All it takes is one hacker and a batch of faulty solar panels to threaten the safety of Europe’s electric grid.
Vangelis Stykas, a cybersecurity consultant, said he figured out how to do it. Using a laptop and smartphone at his home in Thessaloniki, Greece, Stykas bypassed firewalls in panels around the world and gained access to more power than runs through Germany’s entire system.
The “white-hat hacker,” who tests software so companies can fix flaws, said he got far enough inside the controls that he could have turned the devices off, dramatically tipping the supply-demand balance for the power network. Such a drastic fluctuation could stress a grid to the point where it shuts down as a fail-safe, he said.
The exponential growth of rooftop solar systems means millions more connection points to the grid, creating a massive vulnerability that hackers could exploit. The most serious impact may be cascading grid failures across the continent. That risk is a growing concern for utilities and governments dealing with more cyberattacks every year.
“We are growing increasingly dependent on these devices, but even as they become critical national infrastructure, they are not fully secure,” said Stykas, 41, co-founder of security firm Atropos.ai. “If these can be hacked, that leaves Europe’s grid, which underpins our entire lifestyle, vulnerable.”
The average number of weekly cyberattacks on utilities worldwide doubled within two years to about 1,100, and they’re occurring more frequently as digitalisation takes hold, the International Energy Agency said. The European Union suffered more than 200 reported cyberattacks on energy infrastructure last year, and that number has “largely increased in recent years.”
Romania’s Electrica SA, which supplies about 4 million people, said this week it was “under a cyberattack” and was coordinating its response with national authorities. Critical power supply systems weren’t affected, the cybersecurity directorate said Wednesday.
“There’s some naivete about the risk,” Harry Krejsa, director of studies at the Carnegie Mellon Institute for Strategy & Technology in Pittsburgh, told the Columbia Energy Exchange podcast last week. “It should be more of a concern than is widely perceived today.”
Hostile intentions can range from greed (ransom payments or market manipulation) to terrorism (putting nations in the dark) to war (see Russia’s cyberattacks on Ukraine’s power systems). In Japan, hackers took over solar monitors and used them to steal from bank accounts, local media reported.
Instigators can range from a small group of “hacktivists” motivated by ideology to a state-supported battalion working around the clock.
The threat is serious enough that NATO ran a security drill in Sweden to find and fix vulnerabilities in solar, wind and hydroelectric systems.
The military alliance says it’s the world’s first such exercise, and the scenario comes amid wars in Ukraine and the Middle East, and the West’s fracturing relationships with Russia and China. The latter is the biggest maker of solar panels.
“When we look at the security threats for renewable energy systems, they look very different from what we are used to,” said Freddy Jonsson Hanberg, director of September’s NATO sessions. “You have a huge number of opportunities for attacks against those systems. They are vulnerable.”
The EU’s biennial Cyber Europe exercise in June focused on energy for the first time. The hypotheticals included responding to state-directed threats against operators of power distribution systems and gas storage sites.
Taking down a nation’s electric grid would be an extreme outcome given that utilities fight off cyberattacks every day and their most critical systems are typically behind multiple layers of security.
As solar proliferates, those tasked with patching any flaws struggle to keep pace with those exploiting them. Germany connected more than 1 million panels to people’s homes and businesses last year - more than the previous six years combined.
The IEA has forecast that 100 million households worldwide will rely on rooftop solar panels for energy by 2030. That’s quadruple the current amount.
“Solar technology has graduated from being the cool new tech gadget to becoming critical infrastructure - with everything that implies,” said Uri Sadot, cybersecurity program director for Israel-based SolarEdge Technologies.
Yet progress carries a potentially dangerous flip side. The clamor for equipment is squeezing far-flung supply chains, forcing some energy companies to deal with less-established manufacturers they may not have done business with before.
Many of those makers focus on keeping prices low, so they’re not spending money on experienced programmers to design sophisticated protection software.
“The speed at which the sector is growing means that people may not be investing as much into risk management and security as they ordinarily would,” said Dick O’Brien, principal intelligence analyst at cybersecurity provider Symantec.
In his tests to control the panels, Stykas targeted circuits called inverters that are connected to the cloud and convert sunlight into electricity for the grid.
A bad actor could turn the inverters off, infect them with malware or plant digital booby traps for activation later. Stykas told the makers he cracked their firewalls, but only some made fixes, he said.
Earlier this year, attackers accessed about 800 solar power monitoring devices made by Japan-based Contec and used them as pathways to steal from bank accounts, according to local media. The hackers exploited back doors installed surreptitiously, the manufacturer said in May.
Contec makes equipment for power plant operators to track generation and operations at solar stations. The company was aware of vulnerabilities as far back as 2021, when it urged customers to update their software.
A spokesman declined to comment.
As Europe’s biggest economy and industrial heartland, Germany is a high-value target. The country has earmarked tens of billions of dollars for clean technology add-ons and upgrades to help cut carbon emissions by two-thirds this decade.
Solar vulnerabilities “are a cause for concern” and “the risk is growing,” the regulatory Federal Network Agency said. RWE, Germany’s biggest electricity producer, has cybersecurity “at the top of its agenda,” spokesperson Sarah Knauber said without elaborating.
Next door in the Netherlands, consultant Secura identified 27 scenarios in which a cyberattack could significantly disrupt solar installations and, consequently, “hit the energy sector as a whole.”
The UK has a high penetration of renewables, especially wind. More than 95% of energy companies surveyed - including some producing clean power - suffered major disruptions from cyberattacks in the past year, according to Kaspersky Labs, a security provider. The primary threat was posed by smart devices, the respondents said.
The EU has implemented a handful of laws in recent years to bolster cybersecurity defenses. The European Commission is working on new rules to strengthen protections for solar devices, but they will give companies as long as 18 months to comply. A spokesman declined to comment.
The first report assessing the bloc’s readiness was released this month, and it listed energy as one of the top 10 targets for hackers. Supply chains were especially vulnerable.
“If we don’t take it seriously, then people are going to lose trust in the network,” said Nathan Morelli, head of cybersecurity at SA Power Networks in Australia, which has the highest solar penetration in the world. “That ultimately impacts our ability to encourage growth and further development in renewables.”