cross-posted from: https://feddit.org/post/1885722
Here is the original article in Dutch (gated)
While wind turbines, which are highly networked and equipped with hundreds of sensors, are traditionally considered more vulnerable to outside interference than solar panels, a Dutch citizen may have proved otherwise.
A Dutch white hat hacker could have gained control of millions of smart solar panel systems, using a backdoor.
The findings confirm a 2023 report by a Dutch agency which found that converters, essential parts of solar panels that make the electricity suitable for the power grid and which are usually connected to the web, can be “easily hacked, remotely disabled or used for DDoS [Distributed Denial of Service] attacks.” DDoS is one of the most common types of attacks, which basically try to overwhelm a system.
EU industry association SolarPower Europe said the bloc “needs more robust cybersecurity rules for distributed energy sources” in a statement commenting on the hack.
The share of solar power in the European grid has surged from 1% in 2010 to 9% in 2023, and with it the disruptive potential of a cyberattack on solar panels has likewise grown.
“Devices that can be centrally co-ordinated or managed (for example, aggregated rooftop solar installations) must be subject to an EU or nationally authorised layer of monitoring,” stressed Dries Acke, deputy CEO of the lobby group.
A report by the EU’s own cybersecurity agency from 24 July found that the union is ill-prepared for a concerted attack on its energy infrastructure, whether by a foreign state or by malicious insiders.
With electricity being so essential, any attack on Europe “attracts considerable pre-positioning activity by advanced threat actors” in the power sector should they aim at “executing a destructive attack” it adds.
Solar panels were outlined as a vulnerability in several scenarios, also due to the dominance of a single country, China, in the supply chain.
The industry says that while laws like the updated EU Network and Information Security Directive, known as NIS2, and the Cyber Resilience Act are a start, more action is needed: solar panels should be classified as a critical product, which means they’d be subject to more rigorous assessments.
These concerns come as the EU’s home-grown solar industry cites cybersecurity as a reason why they should receive preferential treatment, which would help them regain market share from Chinese competitors.
“Future-looking cyber requirements should come under an EU Electrification Action Plan,” said Acke, adding that “Europe must learn from its recent lessons in energy security, and map a secure path forward.”