SEC’s energy network on Saba has been wide open for cyber attacks. Negligence in the installation of the solar system allowed malicious parties to take over the entire electricity grid. Not much was needed for this: entering “0000” when the password was requested, was sufficient.
The security leak was found by our own investigation. Supplier SMA Sunbelt Energy confirms the findings and speaks of a ‘wrong configuration’. “Due to an insecure implementation, it would have been possible for attackers to set the power settings of this PV system”, a spokesperson of SMA replied by e-mail. “The installer did not follow SMA’s instructions and security advice”. Because it is an installation error, it can be safely assumed that the network has been fully accessible all this time since it was put into use more than a year ago.
The vulnerability has been reported to both SMA and SEC and Island Governor Johnathan Johnson of Saba. “Immediately after your report, we have corrected the configuration of this system in collaboration with the customer”, wrote the SMA spokesperson.
Since February 2019, the electricity has come to Saba for a large part of two solar parks and a storage system. On sunny days the diesel generators can stand still for up to ten hours. Thanks to the storage system, SEC saves around 300 liters of diesel per hour.
(This article is also published, in Dutch, in the Antilliaans Dagblad of March 7th, 2020)