Dive Brief:
- Nearly 35,000 solar power devices are remotely manageable and openly accessible to anyone from anywhere in the world, according to a new report from industrial cybersecurity firm Forescout.
- These exposed devices with internet-accessible management interfaces, which are made by 42 different companies, include equipment that is essential for operating solar energy infrastructure, according to the Tuesday report.
- Some of the management interfaces may include password protections, but Forescout said that virtually none of them needed to be online and that any exceptions should be placed behind VPNs.
- The 10 vendors with the greatest number of exposed devices have each disclosed vulnerabilities in the past decade, which raises the risk posed by their devices sitting exposed on the public internet.
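The two findings above (management interfaces that should not be reachable from the internet, and discontinued devices with known vulnerabilities) can be turned into a simple inventory check. The script below is an added example written for this page; it is not Forescout's tooling or anything from the report. The device names, vendors and addresses are constructed, the TEST-NET addresses (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) stand in for real public addresses, and the "internal" ranges, the `vpn_only` flag and the severity scale are assumptions chosen for illustration.

```python
"""Added example: flag solar-device management listeners that are reachable from
the public internet, or that belong to discontinued devices. Nothing here comes
from the Forescout report; the inventory records are constructed."""
import ipaddress

# Assumed "internal" ranges: RFC 1918, loopback, link-local and IPv6 ULA.
# Any management address outside these is treated as internet-routable.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed sample inventory (hypothetical devices and vendors).
# TEST-NET addresses stand in for public ones; vpn_only means the listener is
# only reachable by VPN clients (assumed to be enforced by a firewall rule).
SAMPLE_INVENTORY = [
    {"device": "monitor-01", "vendor": "VendorA", "mgmt_ip": "203.0.113.10",
     "port": 80, "vpn_only": False, "supported": False},
    {"device": "inverter-02", "vendor": "VendorA", "mgmt_ip": "10.20.0.5",
     "port": 443, "vpn_only": False, "supported": True},
    {"device": "inverter-03", "vendor": "VendorB", "mgmt_ip": "198.51.100.7",
     "port": 443, "vpn_only": True, "supported": True},
    {"device": "logger-04", "vendor": "VendorB", "mgmt_ip": "192.0.2.44",
     "port": 8080, "vpn_only": False, "supported": True},
]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    # A v4 address is never "in" a v6 network (and vice versa); ipaddress
    # returns False for the mixed case instead of raising.
    return any(addr in net for net in INTERNAL_RANGES)


def assess(record: dict) -> tuple[str, list[str]]:
    """Return (severity, findings) for one management listener.

    A listener counts as exposed when its address is not internal and it is
    not restricted to VPN clients. A discontinued device gets no vendor fixes,
    so exposure is rated worse for it.
    """
    findings = []
    exposed = not is_internal(record["mgmt_ip"]) and not record["vpn_only"]
    if exposed:
        findings.append(
            f"management port {record['port']} reachable from the internet; "
            "take it offline or put it behind a VPN")
    if not record["supported"]:
        findings.append("device is discontinued; no vendor fixes expected")

    if exposed and not record["supported"]:
        severity = "critical"
    elif exposed:
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "none"
    return severity, findings


def audit(inventory: list[dict]) -> dict[str, tuple[str, list[str]]]:
    """Map device name -> (severity, findings) for every device with a finding."""
    result = {}
    for rec in inventory:
        severity, findings = assess(rec)
        if findings:
            result[rec["device"]] = (severity, findings)
    return result


def exposure_summary(inventory: list[dict]) -> dict[str, int]:
    """Count flagged devices per severity, for a quick operator dashboard."""
    counts = {"critical": 0, "high": 0, "medium": 0}
    for severity, _ in audit(inventory).values():
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for device, (severity, findings) in audit(SAMPLE_INVENTORY).items():
        print(f"[{severity.upper()}] {device}")
        for finding in findings:
            print("   -", finding)
    print(exposure_summary(SAMPLE_INVENTORY))
```

The inventory in a real deployment would come from the operator's asset database rather than a hard-coded list, and the internal ranges would be the plant's actual address plan; the point of the check is that a device never appears in the "exposed" bucket unless someone can explain why it is there.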
Dive Insight:
The transition to renewable energy sources and the increasing digitization of the power grid have combined to create serious cybersecurity risks. Forescout’s latest findings illustrate how the absence of secure design practices in critical infrastructure devices can also endanger people’s lives and present opportunities to destabilize entire regions.
Forescout’s report — based on a scan of public IP addresses using the Shodan search engine — contains details about the distribution of solar equipment with internet-accessible management interfaces. For example, these devices are more prevalent in Europe and Asia than elsewhere, with three-quarters of the devices residing in Europe and 17% in Asia. Germany and Greece each have one-fifth of the total number of exposed devices. In addition, the 10 vendors with the most exposed devices were not the same as the 10 vendors with the biggest market shares; global titan Huawei, for example, is not on Forescout’s list.
SMA’s Sunny WebBox, a device that collects and reports information about the performance of solar inverters, was the most commonly observed piece of equipment left remotely accessible, followed by Fronius International inverters. The Sunny WebBox, which was discontinued in 2015, has “always been among the most often exposed solar devices,” Forescout said — even though researchers disclosed a hard-coded vulnerability in the product in September 2015. In fact, while the number of exposed devices dropped from 80,000 in December 2014 to 9,500 by the time of the vulnerability’s disclosure, it was back up to 13,000 last month, according to Forescout.
Discontinued, internet-exposed infrastructure with known vulnerabilities constitutes a recipe for disaster, according to cybersecurity experts.
“We see threat groups aggressively and opportunistically accessing internet-connected [infrastructure],” said Rob Lee, the chief executive of the industrial cyber firm Dragos. “Solar farms and other distributed energy resources require connectivity. But that connectivity should be properly secured and an assume-breach mindset must be taken for how attractive these systems are to adversaries.”
Some of the devices may be remotely accessible because their operators don’t even know they exist amid a sea of hard-to-manage infrastructure.
“Without full visibility into how these exposed assets communicate across environments, operators can’t properly control them,” Gary Kneeland, senior product manager at industrial cyber firm Claroty, told Cybersecurity Dive via email. “As this becomes a more prevalent attack pathway, things like asset visibility and communication mapping will be a key requirement for protecting critical infrastructure.”
Kneeland said vulnerabilities in devices accidentally left online “remain a persistent pain point for sectors racing to digitalize, especially in the energy sector.”
“Attackers don’t need sophisticated tools,” he said, “just access.”