Solar-power system flaws shine light on Smart Grid threats
Connecting state and local government leaders
A DHS alert on vulnerabilities found in control systems for solar power equipment underscores the importance of security in a complex and varied power grid.
The Homeland Security Department has issued an alert about vulnerabilities in a control system for solar electric systems that could allow unauthorized users to access to the system and execute malicious code.
The equipment is sold by the Italian systems integrator Sinapsi, and although a proof-of-concept exploit has been published, no exploits have yet been reported in the wild. The alert is a reminder of the need to incorporate security into increasingly complex and interactive power grids, however. With the Energy Department funding research and development and implementation of new technology for a Smart Grid, it is imperative that software and hardware be built to emerging standards for IT security.
The alert was issued this month by the DHS Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in response to a published report of vulnerabilities along with an exploit. Italian researchers Roberto Paleari and Ivan Speziale found the problem in a variety of photo electric system control servers and published their findings in September after contacting the vendor without response.
According to the researchers, they found multiple security issues that could allow remote execution of code within the systems by unauthorized users. Management Web pages in device firmware are vulnerable to SQL injection, allowing access in some cases with no authentication. This can expose username and plain text passwords for accounts on the system. There also are some “hard coded” accounts on the equipment with predefined passwords that cannot be changed or removed.
The researchers warned that the same management server is used in a number of control products for solar power systems from different manufacturers and that all probably share the vulnerabilities.
“We are not aware of an updated firmware that corrects the issues described in this advisory,” Paleari and Speziale wrote. “Users should avoid exposing the management interface of the device on the Internet.”
Solar power has been used for generating electricity for years, but usually in stand-alone implementations in devices or buildings. But the Smart Grid now being developed is intended to incorporate a variety of distributed energy sources, including solar and wind power. When they become part of the national power distribution and delivery system, such vulnerabilities could conceivably provide attackers with access to the wider grid.
The Defense Department already is experimenting with such systems. Michael Aimone, director of DOD Business Enterprise Integration, told a House Homeland Security subcommittee earlier this year that the department is developing next-generation microgrids to enable local generation and storage of power on bases. Integrating microgrids with commercial grids could not only protect against outages but also enable better local energy supplies and help balance demand and supply. But it also could introduce new vulnerabilities.
Advanced power grids are not without protection. The National Institute of Standards and Technology has been charged in the Energy Independence and Security Act of 2007 with identifying and developing the technical standards for security and interoperability to ensure that utilities, manufacturers, equipment testers and regulators will be working on the same page. But standards development is a slow process, and security standards are not mandatory for manufacturers or users of equipment in the private sector.
A given vulnerability in a specific piece or type of equipment might not be a big threat to our power system, but it illustrates the need to pay attention to security as we build out new systems.