Trend Micro researchers look into a myriad of areas to assess the security of software and hardware. In the past, we’ve looked at the Automation Identification System (AIS) used to track naval vessels, attacks against the Oil and Gas industry, radio remote controllers, and smart homes, among others. The energy sector is one of the most frequently attacked industries in North America. This is why it is an area that we like to focus on, as it has broad applications and is changing quickly with new technologies being introduced.
Distributed Energy Generation (DEG) systems using solar and wind power are becoming increasingly popular in home environments and buildings to offset the traditional energy grid requirements. However, these systems are susceptible to cybersecurity vulnerabilities like any other critical infrastructure network. Our researchers wanted to assess the security of these devices to identify the types of challenges this technology currently has and what recommendations we can offer the vendors to improve the security of their devices. This research focuses on solar devices due to their popularity, and we partnered with All Energy, who helped us with this analysis. The analysis included 5 popular vendor devices, 3 in North America and 2 in Europe.
We focused on the following:
- The communication protocols
- The hardware
- The software and communication vulnerabilities
- The user interface (UI)
Our research into these items looked at six security concerns we found:
- Password issues
- Trusted local area network (LAN)
- Remote shutdown/configuration
- Access Points (AP} scans
- Insecure firmware update
- Insecure communications
- Data sovereignty
The report reveals significant concerns in communication modules and inverters of DEG devices, which can lead to severe data breaches and energy supply disruptions. I won’t go into the details on this as you can read through this within the research report, but it is safe to say we found issues ranging from weak passwords/no passwords, the ability to remote shutdown the devices, firmware updates only by contacting the vendor, and concerns with data sovereignty. But we did find that many of the vendors have done a respectable job of securing their devices, and we even called out one vendor due to their support of open source, which allowed us to perform a very in-depth analysis of their product.
The consequences of these vulnerabilities are not limited to just technical issues. They pose real security risks to the stability of the energy grid and the privacy of end-users. Insecure DEG systems may even deter people from adopting solar energy due to concerns about data leaks and supply reliability. Having secure communication protocols and data protection in place are not just technical requirements but fundamental to maintaining user trust in renewable energy.
As more people and organizations adopt DEG systems to help power their homes and businesses, this research will help them understand the security concerns within DEG systems. Feel free to check out this research here.