Trend Micro
Security risks with decentralized power generation
Trend Micro has examined the IT security of decentralized energy supply systems. In particular, the network gateways of solar systems were scrutinized. The study reveals security gaps and provides recommendations for action.
The increasing decentralization of the power supply raises new security issues. The investigation covered systems from manufacturers such as Enphase, Outback, Phocos, Sol-Ark and Victron and focused on how cyber-secure they are. The popularity of solar and photovoltaic systems in particular is drawing increased attention to their IT security. While the Outback and Phocos systems had no vulnerabilities, the study identified various security risks in other systems.
In addition to a lack of encryption during data transmission and problems with standard passwords, potentially insecure firmware updates also pose a risk. Some systems in the test were also susceptible to attacks in which they were remotely switched off or reconfigured. Two systems examined also classified all data traffic in the local network as trustworthy. This can lead to risks if the system is inadvertently connected to the internet. In addition, the exact location of some systems could be identified through unauthorized access to their access point (AP) scans. This would allow cyber attackers to target specific regions in an emergency.
Data security and location dependency
Trend Micro also looked at issues of data sovereignty and storage location when using cloud services. Depending on the manufacturer, some systems transfer data to Amazon Web Services (AWS) in the USA or the EU, to Microsoft Azure in Brazil, to Alibaba Cloud in China or to data centers in the Netherlands, for example. The transfer of sensitive information across international borders requires not only technical reliability, but also compliance with different data protection regulations. This illustrates the complexity and global nature of data security when it comes to decentralized energy generation.
Individual exposed devices are reportedly unlikely to cause large-scale outages in the decentralized energy supply. Instead, attackers could target cloud services that manage and control multiple devices simultaneously in order to misuse those devices for malicious purposes. The security measures taken by cloud providers to prevent such attacks are correspondingly important. Cybercriminals can use methods such as phishing, brute-forcing passwords or exploiting known vulnerabilities to take over user accounts with remote management functions. Once they have gained access, they can manipulate existing data and control the systems remotely if the cloud services allow this.
Recommendations for protection
The security experts at Trend Micro provide clear recommendations for action to support system operators and technicians:
- Limit remote access to the control interface. In particular, avoid exposing systems directly to the Internet.
- Change default passwords and enable password protection to prevent unauthorized access.
- Separate the network interface of the inverters from other local networks to reduce vulnerability to potential attacks.
- Follow security best practices and consider working with external IT security experts.
Udo Schneider, Security Evangelist Europe at Trend Micro, explains: "The integration of renewable energy requires not only technical innovation, but also careful consideration of security aspects to ensure the smooth operation and trustworthiness of these systems. Cybersecurity plays a crucial role in ensuring a high-performance energy supply."
The full Distributed Energy Generation Gateway (In)Security report can be found at: https://www.trendmicro.com/vinfo/de/security/news/security-technology/distributed-energy-generation-gateway-insecurity














