Thousands of converters, which allow the electricity from the solar panels to run into the main grid, are so poorly protected that people with bad intentions could disable the equivalent of dozens of power plants, all at once, with just one switch.
As part of his graduation research, Willem Westerhof examined converters made by market leader SMA (annual turnover in 2016: 1 billion euros) from 1 August 2016 to 31 January 2017. He discovered that these devices are poorly protected. Exploiting solar panels can lead to an imbalance between supply and demand so large that it can cause the power network to fail. Experts have confirmed that this may even lead to the failure of large parts of the entire European power network. The losses due to such a power failure, apart from the human suffering, may run into billions of euros.
The lack of legislation and control over the digital security of such devices poses a great risk. “Certification and accountability of private companies should also be high on the political agenda,” says Willem. Most (industrial) Internet of Things devices are developed and designed purely for functionality. The security aspect is not included in the design. Manufacturers argue that this is due to a lack of knowledge, resources, and money. It seems that money will win out over security in the future. “It only has to go wrong one time before people start taking this more seriously and want to take action.”
At the end of 2016, ITsec presented Willem’s findings to SMA, TenneT and the NCSC (National Cyber Security Centre). More than half a year has passed since then, and little has happened, despite the fact that, according to ITsec, all the parties have acknowledged that there is a problem. ITsec refers to the report to draw attention to the problems that may arise if no measures are taken. “We have been advocating for safe programming and legislation in the field of digital security for years now,” says Erik Rutkens, the Director of ITsec. The recent outbreaks of WannaCry and Petya prove the urgency of this. Computers can be silently infected with specific malware for months, with the sole purpose of striking at the right moment. As of now, nobody feels the urgency to do something about it, but if Europe falls flat because of this, it will obviously be too late.
View Willem Westerhof’s presentation at SHA2017 via YouTube.
Read the full article on Volkskrant.