Solar and wind power plants have massive security gaps, as research by the magazine shows Plus minus. Medium and small systems in particular are poorly protected against hacker attacks.
“This facility is a disaster, it shouldn’t even exist!” The insider has been working in the field of renewable energies for years and would therefore like to remain anonymous. What he just discovered on the internet within five minutes is the control of a huge solar park in North Rhine-Westphalia. The system achieves an output of 14 megawatts. That is enough electricity to power a city of 50,000 people during the day in summer. “I could turn them off now,” he says. On his desktop in front of him are selection fields that he can use to manipulate the system. A dangerous vulnerability – almost spare an invitation for criminal hackers.
The solar system in North Rhine-Westphalia was otherwise only inadequately protected – with a password that was preset when the PV system (photovoltaic system) was set up and was never changed. The insider can find the password by searching online in the manufacturer’s operating instructions. In the meantime, the security gap in this system has been closed.
The insider reveals Plus minus further security gaps in renewable energy systems. With the help of freely accessible search engines and corresponding terms, he searches for unencrypted IP addresses of control portals, filters them and can find out the location, performance and much more useful information about wind and solar parks within a few minutes. Hundreds of these open login pages for control portals for wind and solar parks can be found openly on the Internet.
Login pages freely accessible
Experts such as Stephan Gerling from the IT security company ICS CERT Kaspersky estimate that around 2500 such unencrypted solar systems can be found throughout Europe. Taken together, that would equate to a capacity of around 2.8 gigawatts, or the output of two nuclear power plants, he estimates.
For the IT security expert Michael Tenten, it is absurd that such sensitive systems are still accessible on the Internet today. The problem is not that the default password can be found in the operating instructions. The problem is rather that the IP addresses of the log-in pages can be found unencrypted on the Internet and not encrypted in a secure VPN line, says the Plus minus-Insider.
There are plenty of reasons to be more alert when it comes to cyber security and renewable energies: just last year, three large companies from the wind power industry fell victim to cyber attacks within a few weeks. First, around 6,000 Enercon wind turbines lost their internet connection. It was collateral damage as a result of a Russian hacker attack on a satellite, but the company still lost millions. Only a few weeks later it hit the wind turbine manufacturer Nordex; and a few weeks later Deutsche Windtechnik AG from Bremen.
This company believed that it was well prepared against such attacks and had protected its systems. Fortunately, only the office network was affected by the cyber attack, not the more than 7,500 wind turbines. But even a comparable small, successful attack cost the company an incredible amount of capacity, recalls CEO Matthias Brandt. He sees a lot of catching up to do in terms of cyber security, especially for medium-sized and small power generators.
Network stability of the power supply at risk
According to the Bitkom industry association, around 200 billion euros in damage is recorded every year in Germany alone as a result of cyber attacks. A large part of this is attributed to so-called ransome ware attacks. Hackers gain access to a company network, encrypt all files and their backup copies unnoticed and virtually flip the switch overnight. Then nothing works for the attacked company. The victim is promised that the data will be handed over in return for payment of a ransom.
A targeted cyber attack on various operators or producers of renewable energies could quickly become a problem for the grid stability of the power supply. IT security expert Michael Tenten no longer believes that at least a brown-out, i.e. a regional power failure, can be ruled out. You have to be prepared that much more is possible “than we can possibly imagine at the moment.” It commemorates the sabotage attack on the Nord Stream pipeline. “You couldn’t imagine that something like this could really happen.”
It’s only a matter of time, he says Plus minus-Insider when cybercriminals target renewable energy plants. The “impacts” are getting closer and closer. He is surprised that it hasn’t really “smashed” yet. Those responsible still only see IT security as a cost factor. Nobody would think of getting rid of fire alarms or fire extinguishers just because there wasn’t a fire yet.
You can see more on this and other topics today at 9:45 p.m. on Plusminus in the first