00:01Power grids are getting ever more complicated.
00:04But what if their connection to the internet becomes a problem?
00:07Photovoltaics, also known as solar panels,
00:10are an increasingly large part of the overall power supply.
00:14If hackers have access to a lot of them and can turn them off at the same time,
00:18that's what could cause blackouts.
00:25But let's go back to the beginning of this story.
00:29So here's the claim that hackers can access solar power plants around the world
00:34and easily turn them off.
00:38But can they cause widespread blackouts?
00:40How serious would the damage be and who might carry out such attacks?
00:44We're meeting a security researcher based in the United States
00:47who is on a mission to educate on cybersecurity.
00:52So if you can see here, this is a solar load device, but just deployed in that region.
00:56So we're going to try some default password here.
00:59Maybe we're going to sync, check solar here.
01:02Nah, it is not working.
01:04So let me try the other one.
01:07There it goes.
01:08DW was able to establish that the system hacked here produces enough electricity
01:13to sustain roughly 241 person households in Germany for a year.
01:17Now the important part here is that this is actually giving extensive privileges here.
01:22It's a complete control of the device, if you ask me.
01:26While DW was able to verify similar security weaknesses on systems in Europe,
01:30the manufacturer for this monitoring setup, the German company Solarlog, told us,
01:36While it is technically possible for a customer to assign a weak password
01:39and provide open access to their network on the internet,
01:42we do not recommend this.
01:45But can the implications be even larger if a hacker has access to many solar installations?
01:54Let's start with the basics.
01:55What exactly is a solar power system and how can it be hacked?
01:58Solar panels harness the energy of the sun and turn it into electricity.
02:04In most setups, this power flows into a so-called inverter,
02:07the device at the center of the story.
02:10This is also the form of current used in the wider power grid,
02:13an interconnected network for electricity delivery.
02:16So, if this homeowner feeds electricity into the grid,
02:20it will be passed on from here.
02:25The inverter connects to a brain, a control unit for this setup.
02:28They are part of the heart and software that users use to turn the system on or off,
02:32to change the settings or check data about their supply.
02:35Crucially though, users generally don't connect to the inverter and its brain directly.
02:39The setup is typically part of the so-called Internet of Things,
02:43devices connected to the internet.
02:45In most cases, the inverter connects to the Wi-Fi
02:48and from there to a cloud platform provided by the vendor.
02:51For this story, controlling energy flow through the inverter and that access to the cloud
02:55will be key to understanding how solar panels can be hacked.
03:00Students here at Aachen University learn about cyber threats to the power grid.
03:04Andreas Ulbic and his team study how the grid evolves
03:06and what challenges two major trends bring.
03:09First, the power renewables generate is less predictable than fossil fuels,
03:12challenging the fragile balance of the grid.
03:15And second, grids are increasingly digitized.
03:19Let's say such a cyber attack on PV installations were successful.
03:23What would you expect as a possible outcome?
03:26I think we would see maybe regional blackouts that voltage levels in certain areas
03:32would go low enough that protection devices would trip
03:35and then a substation would disconnect an area.
03:37So it would mean in an area that has a lot of the inverters that were attacked,
03:42that area may be out of power for a couple of hours.
03:45That would be a nuisance, but it would not be a major disruption to society.
03:51But even if we don't know how much damage the hacking can do,
03:55we do know a little bit about who might do the hacking.
03:59First, let's take a look at global supply chains.
04:02Huawei and SunGro made up half of all inverters sold around the world in 2023,
04:07while China on the whole accounts for the vast majority of the total.
04:11European producers do have a market share, but it's relatively small.
04:15So does that mean China itself might use its market dominance to hack electricity systems,
04:21perhaps for strategic or political ends?
04:24US government agencies believe Chinese hackers have advanced on critical infrastructure
04:28in the United States, planting coda networks that control power grids,
04:31including on the island Guam, where the US entertains a vast military base.
04:36And there are also reports that China has been targeting Indian energy systems.
04:41China denies both allegations.
04:44Voltaifun is the name designated to a cyber threat actor
04:51that governments have said is a Chinese state-sponsored actor.
04:55As for state actors hacking into the grid,
04:58the example of Russia shows you don't need to be a supply chain player to do damage.
05:03The US and the UK believe Russia has launched several cyber attacks on Ukrainian infrastructure,
05:09including its power grid over the last decade.
05:13And an analysis by the Euroelectric lobby group found that almost two thirds of global recorded cyber attacks in 2023 came from Russia.
05:24The European Union recently passed legislation which aims to strengthen cybersecurity for Internet-connected devices and critical infrastructure.
05:33One piece is known as NIS-2.
05:37If you have 50 employees or more and you are an operator, you are affected by NIS-2 and you need to implement risk management measures and cybersecurity incident management.
05:50The idea is that large plants can take immediate action in the event of a cyber attack.
05:55It's part of a suite of measures aimed at improving cybersecurity across Europe.
06:02The Cyber Resilience Act is a brand new piece of EU legislation aimed at making the IoT space safer.
06:08It asks manufacturers to supply updates for the full lifetime of the product, disclose vulnerabilities and design devices with cybersecurity in mind.
06:17This new legislation will come into force in late 2027.
06:21It will apply to all new devices sold inside the European Union,
06:25but it won't fix all of the legacy devices that are already out there.
06:30I think it would be problematic to think that that effort alone would solve the sorts of geopolitical challenges that emerge from these devices and their vulnerabilities.
06:39We highlighted specific cases showing the cyber vulnerabilities of solar power.
06:43It supports what people in the cybersecurity industry told us, that a large part of solar power is vulnerable to attack.
06:50In the coming years, more and more digital devices will enter power grids.
06:54In an era of hybrid warfare, we all need to get serious about cybersecurity.
