company. Thousands of converters, which allow the electricity from the solar panels to run into the main grid, are so poorly protected that malicious people can disable the equivalent of dozens of power plants, all at once, with just one switch.
As part of his graduation research, Willem Westerhof examined the converters of the market-leading company SMA (annual turnover in 2016: 1 billion euro) from 1 August 2016 to 31 January 2017. He discovered that these devices are shockingly . Exploiting solar panels can cause such an imbalance in supply and demand that the power network will fail. Experts confirm that this may even lead to the failure of large parts of the entire European power network. The losses due to such a power failure, apart from the human suffering, may run into billions.
The lack of legislation and oversight covering the digital security of such devices poses a great risk. “Certification and accountability of private companies should also be high on the political agenda,” says Willem. Most (industrial) Internet of Things devices are developed and designed purely for functionality. Security is not part of the design. Manufacturers cite a lack of knowledge, resources and money as the reason. Money in the wallet today seems to win out over security in the future. “It only has to go wrong once and then one wants to take action.”
At the end of 2016, ITsec presented Willem’s findings to SMA, TenneT and the NCSC (National Cyber Security Centre). More than half a year has passed since then and little has happened, even though, according to ITsec, all parties have acknowledged that there is a problem. ITsec refers to the report to draw attention to the problems that may arise if no measures are taken. “We have been advocating for safe programming and legislation in the field of digital security for years now,” says Erik Rutkens, the Director of ITsec. The recent outbreaks of WannaCry and Petya prove the urgency of this. Computers can be silently infected with specific malware for months, with the sole purpose of striking at the right moment. For now, nobody feels the urgency. But once Europe falls flat, it is obviously too late.
View Willem Westerhof’s presentation on SHA2017 via YouTube.
For more information, you can contact ITsec via Erik Rutkens +31 6 53 317 977 or Tim Sluis +31 6 22 555 000.
Read the full article on Volkskrant.