It is February 22, 2019, and Saba is celebrating. The local electricity company SEC speaks of “a historic moment for both the Saba Electric Company and for the island of Saba”.
For the first time in the history of Saba, two days earlier, between 3 and 5 p.m., the power was supplied entirely by solar energy. A day later, the diesel generators in the power plant stop at 8 o’clock in the morning. Two solar parks and a storage system ensure the energy supply, clean and environmentally friendly.
On sunny days, all diesel generators can stand still for up to ten hours and Solar Park Saba supplies the energy to the population of around 2,000 residents. Thanks to the storage system, SEC saves around 300 liters of diesel per hour.
The 2.3 MWh installation was supplied by the German SMA Sunbelt Energy GmbH. The company operates worldwide and is no stranger to the region. For example, at the end of 2017, SMA completed a similar project on St. Eustatius.
In addition to the environment and shareholders, SMA also takes cyber security seriously. It has issued guidelines “for secure communication with PV installations” (for “PV”, see box). According to the company, the document applies “to all products that are connected to each other within a network for PV plant communication and that can be connected directly or indirectly to the Internet via communication media.” The information is intended for installers and operators of PV installations with SMA inverters.
What are the risks according to SMA? There are quite a few of them. “Systems that are interconnected via the internet and that are not specially protected can be misused to penetrate into a client’s network (i.e. beyond the internet router). This means that almost all devices connected to the network can be attacked,” warns SMA.
Once inside the network, still according to the company, malicious parties can search for usernames, passwords and other confidential data. They can access the devices on the network to carry out all kinds of other attacks or to manipulate devices. User behavior can also be observed, for example to prepare a burglary.
The possible consequences are serious, and SMA lists them as well. For example, there is a risk of financial loss due to lost income from energy generation. Things can also go wrong when applying the rates for feed-in to the electricity grid or for energy consumed for own use. For example, a customer could claim that, due to poor security, the registration of energy consumption is (or has been) unreliable, and use that as a reason to suspend or refuse payment.
Other risks are damage to devices, identity theft, negative effects on the stability of the public electricity grid, and even loss of the license to connect to the public electricity grid, as well as legal consequences.
SMA does not leave it at warnings, but also offers a number of solutions. One of these is: “Ensure that unauthorized persons cannot gain physical or virtual access to products from SMA and others via the devices connected to the network.”
Good intentions aside, what matters is that SMA’s guidelines are actually followed. But has that happened? To get an answer, we have to return – digitally – to Saba and the Solar Park. Here too, the installation is connected to the internet, but not nearly as securely as the supplier would like to see. With a specialized online search engine it is fairly easy to find an IP address. A connection can be made to the park’s “SMA Hybrid Controller” using this address.
fig 1: login screen
For the time being we only see an overview when we connect. A password is required to continue in the system. The aforementioned guidelines are clear enough about this:
“Make sure that all passwords set at the factory have been changed to self-created passwords at the time of commissioning. Factory-set passwords are widely known”.
Retrieving the factory password appears to be a piece of cake in this case. The supplier is very service-oriented and offers all sorts of manuals on the website in numerous languages. For example, under “tech-tips monitoring” we read:
fig 2: ‘Change the default password 000 into another, safer password’
0000 … Can it be…?
Yes! Almost a year after “the historic moment”, the standard password is still usable. This way we enter the SMA Hybrid Controller of the Saba Solar Park:
fig. 3 and 4: several screens after being logged in
In the case of Saba Solar Park, is there anything else to be discovered? Yes, sure! But what do we read in a manual?
“The hybrid controller continuously monitors the output power of the SMA inverters, as well as the operating status of all generators and loads in the local electricity grid. Based on this, the hybrid controller controls the SMA inverters and adjusts its output power if necessary.”
This touches on one of the risks that we have not yet mentioned. According to SMA, malicious hackers can ‘gain access to devices included in the network to manipulate transmitted data and thus trigger responses from higher order systems’.
This is where it ends for us. Saba and its circa 2000 residents are too dear to us to take the risk that we inadvertently turn off the lights. We also like to stay on the right side of the law. We have therefore reported our findings to supplier SMA Sunbelt Energy, to electricity company Saba and to Island Governor Jonathan Johnson.
Comments SMA Sunbelt Energy
To get an idea of the possible risks, we asked supplier SMA Sunbelt Energy the following questions:
Can you confirm that, because of this vulnerability, hackers could have been in full control of the solar plant? And does this mean that the power plant could have been shut down and/or rebooted by someone who gets access to the controller?
- Due to an insecure implementation, it would have been possible for attackers to set the power settings of this PV system. The installer did not follow SMA’s instructions and security advice.
- We double-checked the technical specifications communicated to the customer before he installed this PV system. The document defines very clearly that VPN and firewall/s are needed for a secure integration.
- Your findings are assessed as misconfiguration, not as a vulnerability.
What is the company’s policy regarding standard passwords and the start-up of new plants? Do your colleagues brief the personnel of the plant, for instance, about (online) security risks?
- We definitely advise installers to set individual and secure passwords immediately during installation (please see link above). Secondly, we advise them to separate the PV systems from direct internet access (no port forwarding). Unfortunately, the installer – in this case – failed to do each.
Could our findings be reason for SMA to review the manuals, when it comes to publishing default passwords? Will SMA take any other measures maybe and if so, which ones?
- In the meantime, we have corrected the configuration of this PV system in cooperation with the customer – immediately after your report.
- Of course, we will review our manuals and will improve the processes as we do on a regular basis. Once again, we will emphasize the password change need, for example.
- In addition, we monitor PV systems by a random sample approach by Shodan to gain more security awareness to the customers.
- We also have a training program running on this topic. The aim is to train all installers to implement a cyber secure installation in every PV system.
(This article is also published, in Dutch, in the Antilliaans Dagblad of March 7th, 2020)