Smart inverter vulnerabilities threaten the electric grid:
The biggest risk occurs during high-demand times. If enough solar DERs suddenly go offline during a critical period, there might not be adequate alternative energy sources that can come online immediately, or the available alternatives are much more expensive to operate. Attackers can produce similar results merely by changing the data that DERs send to utilities. Tansy offers the example of making a 10-kW array appear as a 1-megawatt (MW) system to the utility. If the utility tries to draw more capacity than is available from one or more solar DERs in a time of need, service quality will suffer and brownouts might occur.

“Solar arrays are pretty simple in their operation, but they’re complicated in their management,” says Gregory Pollmann, principal industrial threat hunter at Dragos. “You have to manage battery assets. You have to manage the solar arrays themselves. And both of those things are usually integrated into the building automation management system that is located within that organization.”

DERs connect to the grid to sell over-generation to the utility. “Usually there’s an observation connection from the public utility, and there’s also a management connection from the organization that actually owns the asset,” says Pollmann. “Theoretically, if those things were compromised, an adversary may have access to the power generation asset that’s owned by the organization or could possibly swim upstream to public utility assets.”

“Therein lies the risk that’s magnified when you’re talking about the proliferation of devices,” Pollmann adds. “If a public utility provider has 100,000 customers in a region and 5% are installing DERs, that’s 5,000 connections, and that’s 5,000 devices. And all of a sudden, the attack surfaces to both the organizations that are installing the DERs and possibly the public utility are expanded at an alarming rate.”

That said, Pollmann believes it would be difficult for an adversary to create a widespread power outage by exploiting DERs. “Each one of those connections are at an individual level on the DER side,” he says. “On the public utility side, that may be as possible, because the public utility represents the many to few relationship to all those DER assets. I think an adversary with means, with intent, would just go after the public utility and not spend time on individual compromise of DER assets.”

Utilities bench-test network and physical assets before bringing them online, says Pollmann, to ensure they meet certain levels of cybersecurity and physical security objectives. With DERs, they rely on the product to meet a rigorous manufacturing standard. “There’s some concern from the utility side that none of those things can be validated from their position.”

Nation-state adversaries are just as likely to leverage solar DERs to disrupt the grid as cybercriminals, says Tansy. In fact, it happened last year when the Russian-backed group Just Evil attacked Lithuania’s state energy holding company Ignitis Group through its solar monitoring system. “[Solar DERs] are a good way for a well-heeled adversarial nation-state to find a way into the overall grid,” he says.

“We are in the middle of intensifying global competition among superpowers, specifically players like China, Russia, and their surrogates in the United States,” says Tansy. “And we have an electrical grid that is overwhelmingly supplied by product that comes straight from mainland China. These are the solar inverters and the battery inverters; they are software driven. When the software needs to change, as often as not, it’s being changed and updated from a control system based in Beijing. That’s about as simple and plain as I can put it.”

Best practices for securing solar DERs:
Too often when companies plan their solar DER projects, “cybersecurity just doesn’t come up,” says Tansy. “[The energy sector] is 100% regulation driven. If there’s not a rule that you need to have a security program in place, you’re not going to get one.”

Several organizations have developed DER security best practices and frameworks. They include:
NIST IR 8498, Cybersecurity for Smart Inverters from the US National Institute of Standards and Technology (NIST)
Cybersecurity Baselines for Electric Distribution Systems and DER from the National Association of Regulatory Utility Commissioners (NARUC)
The Distributed Energy Resource Cybersecurity Framework from the US National Renewable Energy Laboratory (NREL)

Some key points from these documents and industry experts include:

Vet the security of the product and services providers. Consider things like fire safety and cybersecurity, such as whether it’s protected from remote access or where your data is stored, Sadot says. He suggests asking the installer questions about who else has access to your data and control of your devices, where the data is stored, and how they are protecting it. A US Cybersecurity and Infrastructure Security Agency (CISA) document has a list of questions to ask providers about their security standing.

Assign security responsibilities to capable staff. They might be IT, OT, or a dedicated security team. The organization may also look for services providers.

Use strong access control and authentication practices. Change all default passwords and credentials that are preconfigured on the device. Use multi-factor authentication (MFA) for access to those devices and related accounts. Create, modify, or delete roles, credentials, and permissions as needed. Implement role-based access control (RBAC) so that only staff assigned to perform needed tasks have permission to do so. Inverters might have roles for installers, the electric utility, third-party operators, and staff responsible for maintaining the DER.

Configure the event log to capture data that would be needed should a security event occur. Inverter event logs will provide critical information that will help security teams analyze an unexpected event. This includes:
All user authentication attempts along with the identities associated with them
Changes to the smart inverter configuration settings including the identities of those making them
The creation or deletion of user accounts
Software and firmware update records and whether the update was manual or automated
All communications such as loss of connectivity or connections to a network
Actions made directly from the inverter’s control panel

Monitor the event log and key network activity to watch for anomalies, to ensure that logs are being collected and stored correctly, and to ensure the communications connections remain secure. “Many organizations lack real-time awareness of their OT network traffic, making detection and response difficult,” says Jeppson.

Protect all communications connections. A smart inverter might connect with the device manufacturer, a third-party operator, an electric utility, or other devices at the location. Common practices for protecting communications include:
Use a dedicated cellular connection for inverter-to-utility connections.
Restrict communications with the system owner to the inverter’s control panel.
Perform updates using a portable storage device such as a USB drive.

Separate the inverter from other network activity. “Too many systems remain flat, increasing the attack surface,” says Jeppson.

Keep the software and firmware updated. Boonstra recommends following good asset and patch management practices, knowing what versions of software you are running, and checking it against vulnerability databases.

Keep regular backups of the system and test their integrity. “Be prepared. Have backups. Test your backups. Test your emergency plan,” says Boonstra. He also recommends not installing backups locally and conducting penetration testing exercises on the DER.

Disable features that are no longer used. This might include remote access protocols, guest or anonymous user access, or wireless communications.

Remove the smart inverter from the system when no longer needed. Attackers love connected but forgotten IoT devices as they decrease their chances of discovery.
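
The event-log and monitoring practices above can be turned into simple review rules. The following is an added example, not code from the article or from any inverter vendor: the JSON-lines log format, field names, role names and thresholds are all assumptions, and the sample events are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical JSON-lines format (real inverter logs differ).
SAMPLE_LOG = """\
{"ts":"2025-03-01T02:00:05","type":"auth","user":"operator","ok":false}
{"ts":"2025-03-01T02:00:40","type":"auth","user":"operator","ok":false}
{"ts":"2025-03-01T02:01:10","type":"auth","user":"operator","ok":false}
{"ts":"2025-03-01T02:01:30","type":"auth","user":"operator","ok":true}
{"ts":"2025-03-01T02:03:00","type":"account_created","user":"operator","new_user":"svc2"}
{"ts":"2025-03-01T02:05:00","type":"config_change","user":"svc2","role":"utility","setting":"export_limit"}
{"ts":"2025-03-01T02:10:00","type":"firmware_update","user":"svc2","mode":"manual"}
{"ts":"2025-03-01T14:30:00","type":"comm","event":"link_up"}
"""

CONFIG_ROLES = {"installer", "maintainer"}  # assumed: only these roles may change settings
MAX_FAILS, FAIL_WINDOW = 3, timedelta(minutes=5)
MAX_GAP = timedelta(hours=6)  # assumed: a healthy inverter logs more often than this

def analyze(text):
    """Return (rule, timestamp) pairs for events a reviewer should look at."""
    events = sorted((json.loads(line) for line in text.splitlines() if line.strip()),
                    key=lambda e: e["ts"])
    alerts, fails, prev = [], {}, None
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if prev and ts - prev > MAX_GAP:  # silence may mean logs are not being collected
            alerts.append(("log_gap", e["ts"]))
        prev = ts
        kind, user = e["type"], e.get("user")
        if kind == "auth":
            recent = [t for t in fails.get(user, []) if ts - t <= FAIL_WINDOW]
            if e["ok"]:
                if len(recent) >= MAX_FAILS:  # success right after a burst of failures
                    alerts.append(("login_after_failures", e["ts"]))
                recent = []
            else:
                recent.append(ts)
            fails[user] = recent
        elif kind == "config_change" and e.get("role") not in CONFIG_ROLES:
            alerts.append(("config_change_by_unexpected_role", e["ts"]))
        elif kind in ("account_created", "account_deleted"):
            alerts.append((kind, e["ts"]))
        elif kind == "firmware_update" and e.get("mode") == "manual":
            alerts.append(("manual_firmware_update", e["ts"]))  # confirm against a change record
    return alerts

if __name__ == "__main__":
    for rule, ts in analyze(SAMPLE_LOG):
        print(ts, rule)
```
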
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3829736/why-attackers-target-companys-solar-energy-system-and-how-to-stop-them.html